Dynamic Proofs of Retrievability Via Oblivious RAM

Proofs of retrievability allow a client to store her data on a remote server (e.g., “in the cloud”) and periodically execute an efficient audit protocol to check that all of the data are being maintained correctly and can be recovered from the server. For efficiency, the computation and communication of the server and client during an audit protocol should be significantly smaller than reading/transmitting the data in its entirety. Although the server is only asked to access a few locations of its storage during an audit, it must maintain full knowledge of all client data to be able to pass. Starting with the work of Juels and Kaliski (CCS ’07), all prior solutions to this problem crucially assume that the client data are static and do not allow it to be efficiently updated. Indeed, they all store a redundant encoding of the data on the server, so that the server must delete a large fraction of its storage to “lose” any actual content. Unfortunately, this means that even a single bit modification to the original data will need to modify a large fraction of the server storage, which makes updates highly inefficient. Overcoming this limitation was left as the main open problem by all prior works. In this work, we give the first solution providing proofs of retrievability for dynamic storage, where the client can perform arbitrary reads/writes on any location within her data by running an efficient protocol with the server. At any point in time, the client can execute an efficient audit protocol to ensure that the server maintains the latest version of the client data. The computation and communication complexity of the server and client in our protocols are only polylogarithmic in the size of the client’s data. The starting point of our solution is to split up the data into small blocks and redundantly encode each block of data individually, so that an update inside any data block only affects a few codeword symbols. The main difficulty is to prevent the server from identifying and deleting too many codeword symbols belonging to any single data block. We do so by hiding where the various codeword symbols for any individual data block are stored on the server and when they are being accessed by the client, using the algorithmic techniques of oblivious RAM.

[1]  Elaine Shi,et al.  Oblivious RAM with O((logN)3) Worst-Case Cost , 2011, ASIACRYPT.

[2]  Peter Williams,et al.  Building castles out of mud: practical access pattern privacy and correctness on untrusted storage , 2008, CCS.

[3]  Alptekin Küpçü,et al.  Transparent, Distributed, and Replicated Dynamic Provable Data Possession , 2013, ACNS.

[4]  W. Hoeffding Probability Inequalities for sums of Bounded Random Variables , 1963 .

[5]  Mihir Bellare,et al.  On Defining Proofs of Knowledge , 1992, CRYPTO.

[6]  Jonathan Katz,et al.  Proofs of Storage from Homomorphic Identification Protocols , 2009, ASIACRYPT.

[7]  Reza Curtmola,et al.  MR-PDP: Multiple-Replica Provable Data Possession , 2008, 2008 The 28th International Conference on Distributed Computing Systems.

[8]  Silvio Micali,et al.  The knowledge complexity of interactive proof-systems , 1985, STOC '85.

[9]  Benny Pinkas,et al.  Oblivious RAM Revisited , 2010, CRYPTO.

[10]  Cong Wang,et al.  Enabling Public Verifiability and Data Dynamics for Storage Security in Cloud Computing , 2009, ESORICS.

[11]  Rafail Ostrovsky,et al.  Software protection and simulation on oblivious RAMs , 1996, JACM.

[12]  Ari Juels,et al.  Pors: proofs of retrievability for large files , 2007, CCS '07.

[13]  Michael T. Goodrich,et al.  Privacy-Preserving Access of Outsourced Data via Oblivious RAM Simulation , 2010, ICALP.

[14]  Ari Juels,et al.  HAIL: a high-availability and integrity layer for cloud storage , 2009, CCS.

[15]  Michael Mitzenmacher,et al.  More Robust Hashing: Cuckoo Hashing with a Stash , 2008, ESA.

[16]  Rafail Ostrovsky,et al.  Private information storage (extended abstract) , 1997, STOC '97.

[17]  Marten van Dijk,et al.  Iris: a scalable cloud file system with efficient integrity checks , 2012, ACSAC '12.

[18]  Elaine Shi,et al.  Path ORAM: an extremely simple oblivious RAM protocol , 2012, CCS.

[19]  Michael T. Goodrich,et al.  Privacy-preserving group data access via stateless oblivious RAM simulation , 2011, SODA.

[20]  Rasmus Pagh,et al.  Cuckoo Hashing , 2001, Encyclopedia of Algorithms.

[21]  Rafail Ostrovsky,et al.  Locally Updatable and Locally Decodable Codes , 2014, TCC.

[22]  Alptekin Küpçü,et al.  Efficient Cryptography for the Next Generation Secure Cloud , 2010 .

[23]  Moni Naor,et al.  How Efficient Can Memory Checking Be? , 2009, TCC.

[24]  Reza Curtmola,et al.  Provable data possession at untrusted stores , 2007, CCS '07.

[25]  Yevgeniy Dodis,et al.  Proofs of Retrievability via Hardness Amplification , 2009, IACR Cryptol. ePrint Arch..

[26]  Michael T. Goodrich,et al.  Oblivious RAM simulation with efficient worst-case access overhead , 2011, CCSW '11.

[27]  Elaine Shi,et al.  Practical dynamic proofs of retrievability , 2013, CCS.

[28]  Hovav Shacham,et al.  Compact Proofs of Retrievability , 2008, Journal of Cryptology.

[29]  Ari Juels,et al.  Proofs of retrievability: theory and implementation , 2009, CCSW '09.

[30]  David Cash,et al.  Dynamic Proofs of Retrievability via Oblivious RAM , 2013, EUROCRYPT.

[31]  Roberto Di Pietro,et al.  Scalable and efficient provable data possession , 2008, IACR Cryptol. ePrint Arch..

[32]  Manuel Blum,et al.  Checking the correctness of memories , 2005, Algorithmica.

[33]  Reza Curtmola,et al.  Remote data checking for network coding-based distributed storage systems , 2010, CCSW '10.

[34]  Moni Naor,et al.  The complexity of online memory checking , 2005, 46th Annual IEEE Symposium on Foundations of Computer Science (FOCS'05).