# Dynamic Proofs of Retrievability Via Oblivious RAM

## Abstract

Proofs of retrievability allow a client to store her data on a remote server (e.g., “in the cloud”) and periodically execute an efficient *audit* protocol to check that all of the data are being maintained correctly and can be recovered from the server. For efficiency, the *computation* and *communication* of the server and client during an audit protocol should be significantly smaller than reading/transmitting the data in its entirety. Although the server is only asked to access a few locations of its storage during an audit, it must *maintain full knowledge of all client data* to be able to pass. Starting with the work of Juels and Kaliski (CCS ’07), all prior solutions to this problem crucially assume that the client data are *static* and do not allow it to be efficiently updated. Indeed, they all store a redundant encoding of the data on the server, so that the server must delete a large fraction of its storage to “lose” any actual content. Unfortunately, this means that even a single bit modification to the original data will need to modify a large fraction of the server storage, which makes updates highly inefficient. Overcoming this limitation was left as the main open problem by all prior works. In this work, we give the first solution providing proofs of retrievability for *dynamic* storage, where the client can perform arbitrary reads/writes on any location within her data by running an efficient protocol with the server. At any point in time, the client can execute an efficient audit protocol to ensure that the server maintains the *latest version* of the client data. The computation and communication complexity of the server and client in our protocols are only *polylogarithmic* in the size of the client’s data. The starting point of our solution is to split up the data into small blocks and redundantly encode each block of data individually, so that an update inside any data block only affects a few codeword symbols. The main difficulty is to prevent the server from identifying and deleting too many codeword symbols belonging to any single data block. We do so by hiding where the various codeword symbols for any individual data block are stored on the server and when they are being accessed by the client, using the algorithmic techniques of *oblivious RAM*.

## Keywords

Cloud storage Oblivious ram Outsourced data integrity Proof of retrievability Provable data possession## Notes

### Acknowledgments

Alptekin Küpçü would like to acknowledge the support of TÜBİTAK, the Scientific and Technological Research Council of Turkey, under project number 112E115, and European Union COST Action IC1306. David Cash and Daniel Wichs are sponsored by DARPA under agreement number FA8750-11-C-0096. The US Government is authorized to reproduce and distribute reprints for Governmental purposes notwithstanding any copyright notation thereon. The views expressed are those of the author and do not reflect the official policy or position of the Department of Defense or the US Government. Distribution Statement “A” (Approved for Public Release, Distribution Unlimited).

