## Super-efficient Aggregating History-independent Persistent Authenticated Dictionaries

### Cached

### Download Links

Citations: | 6 - 2 self |

### BibTeX

@MISC{Crosby_super-efficientaggregating,

author = {Scott A. Crosby and Dan S. Wallach},

title = {Super-efficient Aggregating History-independent Persistent Authenticated Dictionaries },

year = {}

}

### OpenURL

### Abstract

Authenticated dictionaries allow users to send lookup requests to an untrusted server and get authenticated answers. Persistent authenticated dictionaries (PADs) add queries against historical versions. We consider a variety of different trust models for PADs and we present several extensions, including support for aggregation and a rich query language, as well as hiding information about the order in which PADs were constructed. We consider variations on treelike data structures as well as a design that improves efficiency by speculative future predictions. We improve on prior constructions and feature two designs that can authenticate historical queries with constant storage per update and several designs that can return constant-sized authentication results.

### Citations

250 | Ivy: A read/write peer-to-peer file system
- Muthitacharoen, Morris, et al.
- 2002
(Show Context)
Citation Context ...h value fixes the values of the entire tree. Hash-based data structures have been used in a variety of different systems, including smartcards [17], outsourced databases [41], distributed filesystems =-=[29, 24, 35, 16]-=-, graph and geometric searching [19], tamper-evident logging [11, 12, 37], and many others. These systems are often built around the authenticated dictionary [31, 23] abstraction, which supports ordin... |

246 | Making data structures persistent
- Driscoll, Sarnak, et al.
- 1989
(Show Context)
Citation Context ...or tamper-evident log [11, 12, 37]. Root authenticators simplify the process of discovering when an untrusted author or server may be lying about the past. Mistrusting 1 In the persistency literature =-=[13]-=-, the term “persistent” is reserved for data structures where any version, present or past, may be updated, thus forming a tree of versions. Path copying trees, described in Sect. 3.3, are an example ... |

231 |
A dichromatic framework for balanced trees
- Guibas, Sedgewick
- 1978
(Show Context)
Citation Context ...n, difference, and intersection operations [6]. We could have used any other balanced search tree that supports O(1) expected (not amortized) node mutations per update, such as AVL or red-black trees =-=[20]-=-, but we preferred treaps for their set-uniqueness properties (discussed further below). Each node in a treap is given a key, value, priority, and left and right child pointers. Nodes in a treap obey ... |

226 | Purely Functional Data Structures
- Okasaki
- 1999
(Show Context)
Citation Context ... as well as the most recent version. Persistent data structures were developed to support these features and have been extensively studied [8, 22], particularly with respect to functional programming =-=[33, 4]-=-. Persistent authenticated dictionaries (PADs) combine these features and were introduced by Anagnostopoulos et al. [1], using applicative (i.e., functional or mutation-free) red-black trees and skipl... |

214 |
A digital signature based on a conventional encryption function
- Merkle
- 1988
(Show Context)
Citation Context ...nt-sized authentication results. 1 Introduction This paper considers data being stored in a cryptographic and tamper evident fashion. The earliest example of such a data structure was the Merkle tree =-=[26]-=-, where each tree node contains a cryptographic hash of its childrens’ contents. Consequently, the root node’s hash value fixes the values of the entire tree. Hash-based data structures have been used... |

204 | How to time-stamp a digital document
- Haber, Stornetta
(Show Context)
Citation Context ... if there was a single value that fixes or commits the entire dictionary at that particular time. This value can then be stored and replicated efficiently by clients, stored in a time-stamping system =-=[21, 9]-=-, or tamper-evident log [11, 12, 37]. Root authenticators simplify the process of discovering when an untrusted author or server may be lying about the past. Mistrusting 1 In the persistency literatur... |

175 | Fast and secure distributed read-only file system
- Fu, Kaashoek, et al.
- 2002
(Show Context)
Citation Context ...h value fixes the values of the entire tree. Hash-based data structures have been used in a variety of different systems, including smartcards [17], outsourced databases [41], distributed filesystems =-=[29, 24, 35, 16]-=-, graph and geometric searching [19], tamper-evident logging [11, 12, 37], and many others. These systems are often built around the authenticated dictionary [31, 23] abstraction, which supports ordin... |

172 |
Planar point location using persistent search trees
- Sarnak, Tarjan
- 1986
(Show Context)
Citation Context ...k trees and skiplists, requiring O(log n) storage per update. In Sect. 2 we discuss threat models and features that PADs may support. In Sect. 3, we show how to adapt Sarnak and Tarjan’s construction =-=[36]-=- in order to build PADs ⋆ The authors wish to thank the anonymous referees for their helpful comments and feedback. We also thank the program chairs for allowing us to expand our paper beyond its orig... |

