We introduce a model for provable data possession (PDP) that allows a client that has stored data at an untrusted server to verify that the server possesses the original data without retrieving it. The model generates probabilistic proofs of possession by sampling random sets of blocks from the server, which drastically reduces I/O costs. The client maintains a constant amount of metadata to verify the proof. The challenge/response protocol transmits a small, constant amount of data, which minimizes network communication. Thus, the PDP model for remote data checking supports large data sets in widely-distributed storage system.We present two provably-secure PDP schemes that are more efficient than previous solutions, even when compared with schemes that achieve weaker guarantees. In particular, the overhead at the server is low (or even constant), as opposed to linear in the size of the data. Experiments using our implementation verify the practicality of PDP and reveal that the performance of PDP is bounded by disk I/O and not by cryptographic computation.

/pdf/provable-data-possession-at-untrusted-stores-2jbt1jxu32.pdf

Provable data possession at untrusted stores

We introduce a model for provable data possession (PDP) that allows a client that has stored data at an untrusted server to verify that the server possesses the original data without retrieving it. The model generates probabilistic proofs of possession by sampling random sets of blocks from the server, which drastically reduces I/O costs. The client maintains a constant amount of metadata to verify the proof. The challenge/response protocol transmits a small, constant amount of data, which minimizes network communication. Thus, the PDP model for remote data checking supports large data sets in widely-distributed storage systems. We present two provably-secure PDP schemes that are more efficient than previous solutions, even when compared with schemes that achieve weaker guarantees. In particular, the overhead at the server is low (or even constant), as opposed to linear in the size of the data. Experiments using our implementation verify the practicality of PDP and reveal that the performance of PDP is bounded by disk I/O and not by cryptographic computation.

/pdf/provable-data-possession-at-untrusted-stores-5ax3ivpitq.pdf

Provable Data Possession at Untrusted Stores.

Usually, a proof of a theorem contains more knowledge than the mere fact that the theorem is true. For instance, to prove that a graph is Hamiltonian it suffices to exhibit a Hamiltonian tour in it; however, this seems to contain more knowledge than the single bit Hamiltonian/non-Hamiltonian.In this paper a computational complexity theory of the “knowledge” contained in a proof is developed. Zero-knowledge proofs are defined as those proofs that convey no additional knowledge other than the correctness of the proposition in question. Examples of zero-knowledge proof systems are given for the languages of quadratic residuosity and 'quadratic nonresiduosity. These are the first examples of zero-knowledge proofs for languages not known to be efficiently recognizable.

/pdf/the-knowledge-complexity-of-interactive-proof-systems-31apre0ecf.pdf

The knowledge complexity of interactive proof-systems

Informally, an obfuscator O is an (efficient, probabilistic) "compiler" that takes as input a program (or circuit) P and produces a new program O(P) that has the same functionality as P yet is "unintelligible" in some sense. Obfuscators, if they exist, would have a wide variety of cryptographic and complexity-theoretic applications, ranging from software protection to homomorphic encryption to complexity-theoretic analogues of Rice's theorem. Most of these applications are based on an interpretation of the "unintelligibility" condition in obfuscation as meaning that O(P) is a "virtual black box," in the sense that anything one can efficiently compute given O(P), one could also efficiently compute given oracle access to P.

In this work, we initiate a theoretical investigation of obfuscation. Our main result is that, even under very weak formalizations of the above intuition, obfuscation is impossible. We prove this by constructing a family of functions F that are inherently unobfuscatable in the following sense: there is a property π : F → {0, 1} such that (a) given any program that computes a function f ∈ F, the value π(f) can be efficiently computed, yet (b) given oracle access to a (randomly selected) function f ∈ F, no efficient algorithm can compute π(f) much better than random guessing. We extend our impossibility result in a number of ways, including even obfuscators that (a) are not necessarily computable in polynomial time, (b) only approximately preserve the functionality, and (c) only need to work for very restricted models of computation (TC0). We also rule out several potential applications of obfuscators, by constructing "unobfuscatable" signature schemes, encryption schemes, and pseudorandom function families.

/pdf/on-the-im-possibility-of-obfuscating-programs-3jhukv9d43.pdf

On the (Im)possibility of Obfuscating Programs

Newness and distinctiveness is claimed in the features of ornamentation as shown inside the broken line circle in the accompanying representation.

