
Forward Secret Encrypted RAM: Lower Bounds and Applications

Conference paper in: Theory of Cryptography (TCC 2021)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 13044)

Abstract

In this paper, we study forward secret encrypted RAMs (FS eRAMs) which enable clients to outsource the storage of an n-entry array to a server. In the case of a catastrophic attack where both client and server storage are compromised, FS eRAMs guarantee that the adversary may not recover any array entries that were deleted or overwritten prior to the attack. A simple folklore FS eRAM construction with \(O(\log n)\) overhead has been known for at least two decades. Unfortunately, no progress has been made since then. We show the lack of progress is fundamental by presenting an \(\varOmega (\log n)\) lower bound for FS eRAMs proving that the folklore solution is optimal. To do this, we introduce the symbolic model for proving cryptographic data structures lower bounds that may be of independent interest.

Given this limitation, we investigate applications where forward secrecy may be obtained without the additional \(O(\log n)\) overhead. We show this is possible for oblivious RAMs, memory checkers, and multicast encryption by incorporating the ideas of the folklore FS eRAM solution into carefully chosen constructions of the corresponding primitives.

The full version [5] is available as entry 2021/244 in the IACR ePrint archive.

Notes

  1. In both cases, for online MCs that access the remote storage in a deterministic and non-adaptive manner. Online MCs report any inauthentic retrieval from the server immediately, as opposed to after a long sequence of retrievals. Recall that the folklore FS eRAM construction also makes deterministic, non-adaptive accesses.

  2. In the full version [5], we briefly compare ME with a harder setting called Continuous Group Key Agreement.

  3. The model is also related to that of automated protocol verification (see e.g., [25]).

  4. Every cell of \(\mathtt{Sec}\) and \(\mathtt{Pub}\) initially contains the special empty symbol \(\bot\).

  5. All set operations specified in the definitions of \(\mathtt{Pub}(\widetilde{\mathtt{D}}_t)\), \(\mathtt{Sec}(\widetilde{\mathtt{D}}_t)\), \(Prev(\mathtt{D}_t)\), and the remainder of the proof are taken with respect to the sets containing the unique elements of the corresponding operands, ignoring cells with \(\bot\). We may in fact directly refer to these defined arrays as sets in the remainder. Although such definitions ignore duplicate cells, our lower bound proof does not need to take the number of duplicates into account.

  6. Condition \(\mathtt{D}_t[i]\in Rec(\mathtt{Sec}_t\cup \mathtt{Pub}_t)\) forces \(\varPi\) to be a proper symbolic construction.

  7. Note that we do not say \(c\not\in Rec(\mathtt{Sec}_{t}\cup \mathtt{Pub}(\widetilde{\mathtt{D}}_t))\), since for our lower bound we want to count only those strings that were actually stored in some secret cell and are erased at some time. Also, as will be seen later, any such string that we count in our lower bound must further satisfy \(c\not\in Rec(\mathtt{Sec}_{t}\cup \mathtt{Pub}(\widetilde{\mathtt{D}}_t))\).

  8. This is the case in which \(c'\) is recovered through secret share reconstruction (using \(\mathsf{C}''\cup \mathsf{C}'''\)), decryption (using keys of \(C_e\) and possibly some that can be recovered using only \(\mathtt{Pub}(\widetilde{\mathtt{D}}_t)\), along with \(\mathsf{C}''\cup \mathsf{C}'''\)), or possibly a combination of both.

  9. To be fair, we note that these works appeared before recent developments leading to \(O(\log n)\) overhead ORAMs [1, 32].

  10. Although the solution of [38] informally provides the same guarantees with a similar construction, we provide a complete formal model and construction.

  11. For online MCs that access server memory deterministically and non-adaptively.

  12. While our definition is not fully general, i.e., it does not allow for arbitrary interaction between the FS MC and server, it suffices for our optimal construction.

