PORs: Proofs of Retrievability for Large Files

In this paper, we define and explore proofs of retrievability (PORs). A POR scheme enables an archive or back-up service (prover) to produce a concise proof that a user (verifier) can retrieve a target file F, that is, that the archive retains and reliably transmits file data sufficient for the user to recover F in its entirety. A POR may be viewed as a kind of cryptographic proof of knowledge (POK), but one specially designed to handle a large file (or bitstring) F. We explore POR protocols here in which the communication costs, number of memory accesses for the prover, and storage requirements of the user (verifier) are small parameters essentially independent of the length of F. In addition to proposing new, practical POR constructions, we explore implementation considerations and optimizations that bear on previously explored, related schemes. In a POR, unlike a POK, neither the prover nor the verifier need actually have knowledge of F. PORs give rise to a new and unusual security definition whose formulation is another contribution of our work. We view PORs as an important tool for semi-trusted online archives. Existing cryptographic techniques help users ensure the privacy and integrity of files they retrieve. It is also natural, however, for users to want to verify that archives do not delete or modify files prior to retrieval. The goal of a POR is to accomplish these checks without users having to download the files themselves. A POR can also provide quality-of-service guarantees, i.e., show that a file is retrievable within a certain time bound.
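As an added illustration of the POR idea (not the paper's own construction), the following Python sketches a minimal spot-check audit: the verifier keeps only a key and the block count, the archive holds the file blocks plus per-block keyed tags, and each challenge asks for a handful of random blocks, so the proof size and the verifier's state are independent of the length of F. The names (`encode`, `Archive`, `audit`, `detection_rate`), the block size and the sample key are assumptions made for this example.

```python
import hmac, hashlib, random

BLOCK = 64  # bytes per file block (constructed parameter)

def tag(key: bytes, index: int, block: bytes) -> bytes:
    # Tag binds the block to its position so blocks cannot be swapped.
    return hmac.new(key, index.to_bytes(8, "big") + block, hashlib.sha256).digest()

def encode(key: bytes, data: bytes):
    """Verifier-side setup: split F into blocks and tag each one.
    Only `key` stays with the verifier; blocks and tags go to the archive."""
    blocks = [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
    return blocks, [tag(key, i, b) for i, b in enumerate(blocks)]

class Archive:
    """Prover: stores (block, tag) pairs and may silently lose some of them."""
    def __init__(self, blocks, tags):
        self.store = {i: (b, t) for i, (b, t) in enumerate(zip(blocks, tags))}
    def drop(self, indices):
        for i in indices:
            self.store.pop(i, None)
    def respond(self, challenge):
        # Response size grows with the challenge, not with the size of F.
        return [(i, *self.store[i]) if i in self.store else (i, None, None)
                for i in challenge]

def audit(key: bytes, n_blocks: int, archive, sample: int, rng=random) -> bool:
    """Verifier: challenge `sample` random indices and check every returned tag.
    Verifier state is just (key, n_blocks), constant regardless of file size."""
    for i, b, t in archive.respond(rng.sample(range(n_blocks), sample)):
        if b is None or not hmac.compare_digest(tag(key, i, b), t):
            return False
    return True

def detection_rate(n_blocks, lost, sample, trials=200, seed=1) -> float:
    """Fraction of audits that catch an archive which lost `lost` blocks."""
    rng = random.Random(seed)
    key = b"k" * 32  # constructed key; a real verifier would draw it at random
    data = bytes(rng.getrandbits(8) for _ in range(n_blocks * BLOCK))
    blocks, tags = encode(key, data)
    caught = 0
    for _ in range(trials):
        arc = Archive(blocks, tags)
        arc.drop(rng.sample(range(n_blocks), lost))
        caught += 0 if audit(key, n_blocks, arc, sample, rng) else 1
    return caught / trials
```

A spot check of this kind only catches an archive that has lost a noticeable fraction of blocks; guaranteeing that F is recoverable in its entirety despite a few missing or corrupted blocks also needs the error-correcting encoding the abstract refers to.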
