## How to make replicated data secure (1988)

Venue: Advances in Cryptology - CRYPTO

Citations: 45 (1 self)

### BibTeX

@INPROCEEDINGS{Herlihy88howto,
    author = {Maurice P. Herlihy and J. D. Tygar},
    title = {How to make replicated data secure},
    booktitle = {Advances in Cryptology - CRYPTO},
    year = {1988},
    pages = {379--391},
    publisher = {Springer-Verlag}
}

### Abstract

Many distributed systems manage some form of long-lived data, such as files or data bases. The performance and fault-tolerance of such systems may be enhanced if the repositories for the data are physically distributed. Nevertheless, distribution makes security more difficult, since it may be difficult to ensure that each repository is physically secure, particularly if the number of repositories is large. This paper proposes new techniques for ensuring the security of long-lived, physically distributed data. These techniques adapt replication protocols for fault-tolerance to the more demanding requirements of security. For a given threshold value, one set of protocols ensures that an adversary cannot ascertain the state of a data object by observing the contents of fewer than a threshold of repositories. These protocols are cheap; the message traffic needed to tolerate a given number of compromised repositories is only slightly more than the message traffic needed to tolerate the same number of failures. A second set of protocols ensures that an object's state cannot be altered by an adversary who can modify the contents of fewer than a threshold of repositories. These protocols are more expensive; to tolerate t-1 compromised repositories, clients executing certain operations must communicate with t-1 additional sites.

### Citations

3231 | A Method for Obtaining Digital Signatures and Public-Key Cryptosystems
- Rivest, Shamir, et al.
- 1978
Citation Context: ...s of complexity theory, we do not have a way of proving bit-security without making some assumption about the lower bound on an algorithmic problem. For example, it has been shown [1] that the RSA [20] cryptosystem is bit-secure under the assumption that taking k-th roots modulo pq, a product of two large primes, cannot be done in randomized polynomial time and that the Rabin [15] signature schemes is...

3006 | New Directions in Cryptography
- Diffie, Hellman
- 1976
Citation Context: ...e show in the next section. 4. Public Key Secure Quorum Consensus In this section we describe a variant of SQC in which the bit-secure private key scheme is replaced by a bit-secure public key scheme [6]. Instead of a single key K, we use an encryption key K_E and a decryption key K_D, where K_D cannot be derived from K_E with polynomial resources, and vice-versa. Instead of a single threshold t, we...

2496 | Time, clocks, and the ordering of events in a distributed system - Lamport - 1978 |

1968 | How to share a secret
- Shamir
Citation Context: ...ects each final Value quorum. Many other examples of replicated typed objects appear elsewhere [11]. 2.3. Shared Secrets In this section, we give a brief overview of Shamir's secret sharing algorithm [22]. This algorithm transforms a cleartext value v into n encrypted pieces such that any t pieces determine the value of v, but an adversary in possession of t-1 pieces has no information, in the sense d...

936 | Using encryption for authentication in large network of computer
- Needham, Schroeder
- 1978
Citation Context: ...er than t repositories. To keep our presentation as straightforward as possible, we assume that a communications subsystem provides secure and authenticated communication using known protocols, e.g., [2, 14, 10, 8]. Here, we consider only attacks that bypass the communications subsystem, isolating some set of repositories and directly observing or modifying their data. A natural basis for analyzing the costs of...

627 | How to generate cryptographically strong sequences of pseudo random bits
- Blum, Micali
- 1984
Citation Context: ..., and Section 7 concludes with a survey of related work and a brief discussion. 2. Background 2.1. Terminology We use two notions of cryptographic security in this paper. One notion, of bit-security, [3, 19], implies that given ciphertext, no processor with randomized polynomial resources can derive information about any given bit in the corresponding cleartext with certainty greater than 1/2+e for any e...

557 | Weighted voting for replicated data
- Gifford
- 1979
Citation Context: ...he presence of some number of failures. In particular, the availability of long-lived data can be enhanced by storing the data redundantly at multiple sites, a technique commonly known as replication [7, 11]. In this paper, we consider how replication protocols originally proposed to enhance fault-tolerance can be adapted to the more demanding requirements of security. For a given threshold value t, we d...

319 | Efficient randomized pattern-matching algorithms
- Karp, Rabin
- 1987
Citation Context: ...tions. 7 . The cleartext is encrypted together with a checksum that provides enough internal redundancy to detect any direct modifications to the ciphertext. Rabin and Karp have given such a checksum [21]. Another approach to this method is given by the more expensive technique of probabilistic encryption [9]. . The integrity threshold t is less than or equal to t (for private key SQC) or t (for publi...

310 | Digitized Signatures and Public-Key Functions As Intractable As Factorization
- Rabin
- 1979
Citation Context: ... [1] that the RSA [20] cryptosystem is bit-secure under the assumption that taking k-th roots modulo pq, a product of two large primes, cannot be done in randomized polynomial time and that the Rabin [15] signature schemes is bit-secure if factorization is not in randomized polynomial time. (These assumptions are generally accepted by the academic computer science community.) The second notion, of per...

