## Secure distributed storage and retrieval (2000)

Citations: | 45 - 1 self |

### BibTeX

@MISC{Garay00securedistributed,

author = {Juan A. Garay and Rosario Gennaro and Charanjit Jutla and Tal Rabin},

title = { Secure distributed storage and retrieval },

year = {2000}

}

### Years of Citing Articles

### OpenURL

### Abstract

In his well-known Information Dispersal Algorithm paper, Rabin showed a way to distribute information in n pieces among n servers in such a way that recovery of the information is possible in the presence of up to t inactive servers. An enhanced mechanism to enable construction in the presence of malicious faults, which can intentionally modify their pieces of the information, was later presented by Krawczyk. Yet, these methods assume that the malicious faults occur only at reconstruction time. In this paper we address the more general problem of secure storage and retrieval of information (SSRI), and guarantee that also the process of storing the information is correct even when some of the servers fail. Our protocols achieve this while maintaining the (asymptotical) space optimality of the above methods. We also consider SSRI with the added requirement of con dentiality, by which no party except for the rightful owner of the information is able to learn anything about it. This is achieved through novel applications of cryptographic techniques, such as the distributed generation of receipts, distributed key management via threshold cryptography, and “blinding”. An

### Citations

3184 | A method for obtaining digital signatures and public-key cryptosystems - Rivest, Shamir, et al. - 1978 |

1946 | How to share a secret - Shamir - 1979 |

1241 | Probabilistic encryption - Goldwasser, Micali - 1984 |

1230 | A public key cryptosystem and a signature scheme based on discrete logarithms - ElGamal - 1985 |

868 | A digital signature scheme secure against adaptive chosen message attacks - Goldreich, Micali, et al. - 1988 |

488 | Efficient dispersal of information for security, load balancing, and fault tolerance - Rabin - 1989 |

444 |
Theory and Practice of Error-Control Codes
- Blahut
- 1983
(Show Context)
Citation Context ...ically consists of each processor's piece being hashed---the fingerprints, and then distributing this value among all servers using the coding function of an error correcting code (e.g., Reed-Solomon =-=[1]-=-) that is able to reconstruct from altered pieces. This way, the correct servers are able to reconstruct the fingerprints using the code's decoding function, check whether pieces of the file were corr... |

271 | Threshold Cryptosystems - Desmedt, Frankel - 1990 |

210 |
Verifiable Secret Sharing and Achieving Simultaneity
- Chor, Goldwasser, et al.
- 1985
(Show Context)
Citation Context ... file confidentially? Remember that in our design he communicates with the system through a single gateway, which means that if only the standard techniques of secret sharing reconstruction were used =-=[34, 7]-=-, then the gateway would know all the information available to the user. One novel component of our confidentiality protocol for the solution of the above problem is its distributed key management asp... |

192 | Proactive secret sharing or: How to cope with perpetual leakage - Herzberg, Jarecki, et al. - 1995 |

162 |
signatures for untraceable payments
- Blind
- 1992
(Show Context)
Citation Context ...for the solution of the above problem is its distributed key management aspect, achieved through the application of a combination of threshold cryptography (see Section 2.4.1) and blinding techniques =-=[5]-=-. The contributions of this paper can be summarized as follows: ffl We consider the more general problem of information storage and retrieval, guaranteeing that also the process of storing the informa... |

152 | How to withstand mobile virus attacks - Ostrovsky, Yung - 1991 |

131 | Robust Threshold DSS Signatures - Gennaro, Jarecki, et al. - 1996 |

109 |
Shared Generation of Authenticators and Signature
- Desmedt, Frankel
- 1991
(Show Context)
Citation Context ... cryptography techniques can be found in [13]. Protocols for discrete log-based threshold cryptosystems can be found in [2, 4, 12, 23, 30, 19]. Protocols for RSA-based threshold cryptosystems include =-=[9, 10, 15, 18, 32]. In Appen-=-dix B we present an example of threshold cryptography applied to RSA [33]. 2.4.2 Blinding The cryptographic technique called "blinding" [5] can be explained as follows. Suppose that a server... |

104 |
Society and Group Oriented Cryptography: A New Concept
- Desmedt
- 1987
(Show Context)
Citation Context ...1 servers to be functioning in order to be able to compute the function FK , meaning that one can tolerate up to n \Gamma t \Gamma 1 crashes. Threshold cryptography was originated in works by Desmedt =-=[11]-=-, Boyd [2], Croft and Harris [8], and Desmedt and Frankel [12]. A survey of threshold cryptography techniques can be found in [13]. Protocols for discrete log-based threshold cryptosystems can be foun... |

100 |
Threshold cryptography
- Desmedt
(Show Context)
Citation Context ... 1 crashes. Threshold cryptography was originated in works by Desmedt [11], Boyd [2], Croft and Harris [8], and Desmedt and Frankel [12]. A survey of threshold cryptography techniques can be found in =-=[13]-=-. Protocols for discrete log-based threshold cryptosystems can be found in [2, 4, 12, 23, 30, 19]. Protocols for RSA-based threshold cryptosystems include [9, 10, 15, 18, 32]. In Appendix B we present... |

91 | Proactive public key and signature systems - Herzberg, Jakobsson, et al. - 1997 |

68 | How to share a function securely - Santis, Desmedt, et al. - 1994 |

54 |
Maintaining Security in the Presence of Transient Faults
- Canetti, Herzberg
- 1994
(Show Context)
Citation Context ...he amortized sense) than the one of [28]. ffl "Proactive" SSRI: SSRI robust against an adversary which may corrupt all servers during the system's lifetime, but only up to t during each time=-= interval [29, 3]-=-. The remainder of the paper is organized as follows. In the next section we present the model, necessary definitions, and description of the tools that we use in this paper. In Section 3 we describe ... |

