Journal of Cryptology

, Volume 30, Issue 1, pp 22–57 | Cite as

Dynamic Proofs of Retrievability Via Oblivious RAM

  • David Cash
  • Alptekin Küpçü
  • Daniel Wichs


Proofs of retrievability allow a client to store her data on a remote server (e.g., “in the cloud”) and periodically execute an efficient audit protocol to check that all of the data are being maintained correctly and can be recovered from the server. For efficiency, the computation and communication of the server and client during an audit protocol should be significantly smaller than reading/transmitting the data in its entirety. Although the server is only asked to access a few locations of its storage during an audit, it must maintain full knowledge of all client data to be able to pass. Starting with the work of Juels and Kaliski (CCS ’07), all prior solutions to this problem crucially assume that the client data are static and do not allow it to be efficiently updated. Indeed, they all store a redundant encoding of the data on the server, so that the server must delete a large fraction of its storage to “lose” any actual content. Unfortunately, this means that even a single bit modification to the original data will need to modify a large fraction of the server storage, which makes updates highly inefficient. Overcoming this limitation was left as the main open problem by all prior works. In this work, we give the first solution providing proofs of retrievability for dynamic storage, where the client can perform arbitrary reads/writes on any location within her data by running an efficient protocol with the server. At any point in time, the client can execute an efficient audit protocol to ensure that the server maintains the latest version of the client data. The computation and communication complexity of the server and client in our protocols are only polylogarithmic in the size of the client’s data. The starting point of our solution is to split up the data into small blocks and redundantly encode each block of data individually, so that an update inside any data block only affects a few codeword symbols. The main difficulty is to prevent the server from identifying and deleting too many codeword symbols belonging to any single data block. We do so by hiding where the various codeword symbols for any individual data block are stored on the server and when they are being accessed by the client, using the algorithmic techniques of oblivious RAM.


Cloud storage Oblivious ram Outsourced data integrity Proof of retrievability Provable data possession 



Alptekin Küpçü would like to acknowledge the support of TÜBİTAK, the Scientific and Technological Research Council of Turkey, under project number 112E115, and European Union COST Action IC1306. David Cash and Daniel Wichs are sponsored by DARPA under agreement number FA8750-11-C-0096. The US Government is authorized to reproduce and distribute reprints for Governmental purposes notwithstanding any copyright notation thereon. The views expressed are those of the author and do not reflect the official policy or position of the Department of Defense or the US Government. Distribution Statement “A” (Approved for Public Release, Distribution Unlimited).


