Abstract

In his well-known Information Dispersal Algorithm paper, Rabin showed a way to distribute information in n pieces among n servers in such a way that recovery of the information is possible in the presence of up to t inactive servers. An enhanced mechanism to enable construction in the presence of malicious faults, which can intentionally modify their pieces of the information, was later presented by Krawczyk. Yet, these methods assume that the malicious faults occur only at reconstruction time.

In this paper we address the more general problem of secure storage and retrieval of information (SSRI), and guarantee that also the process of storing the information is correct even when some of the servers fail. Our protocols achieve this while maintaining the (asymptotical) space optimality of the above methods.

We also consider SSRI with the added requirement of confidentiality, by which no party except for the rightful owner of the information is able to learn anything about it. This is achieved through novel applications of cryptographic techniques, such as the distributed generation of receipts, distributed key management via threshold cryptography, and “blinding”.

An interesting byproduct of our scheme is the construction of a secret sharing scheme with shorter shares size in the amortized sense. An immediate practical application of our work is a system for the secure deposit of sensitive data. We also extend SSRI to a “proactive” setting, where an adversary may corrupt all the servers during the lifetime of the system, but only a fraction during any given time interval.

Author Keywords: Information security; Information dispersal; Distributed storage; Threshold cryptography

*1 A preliminary version of this paper appeared in Proc. 11th International Workshop on Distributed Algorithms (WDAG ’97) [18].

¹ Work done while the author was at the IBM T.J. Watson Research Center.

Corresponding author; email: garay@research.bell-labs.com