Abstract
We introduce a model for provable data possession (PDP) that can be used for remote data checking: A client that has stored data at an untrusted server can verify that the server possesses the original data without retrieving it. The model generates probabilistic proofs of possession by sampling random sets of blocks from the server, which drastically reduces I/O costs. The client maintains a constant amount of metadata to verify the proof. The challenge/response protocol transmits a small, constant amount of data, which minimizes network communication. Thus, the PDP model for remote data checking is lightweight and supports large data sets in distributed storage systems. The model is also robust in that it incorporates mechanisms for mitigating arbitrary amounts of data corruption.
We present two provably-secure PDP schemes that are more efficient than previous solutions. In particular, the overhead at the server is low (or even constant), as opposed to linear in the size of the data. We then propose a generic transformation that adds robustness to any remote data checking scheme based on spot checking. Experiments using our implementation verify the practicality of PDP and reveal that the performance of PDP is bounded by disk I/O and not by cryptographic computation. Finally, we conduct an in-depth experimental evaluation to study the tradeoffs in performance, security, and space overheads when adding robustness to a remote data checking scheme.
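The sampling argument in the abstract can be made concrete with an added example (not code from the paper or its implementation): it computes how likely a challenge of `c` randomly sampled blocks is to touch at least one of `t` corrupted blocks in a file of `n` blocks, and the smallest challenge that reaches a target confidence. The names `n`, `t`, `c`, the uniform sampling without replacement, and the 10,000-block file are assumptions of this sketch; the cryptographic tags that make a touched bad block fail verification are not modeled.

```python
import random

def miss_probability(n, t, c):
    """Chance that c blocks sampled without replacement from n all avoid the t bad ones."""
    miss = 1.0
    for i in range(c):
        if n - t - i <= 0:      # more samples than intact blocks: a bad block must be hit
            return 0.0
        miss *= (n - t - i) / (n - i)
    return miss

def detection_probability(n, t, c):
    """Chance that a challenge of c blocks touches at least one corrupted block."""
    return 1.0 - miss_probability(n, t, c)

def min_challenge_size(n, t, target):
    """Smallest c whose detection probability reaches target (None if nothing is corrupted)."""
    if t == 0:
        return None
    for c in range(1, n + 1):
        if detection_probability(n, t, c) >= target:
            return c
    return None

def simulate(n, t, c, trials=2000, seed=1):
    """Monte Carlo check: the server holds t bad blocks, the client samples c per audit."""
    rng = random.Random(seed)
    bad = set(rng.sample(range(n), t))
    caught = sum(any(i in bad for i in rng.sample(range(n), c))
                 for _ in range(trials))
    return caught / trials

if __name__ == "__main__":
    n = 10_000                          # constructed file size in blocks
    for t in (100, 10, 1):              # 1%, 0.1%, and a single corrupted block
        print(f"t={t:4d}  P(detect | c=300)={detection_probability(n, t, 300):.4f}  "
              f"c for 99%={min_challenge_size(n, t, 0.99)}")
    print("simulated, t=100, c=300:", simulate(n, 100, 300))
```

With one corrupted block the detection probability is exactly `c/n`, so a few hundred samples catch it only a few percent of the time; spot checking alone is strong against large corruption and weak against small corruption.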