  1. 1.
    G. Ateniese, R.C. Burns, R. Curtmola, J. Herring, L. Kissner, Z.N.J. Peterson, D. Song. Provable data possession at untrusted stores, in P. Ning, S.D.C. di Vimercati, P.F. Syverson, editors, ACM CCS 07 (ACM Press, 2007), pp. 598–609.Google Scholar
  2. 2.
    G. Ateniese, S. Kamara, and J. Katz. Proofs of storage from homomorphic identification protocols, in M. Matsui, editor, ASIACRYPT 2009, vol. 5912 of LNCS (Springer, 2009), pp. 319–333.Google Scholar
  3. 3.
    G. Ateniese, R.D. Pietro, L.V. Mancini, G. Tsudik. Scalable and efficient provable data possession. Cryptology ePrint Archive, Report 2008/114 (2008).
  4. 4.
    M. Bellare and O. Goldreich. On defining proofs of knowledge, in E.F. Brickell, editor, CRYPTO’92, vol. 740 of LNCS (Springer, 1993), pp. 390–420.Google Scholar
  5. 5.
    M. Blum, W.S. Evans, P. Gemmell, S. Kannan, M. Naor. Checking the correctness of memories. Algorithmica, 12(2/3):225–244, (1994).MathSciNetCrossRefzbMATHGoogle Scholar
  6. 6.
    K. D. Bowers, A. Juels, A. Oprea. HAIL: a high-availability and integrity layer for cloud storage. in E. Al-Shaer, S. Jha, A.D. Keromytis, editors, ACM CCS 09 (ACM Press, 2009), pp. 187–198.Google Scholar
  7. 7.
    K.D. Bowers, A. Juels, A. Oprea. Proofs of retrievability: theory and implementation, in R. Sion and D. Song, editors, CCSW (ACM, 2009), pp. 43–54.Google Scholar
  8. 8.
    D. Cash, A. Küpçü, D. Wichs. Dynamic proofs of retrievability via oblivious ram, in EUROCRYPT, (2013).Google Scholar
  9. 9.
    N. Chandran, B. Kanukurthi, R. Ostrovsky. Locally updatable and locally decodable codes, in TCC, (2014).Google Scholar
  10. 10.
    B. Chen, R. Curtmola, G. Ateniese, R.C. Burns. Remote data checking for network coding-based distributed storage systems, in A. Perrig and R. Sion, editors, CCSW (ACM, 2010), pp. 31–42.Google Scholar
  11. 11.
    R. Curtmola, O. Khan, R. Burns, G. Ateniese. Mr-pdp: Multiple-replica provable data possession, in ICDCS, (2008).Google Scholar
  12. 12.
    Y. Dodis, S.P. Vadhan, D. Wichs. Proofs of retrievability via hardness amplification, in O. Reingold, editor, TCC 2009, vol. 5444 of LNCS (Springer, 2009), pp. 109–127.Google Scholar
  13. 13.
    C. Dwork, M. Naor, G.N. Rothblum, V. Vaikuntanathan. How efficient can memory checking be? in O. Reingold, editor, TCC 2009, vol. 5444 of LNCS (Springer, 2009), pp. 503–520.Google Scholar
  14. 14.
    C.C. Erway, A. Küpçü, C. Papamanthou, R. Tamassia. Dynamic provable data possession, in E. Al-Shaer, S. Jha, A.D. Keromytis, editors, ACM CCS 09 (ACM Press, 2009), pp. 213–222.Google Scholar
  15. 15.
    M. Etemad, A. Küpçü. Transparent, distributed, and replicated dynamic provable data possession, in ACNS (2013).Google Scholar
  16. 16.
    O. Goldreich and R. Ostrovsky. Software protection and simulation on oblivious RAMs. Journal of the ACM, 43(3):431–473, 1996.MathSciNetCrossRefzbMATHGoogle Scholar
  17. 17.
    S. Goldwasser, S. Micali, and C. Rackoff. The knowledge complexity of interactive proof systems. SIAM Journal on Computing, 18(1):186–208, 1989.MathSciNetCrossRefzbMATHGoogle Scholar
  18. 18.
    M.T. Goodrich, M. Mitzenmacher. Privacy-preserving access of outsourced data via oblivious RAM simulation, in L. Aceto, M. Henzinger, and J. Sgall, editors, ICALP 2011, Part II, vol. 6756 of LNCS (Springer, 2011), pp. 576–587.Google Scholar
  19. 19.
    M.T. Goodrich, M. Mitzenmacher, O. Ohrimenko, R. Tamassia. Oblivious RAM simulation with efficient worst-case access overhead, in CCSW (2011), pp. 95–100.Google Scholar
  20. 20.
