Remote integrity check with dishonest storage server

Abstract

We are interested in this problem: a verifier, with a small and reliable storage, wants to periodically check whether a remote server is keeping a large file x. A dishonest server, by adapting the challenges and responses, tries to discard partial information of x and yet evades detection. Besides the security requirements, there are considerations on communication, storage size and computation time. Juels et al. [10] gave a security model for Proof of Retrievability ( ) system. The model imposes a requirement that the original x can be recovered from multiple challenges-responses. Such requirement is not necessary in our problem. Hence, we propose an alternative security model for Remote Integrity Check ( ). We study a few schemes and analyze their efficiency and security. In particular, we prove the security of a proposed scheme HENC. This scheme can be deployed as a system and it also serves as an example of an effective system whose "extraction" is not verifiable. We also propose a combination of the RSA-based scheme by Filho et al. [7] and the ECC-based authenticator by Naor et al. [12], which achieves good asymptotic performance. This scheme is not a system and seems to be a secure . In-so-far, all schemes that have been proven secure can also be adopted as systems. This brings out the question of whether there are fundamental differences between the two models. To highlight the differences, we introduce a notion, trap-door compression, that captures a property on compressibility. © 2008 Springer Berlin Heidelberg.