Display screen or portion thereof with graphical user interface

The extensible markup language (XML) is a promising standard for describing semi-structured information and contents on the Internet. When XML comes to be a widespread data encoding format for Web applications, safeguarding the accuracy of the information represented in XML documents will be indispensable. In this paper, we propose a provisional authorization model that provides XML with sophisticated access control mechanism. The well-recognized need for such a system has only recently been addressed. Based on this authorization model, we present an XML access control language (XACL) that integrates security features such as authorization, non-repudiation, confidentiality, and an audit trail for XML documents. We describe our implementation, which can be used as an extension of a Web server for e-Business applications.

XML document security based on provisional authorization

In this paper, we construct a 3-round zero-knowledge protocol for any NP language. Goldreich and Krawczyk proved that a 3-round black-box simulation zero-knowledge protocol exists only for BPP languages. However, there is no contradiction here. That is, our proposed protocol achieves a weaker notion of zero-knowledge: auxiliary-input non-uniform zero-knowledge. Since this notion has not been investigated in the literature, we classify several zero-knowledge notions including it and discuss the relationships among them. Our main contribution is to provide a non-black-box simulation technique. It is based on a novel computational assumption related to the Diffie-Hellman problem. Although this assumption is strong and non-standard, its non-standard nature seems essential for our simulation technique.

/pdf/on-the-existence-of-3-round-zero-knowledge-protocols-329h7zmapn.pdf

On the Existence of 3-Round Zero-Knowledge Protocols

In this paper, we investigate the gap between auxiliary-input zero-knowledge (AIZK) and blackbox-simulation zero-knowledge (BSZK) It is an interesting open problem whether or not there exists a protocol which achieves AIZK, but not BSZK We show that the existence of such a protocol is closely related to the existence of secure code obfuscators A code obfuscator is used to convert a code into an equivalent one that is difficult to reverse-engineer This paper provides security definitions of code obfuscation By their definitions, it is easy to see that the existence of the gap implies the existence of a cheating verifier such that it is impossible to obfuscate any code of it Intuitively, this means that it is possible to reverse-engineer any code of such a cheating verifier Furthermore, we consider the actual behavior of such a cheating verifier In order to do so, we focus on two special cases in which the gap exists: (1) there exists a constant round public-coin AIZK interactive argument for a language outside of BPP (2) there exists a 3-round secret-coin AIZK interactive argument for a language outside of BPP In the former case, we show that it is impossible to securely obfuscate a code of a cheating verifier behaving as a pseudorandom function A similar result is shown also in the latter case Our results imply that any construction of constant round public-coin or 3-round secret-coin AIZK arguments for non-trivial languages essentially requires a computational assumption with a reverse-engineering property

/pdf/zero-knowledge-and-code-obfuscation-3dkdir69kg.pdf

Zero-Knowledge and Code Obfuscation

Enterprises collect large amounts of personal data from their customers. To ease privacy concerns, enterprises publish privacy statements that outline how data is used and shared. The Platform for Enterprise Privacy Practices (E-P3P) defines a fine-grained privacy policy model. A Chief Privacy Officer can use E-P3P to formalize the desired enterprise-internal handling of collected data. A particular data user is then allowed to use certain collected data for a given purpose if and only if the E-P3P authorization engine allows this request based on the applicable E-P3P policy. By enforcing such formalized privacy practices, E-P3P enables enterprises to keep their promises and prevent accidental privacy violations.

E-P3P privacy policies and privacy authorization

Access control policies for XML typically use regular path expressions such as XPath for specifying the objects for access control policies. However such access control policies are burdens to the engines for XML query languages. To relieve this burden, we introduce static analysis for XML access control. Given an access control policy, query expression, and an optional schema, static analysis determines if this query expression is guaranteed not to access elements or attributes that are permitted by the schema but hidden by the access control policy. Static analysis can be performed without evaluating any query expression against an actual database. Run-time checking is required only when static analysis is unable to determine whether to grant or deny access requests. A nice side-effect of static analysis is query optimization: access-denied expressions in queries can be evaluated to empty lists at compile time. We have built a prototype of static analysis for XQuery, and shown the effectiveness and scalability through experiments.

/pdf/xml-access-control-using-static-analysis-542kzdwxq1.pdf

Satoshi Hada

Papers

XML document security based on provisional authorization

On the Existence of 3-Round Zero-Knowledge Protocols

Zero-Knowledge and Code Obfuscation

E-P3P privacy policies and privacy authorization

XML access control using static analysis