    M.T. Goodrich, M. Mitzenmacher, O. Ohrimenko, R. Tamassia. Privacy-preserving group data access via stateless oblivious ram simulation, in SODA (2012), pp. 157–167.Google Scholar
  21. 21.
    W. Hoeffding. Probability inequalities for sums of bounded random variables. Journal of the American Statistical Association, 58(301):13–30, 1963.MathSciNetCrossRefzbMATHGoogle Scholar
  22. 22.
    A. Juels, B.S. Kaliski Jr. Pors: proofs of retrievability for large files, in P. Ning, S.D.C. di Vimercati, P.F. Syverson, editors, ACM CCS 07 (ACM Press, 2007), pp. 584–597.Google Scholar
  23. 23.
    A. Kirsch, M. Mitzenmacher, and U. Wieder. More robust hashing: Cuckoo hashing with a stash. SIAM J. Comput., 39(4):1543–1561, 2009.MathSciNetCrossRefzbMATHGoogle Scholar
  24. 24.
    A. Küpçü. Efficient Cryptography for the Next Generation Secure Cloud. Ph.D. thesis, Brown University (2010).Google Scholar
  25. 25.
    A. Küpçü. Efficient Cryptography for the Next Generation Secure Cloud: Protocols, Proofs, and Implementation. (Lambert Academic Publishing, 2010).Google Scholar
  26. 26.
    M. Naor, G.N. Rothblum. The complexity of online memory checking, in 46th FOCS (IEEE Computer Society Press, 2005), pp. 573–584.Google Scholar
  27. 27.
    R. Ostrovsky, V. Shoup. Private information storage (extended abstract), in 29th ACM STOC (ACM Press, 1997), pp. 294–303.Google Scholar
  28. 28.
    R. Pagh and F. F. Rodler. Cuckoo hashing. J. Algorithms, 51(2):122–144, 2004.MathSciNetCrossRefzbMATHGoogle Scholar
  29. 29.
    B. Pinkas, T. Reinman. Oblivious RAM revisited. In T. Rabin, editor, CRYPTO, vol. 6223 of LNCS (Springer, 2010), pp. 502–519.Google Scholar
  30. 30.
    H. Shacham, B. Waters. Compact proofs of retrievability, in J. Pieprzyk, editor, ASIACRYPT 2008, vol. 5350 of LNCS (Springer, 2008), pp. 90–107.Google Scholar
  31. 31.
    E. Shi, T.-H.H. Chan, E. Stefanov, M. Li. Oblivious ram with o((logn)3) worst-case cost, in D.H. Lee, X. Wang, editors, ASIACRYPT, vol. 7073 of Lecture Notes in Computer Science (Springer, 2011), pp. 197–214.Google Scholar
  32. 32.
    E. Shi, E. Stefanov, C. Papamanthou. Practical dynamic proofs of retrievability, in ACM CCS (2013).Google Scholar
  33. 33.
    E. Stefanov, M. van Dijk, A. Oprea, A. Juels. Iris: a scalable cloud file system with efficient integrity checks. Cryptology ePrint Archive, Report 2011/585 (2011).
  34. 34.
    E. Stefanov, M. van Dijk, E. Shi, C. Fletcher, L. Ren, X. Yu, S. Devadas. Path oram: An extremely simple oblivious ram protocol, in Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security, CCS ’13 (2013), pp. 299–310.Google Scholar
  35. 35.
    Q. Wang, C. Wang, J. Li, K. Ren, W. Lou. Enabling public verifiability and data dynamics for storage security in cloud computing. In M. Backes, P. Ning, editors, ESORICS 2009, vol. 5789 of LNCS (Springer, 2009), pp. 355–370.Google Scholar
  36. 36.
    P. Williams, R. Sion, B. Carbunar. Building castles out of mud: practical access pattern privacy and correctness on untrusted storage, in P. Ning, P.F. Syverson, S. Jha, editors, ACM CCS 08 (ACM Press, 2008), pp. 139–148.Google Scholar
  37. 37.
    C. C. Erway, A. Küpçü, C. Papamanthou, R. Tamassia. Dynamic provable data possession. ACM Trans. Inf. Syst. Secur., 17(4):15, 2015.Google Scholar

Copyright information

© International Association for Cryptologic Research 2015

Authors and Affiliations

  1. 1.Rutgers UniversityNew BrunswickUSA
  2. 2.Koç UniversityİstanbulTurkey
  3. 3.Northeastern UniversityBostonUSA

Personalised recommendations