Dynamic Proofs of Retrievability via Oblivious RAM

  • David Cash
  • Alptekin Küpçü
  • Daniel Wichs
Conference paper

DOI: 10.1007/978-3-642-38348-9_17

Part of the Lecture Notes in Computer Science book series (LNCS, volume 7881)
Cite this paper as:
Cash D., Küpçü A., Wichs D. (2013) Dynamic Proofs of Retrievability via Oblivious RAM. In: Johansson T., Nguyen P.Q. (eds) Advances in Cryptology – EUROCRYPT 2013. EUROCRYPT 2013. Lecture Notes in Computer Science, vol 7881. Springer, Berlin, Heidelberg


Proofs of retrievability allow a client to store her data on a remote server (eg., “in the cloud”) and periodically execute an efficient audit protocol to check that all of the data is being maintained correctly and can be recovered from the server. For efficiency, the computation and communication of the server and client during an audit protocol should be significantly smaller than reading/transmitting the data in its entirety. Although the server is only asked to access a few locations of its storage during an audit, it must maintain full knowledge of all client data to be able to pass.

Starting with the work of Juels and Kaliski (CCS ’07), all prior solutions require that the client data is static and do not allow it to be efficiently updated. Indeed, they store a redundant encoding of the data on the server, so that the server must delete a large fraction of its storage to ‘lose’ any actual content. Unfortunately, this means that even a single bit modification to the original data will need to modify a large fraction of the server storage, which makes updates highly inefficient.

In this work, we give the first solution providing proofs of retrievability for dynamic storage, where the client can perform arbitrary reads/writes on any location within her data by running an efficient protocol with the server. At any point in time, the client can also execute an audit protocol to ensure that the server maintains the latest version of its data. The computation and communication complexity of the server and client in our protocols is only polylogarithmic in the size of the data. Our main idea is to split up the data into small blocks and redundantly encode each block of data individually, so that an update inside any data block only affects a few codeword symbols. The main difficulty is to prevent the server from identifying and deleting too many codeword symbols belonging to any single data block. We do so by hiding where the various codeword symbols are stored on the server and when they are being accessed by the client, using the techniques of oblivious RAM.

Download to read the full conference paper text

Copyright information

© International Association for Cryptologic Research 2013

Authors and Affiliations

  • David Cash
    • 1
  • Alptekin Küpçü
    • 2
  • Daniel Wichs
    • 3
  1. 1.Rutgers UniversityUSA
  2. 2.Koç UniversityTurkey
  3. 3.Northeastern UniversityUSA

Personalised recommendations