Abstract
Authenticated dictionaries are a widely discussed paradigm for providing verifiable integrity of data stored on untrusted servers, such as today’s widely used “cloud computing” resources. Alongside the result of any query, the server returns a “proof,” typically a slice through a cryptographic data structure, that the result is correct, including that a reported absence is correct. Persistent authenticated dictionaries (PADs) further allow queries against older versions of the structure. This research presents implementations of a variety of different PAD algorithms, some based on Merkle tree-style data structures and others based on individually signed “tuple” statements (with and without RSA accumulators). We present system throughput benchmarks, indicating costs in terms of time, storage, and bandwidth, and also consider how much money would be required given standard cloud computing costs. We conclude that Merkle tree PADs are preferable in cases with frequent updates, while tuple-based PADs are preferable with higher query rates. For Merkle tree PADs, red-black trees outperform treaps and skiplists. Applying Sarnak-Tarjan’s versioned node strategy, with a cache of old hashes at every node, to red-black trees yields the fastest Merkle tree PAD implementation, notably using half the memory of the more commonly used mutation-free path copying strategy. For tuple PADs, although we designed and implemented an algorithm using RSA accumulators that offers constant update size, constant storage per update, constant proof size, and sublinear computation per update, we found that RSA accumulators are so expensive that they are never worthwhile. We find that other optimizations in the literature for tuple PADs are more cost-effective.
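As an added illustration (not code from the paper), the following Python sketch shows the mechanics the abstract describes: a Merkle-hashed search tree updated by the mutation-free path copying strategy, so every older root hash remains queryable, with proofs that are a slice (the search path) through the structure and that certify both presence and absence of a key. The tree is an unbalanced binary search tree for brevity, and the `EMPTY` label and hashing convention are my own assumptions.

```python
import hashlib

EMPTY = "0" * 64  # constructed convention: hash label of an empty subtree

def H(*parts):
    """Length-prefix each field so (key, value, child hashes) cannot be confused."""
    data = b"".join(len(p).to_bytes(4, "big") + p.encode() for p in parts)
    return hashlib.sha256(data).hexdigest()

def kids(n):
    return (n.left.hash if n.left else EMPTY, n.right.hash if n.right else EMPTY)

class Node:
    """Immutable BST node; its hash commits to key, value and both subtrees."""
    def __init__(self, key, value, left=None, right=None):
        self.key, self.value, self.left, self.right = key, value, left, right
        self.hash = H(key, value, *kids(self))

def insert(root, key, value):
    """Path copying: only nodes on the search path are copied; old roots stay valid."""
    if root is None:
        return Node(key, value)
    if key < root.key:
        return Node(root.key, root.value, insert(root.left, key, value), root.right)
    if key > root.key:
        return Node(root.key, root.value, root.left, insert(root.right, key, value))
    return Node(key, value, root.left, root.right)  # overwrite an existing key

def prove(root, key):
    """Proof is the search path; it stops at the key or at an empty subtree (absence)."""
    path, node = [], root
    while node is not None:
        path.append((node.key, node.value, *kids(node)))
        if key == node.key:
            break
        node = node.left if key < node.key else node.right
    return path

def verify(root_hash, key, proof):
    """Client check against a trusted root hash; (True, None) is a verified absence."""
    expected = root_hash
    for k, v, lh, rh in proof:
        if H(k, v, lh, rh) != expected:
            return False, None              # node is not what the root commits to
        if key == k:
            return True, v
        expected = lh if key < k else rh    # must follow the BST search order for key
    return expected == EMPTY, None          # absence holds only at an empty subtree
```

A client only needs the root hash of each version it trusts; a proof produced against one version fails verification against another, and subtrees untouched by an update are shared between versions rather than copied.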
References
- Adelson-Velskii, G. and Landis, E. M. 1962. An algorithm for the organization of information. Proc. USSR Acad. Sci. 146, 263--266.
- Anagnostopoulos, A., Goodrich, M. T., and Tamassia, R. 2001. Persistent authenticated dictionaries and their applications. In Proceedings of the International Conference on Information Security (ISC). 379--393.
- Anderson, A. and Ottmann, T. 1991. Faster uniquely represented dictionaries. In Proceedings of the 32nd Annual Symposium on Foundations of Computer Science (SFCS). 642--649.
- Aragon, C. R. and Seidel, R. G. 1989. Randomized search trees. In Proceedings of the 30th Annual Symposium on Foundations of Computer Science (SFCS). 540--545.
- Bagwell, P. 2002. Fast functional lists, hash-lists, deques and variable length arrays. In Proceedings of the 14th International Workshop on Implementation of Functional Languages. 34.
- Barić, N. and Pfitzmann, B. 1997. Collision-free accumulators and fail-stop signature schemes without trees. In Proceedings of EuroCrypt. 480--494.
- Benaloh, J. and de Mare, M. 1993. One-way accumulators: A decentralized alternative to digital signatures. In Proceedings of the Workshop on the Theory and Application of Cryptographic Techniques on Advances in Cryptology (EuroCrypt’93). 274--285.
- Blelloch, G. E. and Reid-Miller, M. 1998. Fast set operations using treaps. In Proceedings of the 10th Annual ACM Symposium on Parallel Algorithms and Architectures (SPAA). 16--26.
- Brodal, G. S. 1996. Partially persistent data structures of bounded degree with constant update time. Nordic J. Comput. 3, 3, 238--255.
- Camenisch, J. and Lysyanskaya, A. 2002. Dynamic accumulators and application to efficient revocation of anonymous credentials. In Proceedings of CRYPTO’02. 61--76.
- Camenisch, J., Kohlweiss, M., and Soriente, C. 2009. An accumulator based on bilinear maps and efficient revocation for anonymous credentials. In Proceedings of the 12th International Conference on Practice and Theory in Public Key Cryptography (PKC’09). 481--500.
- Cohen, B. 2003. Incentives build robustness in BitTorrent. Tech. rep., bittorrent.org.
- Crosby, S. A. and Wallach, D. S. 2009. Super-efficient aggregating history-independent persistent authenticated dictionaries. In Proceedings of ESORICS’09. 671--688.
- Freudenthal, E., Herrera, D., Gutstein, S., Spring, R., and Longpre, L. 2007. Fern: An updatable authenticated dictionary suitable for distributed caching. In Computer Network Security. Communications in Computer and Information Science, vol. 1, Springer, Berlin, 141--146.
- Fu, K., Kaashoek, M. F., and Mazières, D. 2002. Fast and secure distributed read-only file system. ACM Trans. Comput. Syst. 20, 1, 1--24.
- Gassend, B., Suh, G., Clarke, D., Dijk, M., and Devadas, S. 2003. Caches and hash trees for efficient memory integrity verification. In Proceedings of the 9th International Symposium on High Performance Computer Architecture (HPCA).
- Goodrich, M., Tamassia, R., and Schwerin, A. 2001. Implementation of an authenticated dictionary with skip lists and commutative hashing. In Proceedings of the DARPA Information Survivability Conference & Exposition II (DISCEX II). 68--82.
- Goodrich, M. T., Tamassia, R., and Hasic, J. 2002. An efficient dynamic and distributed cryptographic accumulator. In Proceedings of the 5th International Conference on Information Security (ISC). 372--388.
- Goodrich, M. T., Papamanthou, C., Tamassia, R., and Triandopoulos, N. 2008. Athos: Efficient authentication of outsourced file systems. In Proceedings of the 11th International Conference on Information Security (ISC). 80--96.
- Gray, J. and Putzolu, F. 1987. The 5 minute rule for trading memory for disc accesses and the 10 byte rule for trading memory for CPU time. SIGMOD Rec. 16, 3, 395--398.
- Guibas, L. J. and Sedgewick, R. 1978. A dichromatic framework for balanced trees. In Proceedings of the 19th Annual Symposium on Foundations of Computer Science (SFCS). 8--21.
- Heitzmann, A., Palazzi, B., Papamanthou, C., and Tamassia, R. 2008. Efficient integrity checking of untrusted network storage. In Proceedings of the 4th ACM International Workshop on Storage Security and Survivability. 43--54.
- Kaplan, H. 2001. Persistent data structures. In Handbook on Data Structures and Applications, D. Mehta and S. Sahni, Eds. CRC Press.
- Kocher, P. C. 1998. On certificate revocation and validation. In Proceedings of the International Conference on Financial Cryptography (FC’98). 172--177.
- Li, J., Krohn, M., Mazières, D., and Shasha, D. 2004. Secure untrusted data repository (SUNDR). In Proceedings of the USENIX Symposium on Operating Systems Design & Implementation (OSDI).
- Li, J., Li, N., and Xue, R. 2007. Universal accumulators with efficient nonmembership proofs. In Proceedings of the 5th International Conference on Applied Cryptography and Network Security (ACNS). 253--269.
- Merkle, R. C. 1989. A certified digital signature. In Proceedings of CRYPTO’89. 218--238.
- Micali, S. 1996. Efficient certificate revocation. Tech. rep. TM-542b, Massachusetts Institute of Technology, Cambridge, MA. http://www.ncstrl.org:8900/ncstrl/servlet/search?formname=detail\&id=oai%%3Ancstrlh%3Amitai%3AMIT-LCS%2F%2FMIT%2FLCS%2FTM-542b.
- Micciancio, D. 1997. Oblivious data structures: Applications to cryptography. In Proceedings of the 29th Annual ACM Symposium on Theory of Computing (STOC). 456--464.
- Muthitacharoen, A., Morris, R., Gil, T., and Chen, B. 2002. Ivy: A read/write peer-to-peer file system. In Proceedings of the USENIX Symposium on Operating Systems Design and Implementation (OSDI’02).
- Naccache, D., M’Raihi, D., Vaudenay, S., and Raphaeli, D. 1994. Can DSA be improved? Complexity trade-offs with the digital signature standard. In Proceedings of EuroCrypt. 77--85.
- Naor, M. and Nissim, K. 1998. Certificate revocation and certificate update. In Proceedings of the USENIX Security Symposium.
- Naor, M. and Teague, V. 2001. Anti-persistence: History independent data structures. In Proceedings of the 33rd Annual ACM Symposium on Theory of Computing (STOC). 492--501.
- Nguyen, L. 2005. Accumulators from bilinear pairings and applications. In Proceedings of the RSA Conference, Cryptographers’ Track (CT-RSA). 275--292.
- NIST Special Publication 800-57. 2007. Recommendation for Key Management --- Part 1: General. National Institute of Standards and Technology.
- Okasaki, C. 1999. Purely Functional Data Structures. Cambridge University Press.
- Papamanthou, C., Tamassia, R., and Triandopoulos, N. 2008. Authenticated hash tables. In Proceedings of the ACM Conference on Computer and Communications Security (CCS’08). 437--448.
- Peterson, Z. N. J., Burns, R., Ateniese, G., and Bono, S. 2007. Design and implementation of verifiable audit trails for a versioning file system. In Proceedings of the USENIX Conference on File and Storage Technologies.
- Pugh, W. 1989. Skip lists: A probabilistic alternative to balanced trees. In Proceedings of the Workshop on Algorithms and Data Structures. 437--449.
- Rabin, M. O. 1980. Probabilistic algorithm for testing primality. J. Numb. Theor. 12, 1, 128--138.
- Rogers, B., Chhabra, S., Prvulovic, M., and Solihin, Y. 2007. Using address independent seed encryption and bonsai Merkle trees to make secure processors OS- and performance-friendly. In Proceedings of the 40th Annual IEEE/ACM International Symposium on Microarchitecture. 183--196.
- Sandler, D. R., Derr, K., and Wallach, D. S. 2008. VoteBox: A tamper-evident, verifiable electronic voting system. In Proceedings of the 17th USENIX Security Symposium (Security’08).
- Sarnak, N. and Tarjan, R. E. 1986. Planar point location using persistent search trees. Comm. ACM 29, 7, 669--679.
- Shapiro, J. S. and Vanderburgh, J. 2002. Access and integrity control in a public-access, high-assurance configuration management system. In Proceedings of the USENIX Security Symposium. 109--120.
- Williams, P., Sion, R., and Shasha, D. 2009. The blind stone tablet: Outsourcing durability. In Proceedings of the 16th Annual Network and Distributed Systems Security Symposium (NDSS).
Authenticated Dictionaries: Real-World Costs and Trade-Offs