168 | Dynamic accumulators and application to efficient revocation of anonymous credentials
- Camenisch, Lysyanskaya
(Show Context)
Citation Context ...e. 4.4 Tuple PADs based on RSA accumulators RSA accumulators [5] are a useful way to authenticate a set with a concise O(1) summary, which can be signed using digital signatures. Dynamic accumulators =-=[10, 18, 34]-=- permit efficient incremental update of accumulator without requiring that it be regenerated. Membership of an element in the set is proved with witnesses, which may be computed by the untrusted serve... |

144 | Certificate revocation and certificate update
- Naor, Nissim
- 1998
(Show Context)
Citation Context ..., distributed filesystems [29, 24, 35, 16], graph and geometric searching [19], tamper-evident logging [11, 12, 37], and many others. These systems are often built around the authenticated dictionary =-=[31, 23]-=- abstraction, which supports ordinary dictionary operations, with lookups returning the answer and a proof of its correctness. In systems where data changes values over time, such as stock ticker data... |

139 | Secure untrusted data repository (SUNDR
- Li, Krohn, et al.
- 2004
(Show Context)
Citation Context ...h value fixes the values of the entire tree. Hash-based data structures have been used in a variety of different systems, including smartcards [17], outsourced databases [41], distributed filesystems =-=[29, 24, 35, 16]-=-, graph and geometric searching [19], tamper-evident logging [11, 12, 37], and many others. These systems are often built around the authenticated dictionary [31, 23] abstraction, which supports ordin... |

136 | Randomized search trees
- Seidel, Aragon
- 1996
(Show Context)
Citation Context ...ed or included the hash of a node in a proof, it will now include the node’s hash and aggregate, which can be cached or recomputed as-needed. 3.2 Treap Our tree-based dictionaries are based on treaps =-=[3]-=-, a randomized search tree implementing a dictionary. The expected cost of an insert, delete, or lookup is O(log n). Treaps support efficient set union, difference, and intersection operations [6]. We... |

114 | One-way accumulators: a decentralized alternative to digital signatures
- Benaloh, Mare
- 1993
(Show Context)
Citation Context ...bined with tuple-superseding (with our without using iterated hashes) to reduce the number of tuples the server must save to O(C) per update. 4.4 Tuple PADs based on RSA accumulators RSA accumulators =-=[5]-=- are a useful way to authenticate a set with a concise O(1) summary, which can be signed using digital signatures. Dynamic accumulators [10, 18, 34] permit efficient incremental update of accumulator ... |

110 |
Security audit logs to support computer forensics
- Schneier, Kelsey
- 1999
(Show Context)
Citation Context ...been used in a variety of different systems, including smartcards [17], outsourced databases [41], distributed filesystems [29, 24, 35, 16], graph and geometric searching [19], tamper-evident logging =-=[11, 12, 37]-=-, and many others. These systems are often built around the authenticated dictionary [31, 23] abstraction, which supports ordinary dictionary operations, with lookups returning the answer and a proof ... |

95 | Checking the correctness of memories
- Blum, Gemmell, et al.
- 1991
(Show Context)
Citation Context ...istent data structures [13] as well as extending our designs to support outsourced storage where a trusted device uses a small amount of trusted storage to detect faults in a larger untrusted storage =-=[7, 14]-=-. If persistence is unnecessary, but authentication is, our techniques should be easily simplified to only preserve the data necessary to authenticate the latest snapshot. We plan to adapting speculat... |

91 | Efficient certificate revocation
- Micali
- 1996
(Show Context)
Citation Context ...ys in earlier snapshots. Iterated hash functions. Public key signatures are notably slow to generate and verify. In contrast, cryptographic hash functions are very fast. With a light-weight signature =-=[27]-=- implemented by iterated hash functions, we can indicate that a tuple is refreshed. Rather than signing each superseded tuple, the author now only signs the tuple: (vα, Hm (R), [k j, k j+1), c j) wher... |

85 |
On certificate revocation and validation
- Kocher
- 1998
(Show Context)
Citation Context ..., distributed filesystems [29, 24, 35, 16], graph and geometric searching [19], tamper-evident logging [11, 12, 37], and many others. These systems are often built around the authenticated dictionary =-=[31, 23]-=- abstraction, which supports ordinary dictionary operations, with lookups returning the answer and a proof of its correctness. In systems where data changes values over time, such as stock ticker data... |

57 | Persistent authenticated dictionaries and their applications
- Anagnostopoulos, Goodrich, et al.
- 2001
(Show Context)
Citation Context ...nsively studied [8, 22], particularly with respect to functional programming [33, 4]. Persistent authenticated dictionaries (PADs) combine these features and were introduced by Anagnostopoulos et al. =-=[1]-=-, using applicative (i.e., functional or mutation-free) red-black trees and skiplists, requiring O(log n) storage per update. In Sect. 2 we discuss threat models and features that PADs may support. In... |