References

  1. Asharov, G., Komargodski, I., Lin, W.-K., Nayak, K., Peserico, E., Shi, E.: OptORAMa: optimal oblivious RAM. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020. LNCS, vol. 12106, pp. 403–432. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45724-2_14

  2. Aviram, N., Gellert, K., Jager, T.: Session resumption protocols and efficient forward security for TLS 1.3 0-RTT. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019, Part II. LNCS, vol. 11477, pp. 117–150. Springer, Heidelberg (2019). https://doi.org/10.1007/978-3-030-17656-3_5

  3. Bajaj, S., Sion, R.: Ficklebase: looking into the future to erase the past. In: 2013 IEEE 29th International Conference on Data Engineering (ICDE), pp. 86–97. IEEE (2013)

  4. Bienstock, A., Dodis, Y., Rösler, P.: On the price of concurrency in group ratcheting protocols. In: Pass, R., Pietrzak, K. (eds.) TCC 2020. LNCS, vol. 12551, pp. 198–228. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-64378-2_8

  5. Bienstock, A., Dodis, Y., Yeo, K.: Forward secret encrypted RAM: lower bounds and applications. Cryptology ePrint Archive, Report 2021/244 (2021). https://eprint.iacr.org/2021/244

  6. Blum, M., Evans, W.S., Gemmell, P., Kannan, S., Naor, M.: Checking the correctness of memories. In: 32nd FOCS, pp. 90–99. IEEE Computer Society Press, San Juan (1991)

  7. Boneh, D., Lipton, R.J.: A revocable backup system. In: USENIX Security Symposium, pp. 91–96 (1996)

  8. Boyle, E., Naor, M.: Is there an oblivious RAM lower bound? In: Proceedings of the 2016 ACM Conference on Innovations in Theoretical Computer Science, pp. 357–368 (2016)

  9. Canetti, R., Garay, J., Itkis, G., Micciancio, D., Naor, M., Pinkas, B.: Multicast security: a taxonomy and some efficient constructions. In: IEEE INFOCOM ’99. Conference on Computer Communications. Proceedings. Eighteenth Annual Joint Conference of the IEEE Computer and Communications Societies. The Future is Now (Cat. No.99CH36320), vol. 2, pp. 708–716 (1999)

  10. Canetti, R., Raghuraman, S., Richelson, S., Vaikuntanathan, V.: Chosen-ciphertext secure fully homomorphic encryption. In: Fehr, S. (ed.) PKC 2017. LNCS, vol. 10175, pp. 213–240. Springer, Heidelberg (2017). https://doi.org/10.1007/978-3-662-54388-7_8

  11. Clarke, D.E., Suh, G.E., Gassend, B., Sudan, A., van Dijk, M., Devadas, S.: Towards constant bandwidth overhead integrity checking of untrusted data. In: 2005 IEEE Symposium on Security and Privacy, pp. 139–153. IEEE Computer Society Press, Oakland (2005)

  12. Cohen, A., Holmgren, J., Nishimaki, R., Vaikuntanathan, V., Wichs, D.: Watermarking cryptographic capabilities. In: Wichs, D., Mansour, Y. (eds.) 48th ACM STOC, pp. 1115–1127. ACM Press, Cambridge (2016)

  13. Derler, D., Jager, T., Slamanig, D., Striecks, C.: Bloom filter encryption and applications to efficient forward-secret 0-RTT key exchange. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018, Part III. LNCS, vol. 10822, pp. 425–455. Springer, Heidelberg (2018). https://doi.org/10.1007/978-3-319-78372-7_14

  14. Di Crescenzo, G., Ferguson, N., Impagliazzo, R., Jakobsson, M.: How to forget a secret. In: Meinel, C., Tison, S. (eds.) STACS 1999. LNCS, vol. 1563, pp. 500–509. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-49116-3_47

  15. Dwork, C., Naor, M., Rothblum, G.N., Vaikuntanathan, V.: How efficient can memory checking be? In: Reingold, O. (ed.) TCC 2009. LNCS, vol. 5444, pp. 503–520. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-00457-5_30

  16. Geambasu, R., Kohno, T., Levy, A.A., Levy, H.M.: Vanish: increasing data privacy with self-destructing data. In: USENIX Security Symposium, vol. 316 (2009)

  17. Goldreich, O., Ostrovsky, R.: Software protection and simulation on oblivious RAMs. J. ACM (JACM) 43(3), 431–473 (1996)

  18. Goodrich, M.T., Mitzenmacher, M.: Privacy-preserving access of outsourced data via oblivious RAM simulation. In: Aceto, L., Henzinger, M., Sgall, J. (eds.) ICALP 2011. LNCS, vol. 6756, pp. 576–587. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-22012-8_46

  19. Green, M.D., Miers, I.: Forward secure asynchronous messaging from puncturable encryption. In: 2015 IEEE Symposium on Security and Privacy, pp. 305–320. IEEE Computer Society Press, San Jose (2015)

  20. Günther, F., Hale, B., Jager, T., Lauer, S.: 0-RTT key exchange with full forward secrecy. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10212, pp. 519–548. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-56617-7_18

