nach oben

Journal of Cryptology

Erschienen in:

22.09.2015

Dynamic Proofs of Retrievability Via Oblivious RAM

verfasst von: David Cash, Alptekin Küpçü, Daniel Wichs

Erschienen in: Journal of Cryptology | Ausgabe 1/2017

Einloggen

Aktivieren Sie unsere intelligente Suche, um passende Fachinhalte oder Patente zu finden.

search-config

KI-gestützte Suche

Aus

Abstract

Proofs of retrievability allow a client to store her data on a remote server (e.g., “in the cloud”) and periodically execute an efficient audit protocol to check that all of the data are being maintained correctly and can be recovered from the server. For efficiency, the computation and communication of the server and client during an audit protocol should be significantly smaller than reading/transmitting the data in its entirety. Although the server is only asked to access a few locations of its storage during an audit, it must maintain full knowledge of all client data to be able to pass. Starting with the work of Juels and Kaliski (CCS ’07), all prior solutions to this problem crucially assume that the client data are static and do not allow it to be efficiently updated. Indeed, they all store a redundant encoding of the data on the server, so that the server must delete a large fraction of its storage to “lose” any actual content. Unfortunately, this means that even a single bit modification to the original data will need to modify a large fraction of the server storage, which makes updates highly inefficient. Overcoming this limitation was left as the main open problem by all prior works. In this work, we give the first solution providing proofs of retrievability for dynamic storage, where the client can perform arbitrary reads/writes on any location within her data by running an efficient protocol with the server. At any point in time, the client can execute an efficient audit protocol to ensure that the server maintains the latest version of the client data. The computation and communication complexity of the server and client in our protocols are only polylogarithmic in the size of the client’s data. The starting point of our solution is to split up the data into small blocks and redundantly encode each block of data individually, so that an update inside any data block only affects a few codeword symbols. The main difficulty is to prevent the server from identifying and deleting too many codeword symbols belonging to any single data block. We do so by hiding where the various codeword symbols for any individual data block are stored on the server and when they are being accessed by the client, using the algorithmic techniques of oblivious RAM.

Vorheriger Artikel Weak Locking Capacity of Quantum Channels Can be Much Larger Than Private Capacity

Nächster Artikel A Full Proof of the BGW Protocol for Perfectly Secure Multiparty Computation

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Nur mit Berechtigung zugänglich

Some of the more advanced PoR schemes (e.g., [12, 30]) optimize the communication complexity of the audit even further by cleverly compressing the t codeword symbols and their authentication tags in the server’s response.

This requires that we can efficiently check the authenticity of the remotely stored data \(\mathbf{C }\), while supporting efficient updates on it. This problem is solved by memory checking (see our survey of related work in Sect. 1.2).

A variant of this idea was actually used by Juels and Kaliski [22] for extra efficiency in the static setting.

The above only holds when the complexity of the updates and the audit are both \(o(\sqrt{\ell })\), where \(\ell \) is the size of the data. See “Appendix 1” for a simple protocol of this form that archives square root complexity.

This is in contrast to the standard sequential operations where the client state is updated after each execution.

An alternative way to use static PDP can also achieve full security, at the cost of requiring the server to read the entire client data during an audit, but still minimizing the communication complexity. If the data are large, say 10 GB, this is vastly impractical.

This is similar to the extractor in zero-knowledge proofs of knowledge. In particular, \({\mathcal {E}}\) can execute protocols with the malicious server in its state \(\tilde{{\mathcal {S}}}_{{\textsf {fin}}}\) and rewind it back to this state at the end of the execution.

Traditionally, authenticity is not always defined/required for ORAM. However, it is crucial for our use. As noted in several prior works, it can often be added at almost no cost to efficiency. It can also be added generically by running a memory checking scheme on top of ORAM. See Sect. 6.4 for details.

We can skip this step if the client already has the value \(\mathbf{m }\) stored locally, e.g., from prior read executions.

The failure event \({\textsf {fail}}_1\) and the choice of \(\delta \) is only intended to simplify the analysis of the extractor. The only real bad event from which the extractor cannot recover is \({\textsf {fail}}_2\).

As usual, instead of actually picking and using a random function, which is an exponential task, we create random numbers whenever necessary and remember them. Since there will be only polynomially many interactions, this only requires polynomial time and space.

Here we mean actual writes on the server and not \(\mathbf{\textsf {O} }\textsf {Write}\) executions.

We suggest setting \(k = t = \lambda = 128\) and \(n = 2k = 256\).