52 |
Optimal Resilience Proactive Public-Key Cryptosystems
- Frankel, Gemmell, et al.
- 1997
(Show Context)
Citation Context ...rited from the fault-tolerance of the distributed threshold signature/decryption protocols. As there exist distributed threshold signature/decryption protocols with optimal fault-tolerance (ns2t + 1) =-=[15, 18, 20, 14, 32]-=-, it follows that our protocols can also exhibit optimal fault-tolerance. 3 Integrity Only The protocols of this section extend the methods of [31, 27] for integrity to achieve SSRI while maintaining ... |

50 | Secret Sharing Made Short - Krawczyk - 1993 |

49 |
Digital Multisignatures
- Boyd
- 1989
(Show Context)
Citation Context ...o be functioning in order to be able to compute the function FK , meaning that one can tolerate up to n \Gamma t \Gamma 1 crashes. Threshold cryptography was originated in works by Desmedt [11], Boyd =-=[2]-=-, Croft and Harris [8], and Desmedt and Frankel [12]. A survey of threshold cryptography techniques can be found in [13]. Protocols for discrete log-based threshold cryptosystems can be found in [2, 4... |

45 | Proactive RSA
- Frankel, Gemmell, et al.
- 1997
(Show Context)
Citation Context ...). Several proactive techniques have been presented in the past. Proactive protocols for secret sharing were presented in [25], while proactive protocols for threshold cryptography were introduced in =-=[24, 19, 16]-=-. A basic technique of Proactive Security is to introduce refreshment phases in the system. During a refreshment phase a server that has been broken into but is not anymore under the control of the ad... |

29 |
Efficient and secure multiparty generation of digital signatures based on discrete logarithms
- Cerecedo, Matsumoto, et al.
- 1993
(Show Context)
Citation Context ...d [2], Croft and Harris [8], and Desmedt and Frankel [12]. A survey of threshold cryptography techniques can be found in [13]. Protocols for discrete log-based threshold cryptosystems can be found in =-=[2, 4, 12, 23, 30, 19]-=-. Protocols for RSA-based threshold cryptosystems include [9, 10, 15, 18, 32]. In Appendix B we present an example of threshold cryptography applied to RSA [33]. 2.4.2 Blinding The cryptographic techn... |

26 | Witness-based Cryptographic Program Checking and Robust Function Sharing
- Frankel, Gemmell, et al.
- 1996
(Show Context)
Citation Context ... cryptography techniques can be found in [13]. Protocols for discrete log-based threshold cryptosystems can be found in [2, 4, 12, 23, 30, 19]. Protocols for RSA-based threshold cryptosystems include =-=[9, 10, 15, 18, 32]. In Appen-=-dix B we present an example of threshold cryptography applied to RSA [33]. 2.4.2 Blinding The cryptographic technique called "blinding" [5] can be explained as follows. Suppose that a server... |

19 |
Public-key cryptography and re-usable shared secrets
- Croft, Harris
- 1989
(Show Context)
Citation Context ...der to be able to compute the function FK , meaning that one can tolerate up to n \Gamma t \Gamma 1 crashes. Threshold cryptography was originated in works by Desmedt [11], Boyd [2], Croft and Harris =-=[8]-=-, and Desmedt and Frankel [12]. A survey of threshold cryptography techniques can be found in [13]. Protocols for discrete log-based threshold cryptosystems can be found in [2, 4, 12, 23, 30, 19]. Pro... |

18 | New Elgamal type threshold digital signature scheme,” IEICE transactions on fundamentals of electronics, communications and computer science - Park, Kurosawa - 1996 |

17 |
Yvo Desmedt, Yair Frankel, and Moti Yung. How to share a function securely
- Santis
- 1994
(Show Context)
Citation Context ... cryptography techniques can be found in [13]. Protocols for discrete log-based threshold cryptosystems can be found in [2, 4, 12, 23, 30, 19]. Protocols for RSA-based threshold cryptosystems include =-=[9, 10, 15, 18, 32]. In Appen-=-dix B we present an example of threshold cryptography applied to RSA [33]. 2.4.2 Blinding The cryptographic technique called "blinding" [5] can be explained as follows. Suppose that a server... |

13 | Veri able secret sharing and achieving simultaneity in the presence of faults - Chor, Goldwasser, et al. - 1985 |

12 | Blind signatures for untraceable payments, Advances in Cryptology - Crypto '82 - CHAUM - 1983 |

11 | Group oriented (t; n) digital signature scheme - Harn - 1994 |

9 | A Security Architecture for the Internet Protocol - Cheng, Garay, et al. - 1998 |

6 | A simpli ed approach to threshold and proactive RSA - Rabin - 1998 |

4 |
Design and Implementation of Modular Key Management Protocol and IP Secure Tunnel
- Chen, Garay, et al.
- 1996
(Show Context)
Citation Context ... the only thing we need is a reliable time-out mechanism, and a means to guarantee the freshness of authentication. Possible realizations of the latter are via time stamps, or just nonces. See, e.g., =-=[6]-=-. It is assumed that at any time during the life of the system, at most t of the n servers can malfunction, possibly in malicious ways. (This reflects the security concern we concentrate on in this pa... |

4 | Robust and e cient sharing of RSA functions - Gennaro, Jarecki, et al. - 1996 |

3 | to share a function securely - How - 1994 |

2 | Distributed ngerprints and secure information dispersal - Krawczyk - 1993 |

1 | Threshold cryptography, Eur - Desmedt - 1994 |

1 | Simpli ed vss and fast-track multiparty computations with applications to threshold cryptography - Gennaro, Rabin, et al. - 1997 |

1 | Secure Socket Library, Netscape Communications Corp. ¡http:==www.mcom.com=info =SSL.html - Hickman |