212 | Verifiable secret sharing and achieving simultaneity in the presence of faults (extended abstract)
- Chor, Goldwasser, et al.
Citation Context: ...security and fault-tolerance simultaneously with a single mechanism. Tompa and Woll [23] have given a stronger version of the secret sharing protocol that is also applicable to our model. Chor et al. [4] have given a "verifiable secret sharing" protocol which ensures that the dealer cannot cheat. Chor and Rabin [5] have shown how this protocol can be used to generate bits with a high degree of inde...

153 | A quorum-consensus replication method for abstract data types
- Herlihy
- 1986
Citation Context: ...he presence of some number of failures. In particular, the availability of long-lived data can be enhanced by storing the data redundantly at multiple sites, a technique commonly known as replication [7, 11]. In this paper, we consider how replication protocols originally proposed to enhance fault-tolerance can be adapted to the more demanding requirements of security. For a given threshold value t, we d...

141 | Probabilistic Encryption & How to Play Mental Poker Keeping Secret All Partial Information
- Goldwasser, Micali
- 1982
Citation Context: ...epositories. It depends on the existence of a bit-secure private key encryption scheme, in which a single key K is used for both encryption and decryption. The encryption scheme must be probabilistic [9] to ensure that repeated instances of the same cleartext (e.g., Inc entries for a replicated counter) produce different ciphertext instances. 3.1. Overview The private key Secure Quorum Consensus (SQC...

139 | RSA and Rabin Functions: Certain Parts are as Hard as the Whole
- Alexi, Chor, et al.
- 1988
Citation Context: ...en the current limits of complexity theory, we do not have a way of proving bit-security without making some assumption about the lower bound on an algorithmic problem. For example, it has been shown [1] that the RSA [20] cryptosystem is bit-secure under the assumption that taking k-th roots modulo pq, a product of two large primes, cannot be done in randomized polynomial time and that the Rabin [15]...

89 | Knowledge complexity of interactive proofs
- Goldwasser, Micali, et al.
- 1985
Citation Context: ...er than t repositories. To keep our presentation as straightforward as possible, we assume that a communications subsystem provides secure and authenticated communication using known protocols, e.g., [2, 14, 10, 8]. Here, we consider only attacks that bypass the communications subsystem, isolating some set of repositories and directly observing or modifying their data. A natural basis for analyzing the costs of...

63 | How to Share a Secret with Cheaters
- Tompa, Woll
- 1986
Citation Context: ...ly low cost, as the system becomes more distributed. Unlike previous approaches, our protocol attacks the issues of security and fault-tolerance simultaneously with a single mechanism. Tompa and Woll [23] have given a stronger version of the secret sharing protocol that is also applicable to our model. Chor et al. [4] have given a "verifiable secret sharing" protocol which ensures that the dealer ca...

41 | Secure communication using remote procedure calls
- Birrell
- 1985
Citation Context: ...er than t repositories. To keep our presentation as straightforward as possible, we assume that a communications subsystem provides secure and authenticated communication using known protocols, e.g., [2, 14, 10, 8]. Here, we consider only attacks that bypass the communications subsystem, isolating some set of repositories and directly observing or modifying their data. A natural basis for analyzing the costs of...

23 | Achieving independence in logarithmic number of rounds
- Chor, Rabin
- 1987
Citation Context: ...ion of the secret sharing protocol that is also applicable to our model. Chor et al. [4] have given a "verifiable secret sharing" protocol which ensures that the dealer cannot cheat. Chor and Rabin [5] have shown how this protocol can be used to generate bits with a high degree of independence in a Byzantine distributed system. The verifiable secret sharing protocol can also be incorporated into ou...

21 | Recursively structured distributed computing systems
- Randell
- 1983
Citation Context: ...with the most recent write quorum at some uncompromised repository, but such a guarantee may well be too weak for applications where integrity is of concern. 7. Remarks and Related Work Brian Randell [17, 18] posed the following question: can security and fault-tolerance be integrated in a single mechanism? This question challenges the traditional rule of thumb in security work that as a system becomes mo...

11 | Efficient parallel pseudorandom number generation
- Reif, Tygar
- 1988
Citation Context: ..., and Section 7 concludes with a survey of related work and a brief discussion. 2. Background 2.1. Terminology We use two notions of cryptographic security in this paper. One notion, of bit-security, [3, 19], implies that given ciphertext, no processor with randomized polynomial resources can derive information about any given bit in the corresponding cleartext with certainty greater than 1/2+e for any e...

9 | ITOSS: An integrated toolkit for operating system security - Rabin, Tygar - 1989 |

9 | Reliability and Security Issues in Distributed Computing Systems
- Randell, Dobson
- 1986
Citation Context: ...with the most recent write quorum at some uncompromised repository, but such a guarantee may well be too weak for applications where integrity is of concern. 7. Remarks and Related Work Brian Randell [17, 18] posed the following question: can security and fault-tolerance be integrated in a single mechanism? This question challenges the traditional rule of thumb in security work that as a system becomes mo...

2 | Proofs that yield nothing but the validity of their assertion
- Goldreich, Micali, et al.