G. Ateniese, R.C. Burns, R. Curtmola, J. Herring, L. Kissner, Z.N.J. Peterson, D. Song. Provable data possession at untrusted stores, in P. Ning, S.D.C. di Vimercati, P.F. Syverson, editors, ACM CCS 07 (ACM Press, 2007), pp. 598–609.

G. Ateniese, S. Kamara, and J. Katz. Proofs of storage from homomorphic identification protocols, in M. Matsui, editor, ASIACRYPT 2009, vol. 5912 of LNCS (Springer, 2009), pp. 319–333.

G. Ateniese, R.D. Pietro, L.V. Mancini, G. Tsudik. Scalable and efficient provable data possession. Cryptology ePrint Archive, Report 2008/114 (2008). http://eprint.iacr.org/.

M. Bellare and O. Goldreich. On defining proofs of knowledge, in E.F. Brickell, editor, CRYPTO’92, vol. 740 of LNCS (Springer, 1993), pp. 390–420.

M. Blum, W.S. Evans, P. Gemmell, S. Kannan, M. Naor. Checking the correctness of memories. Algorithmica, 12(2/3):225–244, (1994).MathSciNetCrossRefMATH

K. D. Bowers, A. Juels, A. Oprea. HAIL: a high-availability and integrity layer for cloud storage. in E. Al-Shaer, S. Jha, A.D. Keromytis, editors, ACM CCS 09 (ACM Press, 2009), pp. 187–198.

K.D. Bowers, A. Juels, A. Oprea. Proofs of retrievability: theory and implementation, in R. Sion and D. Song, editors, CCSW (ACM, 2009), pp. 43–54.

D. Cash, A. Küpçü, D. Wichs. Dynamic proofs of retrievability via oblivious ram, in EUROCRYPT, (2013).

N. Chandran, B. Kanukurthi, R. Ostrovsky. Locally updatable and locally decodable codes, in TCC, (2014).

10.

B. Chen, R. Curtmola, G. Ateniese, R.C. Burns. Remote data checking for network coding-based distributed storage systems, in A. Perrig and R. Sion, editors, CCSW (ACM, 2010), pp. 31–42.

11.

R. Curtmola, O. Khan, R. Burns, G. Ateniese. Mr-pdp: Multiple-replica provable data possession, in ICDCS, (2008).

12.

Y. Dodis, S.P. Vadhan, D. Wichs. Proofs of retrievability via hardness amplification, in O. Reingold, editor, TCC 2009, vol. 5444 of LNCS (Springer, 2009), pp. 109–127.

13.

C. Dwork, M. Naor, G.N. Rothblum, V. Vaikuntanathan. How efficient can memory checking be? in O. Reingold, editor, TCC 2009, vol. 5444 of LNCS (Springer, 2009), pp. 503–520.

14.

C.C. Erway, A. Küpçü, C. Papamanthou, R. Tamassia. Dynamic provable data possession, in E. Al-Shaer, S. Jha, A.D. Keromytis, editors, ACM CCS 09 (ACM Press, 2009), pp. 213–222.

15.

M. Etemad, A. Küpçü. Transparent, distributed, and replicated dynamic provable data possession, in ACNS (2013).

16.

O. Goldreich and R. Ostrovsky. Software protection and simulation on oblivious RAMs. Journal of the ACM, 43(3):431–473, 1996.MathSciNetCrossRefMATH

17.

S. Goldwasser, S. Micali, and C. Rackoff. The knowledge complexity of interactive proof systems. SIAM Journal on Computing, 18(1):186–208, 1989.MathSciNetCrossRefMATH

18.

M.T. Goodrich, M. Mitzenmacher. Privacy-preserving access of outsourced data via oblivious RAM simulation, in L. Aceto, M. Henzinger, and J. Sgall, editors, ICALP 2011, Part II, vol. 6756 of LNCS (Springer, 2011), pp. 576–587.

19.

M.T. Goodrich, M. Mitzenmacher, O. Ohrimenko, R. Tamassia. Oblivious RAM simulation with efficient worst-case access overhead, in CCSW (2011), pp. 95–100.

20.

M.T. Goodrich, M. Mitzenmacher, O. Ohrimenko, R. Tamassia. Privacy-preserving group data access via stateless oblivious ram simulation, in SODA (2012), pp. 157–167.

21.

W. Hoeffding. Probability inequalities for sums of bounded random variables. Journal of the American Statistical Association, 58(301):13–30, 1963.MathSciNetCrossRefMATH

22.