49 | Authenticated data structures for graph and geometric searching
- Goodrich, Tamassia, et al.
(Show Context)
Citation Context ...h-based data structures have been used in a variety of different systems, including smartcards [17], outsourced databases [41], distributed filesystems [29, 24, 35, 16], graph and geometric searching =-=[19]-=-, tamper-evident logging [11, 12, 37], and many others. These systems are often built around the authenticated dictionary [31, 23] abstraction, which supports ordinary dictionary operations, with look... |

42 | Caches and hash trees for efficient memory integrity verification
- Gassend, Suh, et al.
- 2003
(Show Context)
Citation Context ...ts childrens’ contents. Consequently, the root node’s hash value fixes the values of the entire tree. Hash-based data structures have been used in a variety of different systems, including smartcards =-=[17]-=-, outsourced databases [41], distributed filesystems [29, 24, 35, 16], graph and geometric searching [19], tamper-evident logging [11, 12, 37], and many others. These systems are often built around th... |

40 | An efficient dynamic and distributed cryptographic accumulator
- Goodrich, Tamassia, et al.
(Show Context)
Citation Context ...e. 4.4 Tuple PADs based on RSA accumulators RSA accumulators [5] are a useful way to authenticate a set with a concise O(1) summary, which can be signed using digital signatures. Dynamic accumulators =-=[10, 18, 34]-=- permit efficient incremental update of accumulator without requiring that it be regenerated. Membership of an element in the set is proved with witnesses, which may be computed by the untrusted serve... |

34 | Can DSA be improved? Complexity trade-offs with the digital signature standard
- Naccache, M’Raihi, et al.
- 1994
(Show Context)
Citation Context ...ortized number of signatures per update is O(E1 + n/E1), with a minimum when E1 = √ n. If DSA signatures are used, latency can be reduced at the start of an epoch by partially precomputing signatures =-=[30]-=-. This creates a super-efficient, history-independent PAD with O( √ n) signatures and O( √ n) storage per update. Note that speculation makes a PAD no longer history independent because the tuples in ... |

31 | Oblivious data structures: Applications to cryptography
- Micciancio
- 1997
(Show Context)
Citation Context ...hey were constructed. For instance, if data items are stored, sorted in an array, no information would remain as to the insertion order. History independence can derive from randomization; Micciancio =-=[28]-=- shows a 2-3 tree whose structure depends on coin tosses, not the keys’ insertion order. History independence can also derive from data structures that have a canonical or unique representation [32]. ... |

28 | Anti-presistence: history independent data structures
- Naor, Teague
- 2001
(Show Context)
Citation Context ...o [28] shows a 2-3 tree whose structure depends on coin tosses, not the keys’ insertion order. History independence can also derive from data structures that have a canonical or unique representation =-=[32]-=-. To this end, our data structures are “set-unique” [2], meaning that a given set of keys in the dictionary has a unique and canonical representation (see Sect. 3.2). Our tree-based PAD designs and so... |

26 | Optimally efficient accountable time-stamping
- Buldas, Lipmaa, et al.
- 2000
(Show Context)
Citation Context ... if there was a single value that fixes or commits the entire dictionary at that particular time. This value can then be stored and replicated efficiently by clients, stored in a time-stamping system =-=[21, 9]-=-, or tamper-evident log [11, 12, 37]. Root authenticators simplify the process of discovering when an untrusted author or server may be lying about the past. Mistrusting 1 In the persistency literatur... |

25 | Authenticated hash tables
- Papamanthou, Tamassia, et al.
(Show Context)
Citation Context ...e. 4.4 Tuple PADs based on RSA accumulators RSA accumulators [5] are a useful way to authenticate a set with a concise O(1) summary, which can be signed using digital signatures. Dynamic accumulators =-=[10, 18, 34]-=- permit efficient incremental update of accumulator without requiring that it be regenerated. Membership of an element in the set is proved with witnesses, which may be computed by the untrusted serve... |

18 | Efficient data structures for tamper-evident logging
- Crosby, Wallach
- 2009
(Show Context)
Citation Context ...been used in a variety of different systems, including smartcards [17], outsourced databases [41], distributed filesystems [29, 24, 35, 16], graph and geometric searching [19], tamper-evident logging =-=[11, 12, 37]-=-, and many others. These systems are often built around the authenticated dictionary [31, 23] abstraction, which supports ordinary dictionary operations, with lookups returning the answer and a proof ... |

