#### DMCA

## Proofs of Storage from Homomorphic Identification Protocols

### Cached

### Download Links

Citations: | 65 - 3 self |

### Citations

355 |
Zero knowledge proofs of identity
- Feige, Fiat, et al.
- 1988
(Show Context)
Citation Context ... accepts then the prover indeed has (sufficient information to recover) the entire original file ⃗ f. As noted in [1, 11, 14, 5], soundness can be formalized using the notion of a knowledge extractor =-=[7, 3]-=-. As in [5], we phrase our definition using the paradigm of “witness-extended emulation” [12]. Definition 2.6 (Security for a publicly-verifiable PoS). Let Π = (Gen, Encode, Prove, Vrfy) be a publicly... |

273 | D.: Provable Data Possession at Untrusted Stores
- Ateniese, Burns, et al.
- 2007
(Show Context)
Citation Context ...ot to notify the client. Exacerbating the problem (and precluding naïve approaches) are factors such as limited bandwidth between the client and server, as well as the client’s limited resources. See =-=[1, 11]-=- for a more thorough discussion. If we allow communication complexity linear in ⃗ f, there is a simple mechanism allowing the client to verify that the server stores ⃗ f at any given time: When the cl... |

231 | PORs: Proofs of Retrievability for Large Files
- Juels, Burton, et al.
- 2007
(Show Context)
Citation Context ...ot to notify the client. Exacerbating the problem (and precluding naïve approaches) are factors such as limited bandwidth between the client and server, as well as the client’s limited resources. See =-=[1, 11]-=- for a more thorough discussion. If we allow communication complexity linear in ⃗ f, there is a simple mechanism allowing the client to verify that the server stores ⃗ f at any given time: When the cl... |

218 |
A Practical Zero-Knowledge Protocol Fitted to Security Microprocessors Minimizing Both Transmission and Memory
- Guillou, Quisquater
- 1988
(Show Context)
Citation Context ...cation protocol that is suitably homomorphic. The RSA-based HLA used by Ateniese et al. [1] (see also [14, Appendix E]) can be viewed as an instance of our mechanism applied to the Guillou-Quisquater =-=[10]-=- identification protocol; similarly, the Shacham-Waters scheme [14] can be seen as being derived from an underlying identification protocol in bilinear groups. By applying our transformation to a vari... |

180 | Compact Proofs of Retrievability
- Shacham, Waters
- 2008
(Show Context)
Citation Context ...s a key) can verify the server’s storage, and public verifiability, where anyone knowing the client’s public key can perform verification. Extensions and improvements were given by Shacham and Waters =-=[14]-=-, Dodis, Vadhan, and Wichs [5], and Bowers, Juels, and Oprea [4]. We refer to [5] for a more detailed comparison among the existing schemes. Here, we are interested in publicly-verifiable schemes that... |

162 | How to Construct Constant-Round Zero-Knowledge Proof Systems for NP
- Goldreich, Kahan
- 1996
(Show Context)
Citation Context ...ted polynomial time. Proof. If p∗ = 0 then it is clear that K runs in expected polynomial time. So assume p∗ > 0. We must then analyze the expected running time of the extraction procedure, following =-=[8, 12]-=-. Steps 1 and 4 take strict polynomial time. The expected running time of step 2 is exactly (some polynomial times) q(k)/p∗ . As for step 3, there are two cases: If ˜p ∗ ≤ p∗ /2, then the only thing w... |

145 | G.: Scalable and Efficient Provable Data Possession - Ateniese, Pietro, et al. - 2008 |

112 | R.: Dynamic Provable Data Possession - Erway, Kupcu, et al. |

82 | D.: Proofs of Retrievability via Hardness Amplification
- Dodis, Vadhan, et al.
(Show Context)
Citation Context ...s storage, and public verifiability, where anyone knowing the client’s public key can perform verification. Extensions and improvements were given by Shacham and Waters [14], Dodis, Vadhan, and Wichs =-=[5]-=-, and Bowers, Juels, and Oprea [4]. We refer to [5] for a more detailed comparison among the existing schemes. Here, we are interested in publicly-verifiable schemes that can be used for an unbounded ... |

77 | A verifiable secret shuffle of homomorphic encryptions
- Groth
- 2003
(Show Context)
Citation Context ...r simplicity that no st ∈ {0, 1} is chosen twice throughout the experiment, since this occurs with only negligible probability. 4 A similar approach, based on pseudorandom generators, was proposed in =-=[9]-=- in the context of verifiable shuffles. 8Let Λ = (Gen, Tag, Auth, Vrfy) be a public-key HLA, and let F be a pseudorandom function. Construct a publicly-verifiable PoS Π = (Gen, Encode, Prove, Vrfy) a... |

76 | Parallel coin-tossing and constant-round secure two-party computation
- Lindell
(Show Context)
Citation Context ...e ⃗ f. As noted in [1, 11, 14, 5], soundness can be formalized using the notion of a knowledge extractor [7, 3]. As in [5], we phrase our definition using the paradigm of “witness-extended emulation” =-=[12]-=-. Definition 2.6 (Security for a publicly-verifiable PoS). Let Π = (Gen, Encode, Prove, Vrfy) be a publicly-verifiable PoS. Π is secure if there is an expected polynomial-time knowledge extractor K su... |

58 | Proofs of retrievability: Theory and implementation
- Bowers, Juels, et al.
(Show Context)
Citation Context ...y, where anyone knowing the client’s public key can perform verification. Extensions and improvements were given by Shacham and Waters [14], Dodis, Vadhan, and Wichs [5], and Bowers, Juels, and Oprea =-=[4]-=-. We refer to [5] for a more detailed comparison among the existing schemes. Here, we are interested in publicly-verifiable schemes that can be used for an unbounded number of verifications. A useful ... |

52 | The Complexity of Online Memory Checking
- Naor, Rothblum
- 2005
(Show Context)
Citation Context ...NSF grant #0426683. 1Ateniese et al. [1] and Juels and Kaliski [11] independently introduced approaches to this problem having sub-linear communication complexity. (Earlier work by Naor and Rothblum =-=[13]-=- is related, but considers a somewhat weaker adversarial model.) Ateniese et al. also distinguish between the case of private verifiability, where only the original client (or anyone with whom that cl... |

22 | On the security of a practical identification scheme
- Shoup
(Show Context)
Citation Context ...egligible probability. This concludes the proof of Theorem 4.1. 5 A Concrete Instantiation Based on Factoring In this section we describe a homomorphic variant of the identification protocol of Shoup =-=[15]-=-, whose security is based on the hardness of factoring. Together with the transformations described in the previous sections, this yields a factoring-based PoS in the random oracle model. Protocol ΣSh... |