A. Juels, B.S. Kaliski Jr. Pors: proofs of retrievability for large files, in P. Ning, S.D.C. di Vimercati, P.F. Syverson, editors, ACM CCS 07 (ACM Press, 2007), pp. 584–597.

23.

A. Kirsch, M. Mitzenmacher, and U. Wieder. More robust hashing: Cuckoo hashing with a stash. SIAM J. Comput., 39(4):1543–1561, 2009.MathSciNetCrossRefMATH

24.

A. Küpçü. Efficient Cryptography for the Next Generation Secure Cloud. Ph.D. thesis, Brown University (2010).

25.

A. Küpçü. Efficient Cryptography for the Next Generation Secure Cloud: Protocols, Proofs, and Implementation. (Lambert Academic Publishing, 2010).

26.

M. Naor, G.N. Rothblum. The complexity of online memory checking, in 46th FOCS (IEEE Computer Society Press, 2005), pp. 573–584.

27.

R. Ostrovsky, V. Shoup. Private information storage (extended abstract), in 29th ACM STOC (ACM Press, 1997), pp. 294–303.

28.

R. Pagh and F. F. Rodler. Cuckoo hashing. J. Algorithms, 51(2):122–144, 2004.MathSciNetCrossRefMATH

29.

B. Pinkas, T. Reinman. Oblivious RAM revisited. In T. Rabin, editor, CRYPTO, vol. 6223 of LNCS (Springer, 2010), pp. 502–519.

30.

H. Shacham, B. Waters. Compact proofs of retrievability, in J. Pieprzyk, editor, ASIACRYPT 2008, vol. 5350 of LNCS (Springer, 2008), pp. 90–107.

31.

E. Shi, T.-H.H. Chan, E. Stefanov, M. Li. Oblivious ram with o((logn)3) worst-case cost, in D.H. Lee, X. Wang, editors, ASIACRYPT, vol. 7073 of Lecture Notes in Computer Science (Springer, 2011), pp. 197–214.

32.

E. Shi, E. Stefanov, C. Papamanthou. Practical dynamic proofs of retrievability, in ACM CCS (2013).

33.

E. Stefanov, M. van Dijk, A. Oprea, A. Juels. Iris: a scalable cloud file system with efficient integrity checks. Cryptology ePrint Archive, Report 2011/585 (2011). http://eprint.iacr.org/.

34.

E. Stefanov, M. van Dijk, E. Shi, C. Fletcher, L. Ren, X. Yu, S. Devadas. Path oram: An extremely simple oblivious ram protocol, in Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security, CCS ’13 (2013), pp. 299–310.

35.

Q. Wang, C. Wang, J. Li, K. Ren, W. Lou. Enabling public verifiability and data dynamics for storage security in cloud computing. In M. Backes, P. Ning, editors, ESORICS 2009, vol. 5789 of LNCS (Springer, 2009), pp. 355–370.

36.

P. Williams, R. Sion, B. Carbunar. Building castles out of mud: practical access pattern privacy and correctness on untrusted storage, in P. Ning, P.F. Syverson, S. Jha, editors, ACM CCS 08 (ACM Press, 2008), pp. 139–148.

37.

C. C. Erway, A. Küpçü, C. Papamanthou, R. Tamassia. Dynamic provable data possession. ACM Trans. Inf. Syst. Secur., 17(4):15, 2015.

Titel: Dynamic Proofs of Retrievability Via Oblivious RAM
verfasst von: David Cash
Alptekin Küpçü
Daniel Wichs
Publikationsdatum: 22.09.2015
Verlag: Springer US
Erschienen in: Journal of Cryptology / Ausgabe 1/2017
Print ISSN: 0933-2790
Elektronische ISSN: 1432-1378
DOI: https://doi.org/10.1007/s00145-015-9216-2

Springer Professional

Abstract

Bitte loggen Sie sich ein, um Zugang zu Ihrer Lizenz zu erhalten.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Springer Professional "Wirtschaft"

Weitere Artikel der Ausgabe 1/2017

An Algebraic Framework for Diffie–Hellman Assumptions

Obfuscating Conjunctions

Non-malleable Coding Against Bit-Wise and Split-State Tampering

Weak Locking Capacity of Quantum Channels Can be Much Larger Than Private Capacity

Bounded Tamper Resilience: How to Go Beyond the Algebraic Barrier

A Full Proof of the BGW Protocol for Perfectly Secure Multiparty Computation

Premium Partner