International Association for Cryptologic Research (IACR)
Abstract
We introduce a model for {\em provable data possession} (\pdp)
that allows a client that has stored data at an untrusted server to
verify that the server possesses the original data without
retrieving it. The model generates probabilistic proofs of
possession by sampling random sets of blocks from the server, which
drastically reduces I/O costs. The client maintains a constant
amount of metadata to verify the proof. The challenge/response
protocol transmits a small, constant amount of data, which minimizes
network communication. Thus, the \pdp model for remote data
checking supports large data sets in widely-distributed storage
systems. Previous work offers guarantees weaker than data
possession, or requires prohibitive overhead at the server.
We present two provably-secure \pdp schemes that are more
efficient than previous solutions, even when compared with schemes
that achieve weaker guarantees. In particular, the overhead at the
server is low (or even constant), as opposed to linear in the size
of the data. Experiments using our implementation verify the
practicality of \pdp and reveal that the performance of \pdp is
bounded by disk I/O and not by cryptographic computation