## References

- 1.G. Ateniese, R.C. Burns, R. Curtmola, J. Herring, L. Kissner, Z.N.J. Peterson, D. Song. Provable data possession at untrusted stores, in P. Ning, S.D.C. di Vimercati, P.F. Syverson, editors,
*ACM CCS 07*(ACM Press, 2007), pp. 598–609.Google Scholar - 2.G. Ateniese, S. Kamara, and J. Katz. Proofs of storage from homomorphic identification protocols, in M. Matsui, editor,
*ASIACRYPT 2009*, vol. 5912 of*LNCS*(Springer, 2009), pp. 319–333.Google Scholar - 3.G. Ateniese, R.D. Pietro, L.V. Mancini, G. Tsudik. Scalable and efficient provable data possession. Cryptology ePrint Archive, Report 2008/114 (2008). http://eprint.iacr.org/.
- 4.M. Bellare and O. Goldreich. On defining proofs of knowledge, in E.F. Brickell, editor,
*CRYPTO’92*, vol. 740 of*LNCS*(Springer, 1993), pp. 390–420.Google Scholar - 5.M. Blum, W.S. Evans, P. Gemmell, S. Kannan, M. Naor. Checking the correctness of memories.
*Algorithmica*, 12(2/3):225–244, (1994).MathSciNetCrossRefMATHGoogle Scholar - 6.K. D. Bowers, A. Juels, A. Oprea. HAIL: a high-availability and integrity layer for cloud storage. in E. Al-Shaer, S. Jha, A.D. Keromytis, editors,
*ACM CCS 09*(ACM Press, 2009), pp. 187–198.Google Scholar - 7.K.D. Bowers, A. Juels, A. Oprea. Proofs of retrievability: theory and implementation, in R. Sion and D. Song, editors,
*CCSW*(ACM, 2009), pp. 43–54.Google Scholar - 8.D. Cash, A. Küpçü, D. Wichs. Dynamic proofs of retrievability via oblivious ram, in
*EUROCRYPT*, (2013).Google Scholar - 9.N. Chandran, B. Kanukurthi, R. Ostrovsky. Locally updatable and locally decodable codes, in
*TCC*, (2014).Google Scholar - 10.B. Chen, R. Curtmola, G. Ateniese, R.C. Burns. Remote data checking for network coding-based distributed storage systems, in A. Perrig and R. Sion, editors,
*CCSW*(ACM, 2010), pp. 31–42.Google Scholar - 11.R. Curtmola, O. Khan, R. Burns, G. Ateniese. Mr-pdp: Multiple-replica provable data possession, in
*ICDCS*, (2008).Google Scholar - 12.Y. Dodis, S.P. Vadhan, D. Wichs. Proofs of retrievability via hardness amplification, in O. Reingold, editor,
*TCC 2009*, vol. 5444 of*LNCS*(Springer, 2009), pp. 109–127.Google Scholar - 13.C. Dwork, M. Naor, G.N. Rothblum, V. Vaikuntanathan. How efficient can memory checking be? in O. Reingold, editor,
*TCC 2009*, vol. 5444 of*LNCS*(Springer, 2009), pp. 503–520.Google Scholar - 14.C.C. Erway, A. Küpçü, C. Papamanthou, R. Tamassia. Dynamic provable data possession, in E. Al-Shaer, S. Jha, A.D. Keromytis, editors,
*ACM CCS 09*(ACM Press, 2009), pp. 213–222.Google Scholar - 15.M. Etemad, A. Küpçü. Transparent, distributed, and replicated dynamic provable data possession, in
*ACNS*(2013).Google Scholar - 16.O. Goldreich and R. Ostrovsky. Software protection and simulation on oblivious RAMs.
*Journal of the ACM*, 43(3):431–473, 1996.MathSciNetCrossRefMATHGoogle Scholar - 17.S. Goldwasser, S. Micali, and C. Rackoff. The knowledge complexity of interactive proof systems.
*SIAM Journal on Computing*, 18(1):186–208, 1989.MathSciNetCrossRefMATHGoogle Scholar - 18.M.T. Goodrich, M. Mitzenmacher. Privacy-preserving access of outsourced data via oblivious RAM simulation, in L. Aceto, M. Henzinger, and J. Sgall, editors,
*ICALP 2011, Part II*, vol. 6756 of*LNCS*(Springer, 2011), pp. 576–587.Google Scholar - 19.M.T. Goodrich, M. Mitzenmacher, O. Ohrimenko, R. Tamassia. Oblivious RAM simulation with efficient worst-case access overhead, in
*CCSW*(2011), pp. 95–100.Google Scholar - 20.M.T. Goodrich, M. Mitzenmacher, O. Ohrimenko, R. Tamassia. Privacy-preserving group data access via stateless oblivious ram simulation, in
*SODA*(2012), pp. 157–167.Google Scholar - 21.W. Hoeffding. Probability inequalities for sums of bounded random variables.
*Journal of the American Statistical Association*, 58(301):13–30, 1963.MathSciNetCrossRefMATHGoogle Scholar - 22.A. Juels, B.S. Kaliski Jr. Pors: proofs of retrievability for large files, in P. Ning, S.D.C. di Vimercati, P.F. Syverson, editors,
*ACM CCS 07*(ACM Press, 2007), pp. 584–597.Google Scholar - 23.A. Kirsch, M. Mitzenmacher, and U. Wieder. More robust hashing: Cuckoo hashing with a stash.
*SIAM J. Comput.*, 39(4):1543–1561, 2009.MathSciNetCrossRefMATHGoogle Scholar - 24.A. Küpçü.
*Efficient Cryptography for the Next Generation Secure Cloud*. Ph.D. thesis, Brown University (2010).Google Scholar - 25.A. Küpçü.
*Efficient Cryptography for the Next Generation Secure Cloud: Protocols, Proofs, and Implementation*. (Lambert Academic Publishing, 2010).Google Scholar - 26.M. Naor, G.N. Rothblum. The complexity of online memory checking, in
*46th FOCS*(IEEE Computer Society Press, 2005), pp. 573–584.Google Scholar - 27.R. Ostrovsky, V. Shoup. Private information storage (extended abstract), in
*29th ACM STOC*(ACM Press, 1997), pp. 294–303.Google Scholar - 28.R. Pagh and F. F. Rodler. Cuckoo hashing.
*J. Algorithms*, 51(2):122–144, 2004.MathSciNetCrossRefMATHGoogle Scholar - 29.B. Pinkas, T. Reinman. Oblivious RAM revisited. In T. Rabin, editor,
*CRYPTO*, vol. 6223 of*LNCS*(Springer, 2010), pp. 502–519.Google Scholar - 30.H. Shacham, B. Waters. Compact proofs of retrievability, in J. Pieprzyk, editor,
*ASIACRYPT 2008*, vol. 5350 of*LNCS*(Springer, 2008), pp. 90–107.Google Scholar - 31.E. Shi, T.-H.H. Chan, E. Stefanov, M. Li. Oblivious ram with o((logn)3) worst-case cost, in D.H. Lee, X. Wang, editors,
*ASIACRYPT*, vol. 7073 of*Lecture Notes in Computer Science*(Springer, 2011), pp. 197–214.Google Scholar - 32.E. Shi, E. Stefanov, C. Papamanthou. Practical dynamic proofs of retrievability, in
*ACM CCS*(2013).Google Scholar - 33.E. Stefanov, M. van Dijk, A. Oprea, A. Juels. Iris: a scalable cloud file system with efficient integrity checks. Cryptology ePrint Archive, Report 2011/585 (2011). http://eprint.iacr.org/.
- 34.E. Stefanov, M. van Dijk, E. Shi, C. Fletcher, L. Ren, X. Yu, S. Devadas. Path oram: An extremely simple oblivious ram protocol, in
*Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security*, CCS ’13 (2013), pp. 299–310.Google Scholar - 35.Q. Wang, C. Wang, J. Li, K. Ren, W. Lou. Enabling public verifiability and data dynamics for storage security in cloud computing. In M. Backes, P. Ning, editors,
*ESORICS 2009*, vol. 5789 of*LNCS*(Springer, 2009), pp. 355–370.Google Scholar - 36.P. Williams, R. Sion, B. Carbunar. Building castles out of mud: practical access pattern privacy and correctness on untrusted storage, in P. Ning, P.F. Syverson, S. Jha, editors,
*ACM CCS 08*(ACM Press, 2008), pp. 139–148.Google Scholar - 37.C. C. Erway, A. Küpçü, C. Papamanthou, R. Tamassia. Dynamic provable data possession.
*ACM Trans. Inf. Syst. Secur.*, 17(4):15, 2015.Google Scholar