Integrity Auditing of Outsourced Data ∗

Min Xie †, Haixun Wang ‡, Jian Yin ‡, Xiaofeng Meng †

† Renmin University of China, Beijing 100872, China, {xiemin,xfmeng}@ruc.edu.cn
‡ IBM T. J. Watson Research Center, Hawthorne, NY 10532, USA, {haixun,jianyin}@us.ibm.com

ABSTRACT

An increasing number of enterprises outsource their IT services to third parties who can offer these services for a much lower cost due to economy of scale. Quality of service is a major concern in outsourcing. In particular, query integrity, which means that query results returned by the service provider are both correct and complete, must be assured. Previous work requires clients to manage data locally to audit the results sent back by the server, or the database engine to be modified to generate authenticated results. In this paper, we introduce a novel integrity audit mechanism that eliminates these costly requirements. In our approach, we insert a small number of records into an outsourced database so that the integrity of the system can be effectively audited by analyzing the inserted records in the query results. We study both randomized and deterministic approaches for generating the inserted records, since how these records are generated has significant implications for storage and performance. Furthermore, we show that our method is provably secure, which means it can withstand any attack by an adversary whose computation power is bounded. Our analytical and empirical results demonstrate the effectiveness of our method.

1. INTRODUCTION

Recent advances in network technology allow an increasing number of enterprises to outsource their IT functions or business processes to third parties that can provide these services for a much lower cost due to economy of scale. According to a recent survey, IT outsourcing has grown by a staggering 79% as companies seek to reduce costs and focus on their core competencies.
Data processing service outsourcing is a major component, as most IT functions revolve around data processing.

Security is essential for outsourced data processing services. Because a third party service provider may not be trusted or may not be securely administered, security properties must be assured at the infrastructure level. In this paper, we focus on mechanisms that provide security assurance for database services offered by third parties.

∗ This research was partially supported by the grants from the Natural Science Foundation of China under grant number 60573091; Natural Science Foundation of Beijing under grant number 4073035; China National Basic Research and Development Program Project (No. 2003CB317000); Program for New Century Excellent Talents in University (NCET).

Permission to copy without fee all or part of this material is granted provided that the copies are not made or distributed for direct commercial advantage, the VLDB copyright notice and the title of the publication and its date appear, and notice is given that copying is by permission of the Very Large Data Base Endowment. To copy otherwise, or to republish, to post on servers or to redistribute to lists, requires a fee and/or special permission from the publisher, ACM.
VLDB '07, September 23-28, 2007, Vienna, Austria.
Copyright 2007 VLDB Endowment, ACM 978-1-59593-649-3/07/09.

Problem Setting. In the database outsourcing scenario, the database owner stores data at a service provider, and the clients send queries to the service provider (Figure 1). We assume data and communication are encrypted, the database system at the service provider supports query processing over encrypted data, and the problem of data privacy has been taken care of [5, 16].

Figure 1: System Model

In addition to data privacy, an important security concern in the database outsourcing paradigm is integrity [11, 12, 15, 9].
When a client receives a query result from the service provider, he wants to be assured that the result is both correct and complete, where correct means that the result must originate in the owner's data and has not been tampered with, and complete means that the result includes all records satisfying the query. The goal of this paper is to provide a simple and elegant protocol to monitor the integrity of outsourced database services.

Providing integrity assurance is a new and challenging task. Traditional DBMSs do not have this issue because in-house data processing is always trusted. Current approaches to this problem require either changes to be made in DBMS kernels, or a significant subset of the data to be stored locally at the client site. Both approaches are costly, hard to implement, and ineffective at least in some scenarios. In particular, a severe challenge is triggered by a rising trend in mobile computing – more and more clients are accessing database services from such devices as PDAs and cell phones, which have limited storage capacity and processing power. Thus, a protocol for integrity assurance needs to impose little storage or computation overhead on the client side.
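
The audit idea from the abstract (insert records, then check for them in query results), sketched as an added example that is not code from the paper. Assumptions: an integer query attribute, an HMAC-based deterministic rule for choosing inserted keys, and a per-record HMAC tag for the correctness check; the names KEY, RATE, is_inserted_key and audit are hypothetical, and the encryption the paper assumes is omitted.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"  # owner/client secret (constructed for this example)
DOMAIN = range(1000)           # assumed integer domain of the queried attribute
RATE = 5                       # assumed: about 1 in 5 domain values gets an inserted record

def is_inserted_key(k):
    # Deterministic rule: the client recomputes this from KEY and stores no records.
    d = hmac.new(KEY, b"ins|%d" % k, hashlib.sha256).digest()
    return int.from_bytes(d[:4], "big") % RATE == 0

def tag(k, payload, inserted):
    # Keyed tag so the server cannot forge or alter records undetected.
    msg = b"%d|%d|" % (k, int(inserted)) + payload.encode()
    return hmac.new(KEY, msg, hashlib.sha256).hexdigest()

def outsource(real):
    # Table sent to the provider: real records plus the inserted ones.
    rows = [(k, p, tag(k, p, False)) for k, p in real]
    rows += [(k, "", tag(k, "", True)) for k in DOMAIN if is_inserted_key(k)]
    return sorted(rows)

def audit(lo, hi, result):
    """Return (correct, missing): tag/range check, then inserted keys absent from result."""
    seen = set()
    for k, p, t in result:
        if hmac.compare_digest(t, tag(k, p, True)):
            seen.add(k)
        elif not hmac.compare_digest(t, tag(k, p, False)):
            return False, []   # record did not originate from the owner
        if not lo <= k <= hi:
            return False, []   # record does not satisfy the query
    expected = {k for k in range(lo, hi + 1) if is_inserted_key(k)}
    return True, sorted(expected - seen)

# Constructed data and three server behaviours for the range query [100, 900].
REAL = [(k, "acct-%d" % k) for k in range(0, 1000, 7)]
TABLE = outsource(REAL)
honest = [r for r in TABLE if 100 <= r[0] <= 900]
lazy = [r for r in honest if not 400 <= r[0] < 600]   # silently drops a sub-range
tampered = [(k, p + "x", t) for k, p, t in honest[:1]] + honest[1:]

if __name__ == "__main__":
    print("honest  :", audit(100, 900, honest))
    print("lazy    :", audit(100, 900, lazy)[1][:5], "...")
    print("tampered:", audit(100, 900, tampered))
```

The client keeps only KEY, which matches the requirement above that the audit impose little storage on the client side.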