13 | Partially persistent data structures of bounded degree with constant update time
- Brodal
- 1996
(Show Context)
Citation Context ...t to query historical versions or snapshots of the repository as well as the most recent version. Persistent data structures were developed to support these features and have been extensively studied =-=[8, 22]-=-, particularly with respect to functional programming [33, 4]. Persistent authenticated dictionaries (PADs) combine these features and were introduced by Anagnostopoulos et al. [1], using applicative ... |

12 | How efficient can memory checking be
- Dwork, Naor, et al.
- 2009
(Show Context)
Citation Context ...istent data structures [13] as well as extending our designs to support outsourced storage where a trusted device uses a small amount of trusted storage to detect faults in a larger untrusted storage =-=[7, 14]-=-. If persistence is unnecessary, but authentication is, our techniques should be easily simplified to only preserve the data necessary to authenticate the latest snapshot. We plan to adapting speculat... |

11 | Design and Implementation of Verifiable Audit Trails for a Versioning File System
- PETERSON, BURNS, et al.
- 2007
(Show Context)
Citation Context |

10 | Making data structures confluently persistent
- Fiat, Kaplan
- 2001
(Show Context)
Citation Context ... thus forming a tree of versions. Path copying trees, described in Sect. 3.3, are an example of such a data structure. Confluently persistent data structures permit merge operations between snapshots =-=[15]-=-.clients need only to discover that the author has signed different root authenticators for the same snapshot. They need not look any deeper. 3 Tree-based PADs In this section, we describe how we can... |

10 | Persistent data structures
- Kaplan
- 2001
(Show Context)
Citation Context ...t to query historical versions or snapshots of the repository as well as the most recent version. Persistent data structures were developed to support these features and have been extensively studied =-=[8, 22]-=-, particularly with respect to functional programming [33, 4]. Persistent authenticated dictionaries (PADs) combine these features and were introduced by Anagnostopoulos et al. [1], using applicative ... |

9 | Access and integrity control in a public-access, high-assurance configuration management system
- Shapiro, Vanderburgh
- 2002
(Show Context)
Citation Context ...s ordinary dictionary operations, with lookups returning the answer and a proof of its correctness. In systems where data changes values over time, such as stock ticker data, revision control systems =-=[38]-=-, or public key infrastructure, participants will want to query historical versions or snapshots of the repository as well as the most recent version. Persistent data structures were developed to supp... |

9 | The blind stone tablet: Outsourcing durability
- Williams, Sion, et al.
- 2009
(Show Context)
Citation Context ...sequently, the root node’s hash value fixes the values of the entire tree. Hash-based data structures have been used in a variety of different systems, including smartcards [17], outsourced databases =-=[41]-=-, distributed filesystems [29, 24, 35, 16], graph and geometric searching [19], tamper-evident logging [11, 12, 37], and many others. These systems are often built around the authenticated dictionary ... |

8 |
Time-scoped searching of encrypted audit logs
- Davis, Monrose, et al.
- 2004
(Show Context)
Citation Context ...been used in a variety of different systems, including smartcards [17], outsourced databases [41], distributed filesystems [29, 24, 35, 16], graph and geometric searching [19], tamper-evident logging =-=[11, 12, 37]-=-, and many others. These systems are often built around the authenticated dictionary [31, 23] abstraction, which supports ordinary dictionary operations, with lookups returning the answer and a proof ... |

8 |
A new dynamic accumulator for batch updates
- Wang, Wang, et al.
- 2007
(Show Context)
Citation Context ...he set is proved with witnesses, which may be computed by the untrusted server. Recent developments include an accumulator supporting efficient non-membership proofs [25] or batch update of witnesses =-=[39, 40]-=-. By storing tuples in a signed accumulator, the update size for a snapshot can be reduced to O(1) while supporting a root authenticator. We leave the complete design and evaluation of such PADs to fu... |

7 | Faster uniquely represented dictionaries - Anderson, Ottmann - 1991 |

7 | Fast functional lists, hash-lists, deques and variable length arrays
- Bagwell
- 2002
(Show Context)
Citation Context ... as well as the most recent version. Persistent data structures were developed to support these features and have been extensively studied [8, 22], particularly with respect to functional programming =-=[33, 4]-=-. Persistent authenticated dictionaries (PADs) combine these features and were introduced by Anagnostopoulos et al. [1], using applicative (i.e., functional or mutation-free) red-black trees and skipl... |

3 |
Improvement of a dynamic accumulator at ICICS 07 and its application in multi-user keyword-based retrieval on encrypted data
- Wang, Wang, et al.
- 2008
(Show Context)
Citation Context ...he set is proved with witnesses, which may be computed by the untrusted server. Recent developments include an accumulator supporting efficient non-membership proofs [25] or batch update of witnesses =-=[39, 40]-=-. By storing tuples in a signed accumulator, the update size for a snapshot can be reduced to O(1) while supporting a root authenticator. We leave the complete design and evaluation of such PADs to fu... |