  21. Harney, H., Muckenhirn, C.: RFC 2093: Group Key Management Protocol (GKMP) specification (1997)

  22. Harney, H., Muckenhirn, C.: RFC 2094: Group Key Management Protocol (GKMP) architecture (1997)

  23. Hubáček, P., Koucký, M., Král, K., Slívová, V.: Stronger lower bounds for online ORAM. In: Hofheinz, D., Rosen, A. (eds.) TCC 2019. LNCS, vol. 11892, pp. 264–284. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-36033-7_10

  24. Jacob, R., Larsen, K.G., Nielsen, J.B.: Lower bounds for oblivious data structures. In: Proceedings of the Thirtieth Annual ACM-SIAM Symposium on Discrete Algorithms, pp. 2439–2447. SIAM (2019)

  25. Kobeissi, N., Nicolas, G., Bhargavan, K.: Noise Explorer: fully automated modeling and verification for arbitrary Noise protocols. In: 2019 IEEE European Symposium on Security and Privacy (EuroS&P), pp. 356–370 (2019)

  26. Larsen, K.G., Nielsen, J.B.: Yes, there is an oblivious RAM lower bound! In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018. LNCS, vol. 10992, pp. 523–542. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96881-0_18

  27. Larsen, K.G., Simkin, M., Yeo, K.: Lower bounds for multi-server oblivious RAMs. Theory of Cryptography Conference (to appear) (2020)

  28. Merkle, R.C.: A certified digital signature. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 218–238. Springer, New York (1990). https://doi.org/10.1007/0-387-34805-0_21

  29. Micciancio, D., Panjwani, S.: Optimal communication complexity of generic multicast key distribution. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 153–170. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24676-3_10

  30. Mittra, S.: Iolus: a framework for scalable secure multicasting. In: Proceedings of the ACM SIGCOMM ’97 Conference on Applications, Technologies, Architectures, and Protocols for Computer Communication, SIGCOMM ’97, pp. 277–288. Association for Computing Machinery, New York (1997). https://doi.org/10.1145/263105.263179

  31. Oprea, A., Reiter, M.K.: Integrity checking in cryptographic file systems with constant trusted storage. In: Provos, N. (ed.) USENIX Security 2007, pp. 6–10. USENIX Association, Boston (2007)

  32. Patel, S., Persiano, G., Raykova, M., Yeo, K.: PanORAMa: oblivious RAM with logarithmic overhead. In: 2018 IEEE 59th Annual Symposium on Foundations of Computer Science (FOCS), pp. 871–882. IEEE (2018)

  33. Patel, S., Persiano, G., Yeo, K.: Lower bounds for encrypted multi-maps and searchable encryption in the leakage cell probe model. In: Micciancio, D., Ristenpart, T. (eds.) CRYPTO 2020. LNCS, vol. 12170, pp. 433–463. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-56784-2_15

  34. Persiano, G., Yeo, K.: Lower bounds for differentially private RAMs. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019. LNCS, vol. 11476, pp. 404–434. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17653-2_14

  35. Peterson, Z.N., Burns, R.C., Herring, J., Stubblefield, A., Rubin, A.D.: Secure deletion for a versioning file system. In: FAST, vol. 5 (2005)

  36. Pinkas, B., Reinman, T.: Oblivious RAM revisited. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 502–519. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-14623-7_27

  37. Reardon, J., Basin, D., Capkun, S.: SoK: secure data deletion. In: 2013 IEEE Symposium on Security and Privacy, pp. 301–315. IEEE (2013)

  38. Reardon, J., Ritzdorf, H., Basin, D., Capkun, S.: Secure data deletion from persistent media. In: Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security, pp. 271–284 (2013)

  39. Roche, D.S., Aviv, A., Choi, S.G.: A practical oblivious map data structure with secure deletion and history independence. In: 2016 IEEE Symposium on Security and Privacy (SP), pp. 178–197. IEEE (2016)

  40. Rompel, J.: One-way functions are necessary and sufficient for secure signatures. In: 22nd ACM STOC, pp. 387–394. ACM Press, Baltimore (1990)

  41. Sherman, A.T., McGrew, D.A.: Key establishment in large dynamic groups using one-way function trees. IEEE Trans. Softw. Eng. 29(5), 444–458 (2003)

  42. Stefanov, E., Van Dijk, M., Shi, E., Fletcher, C., Ren, L., Yu, X., Devadas, S.: Path ORAM: an extremely simple oblivious RAM protocol. In: Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security, pp. 299–310 (2013)

  43. Sun, S.-F., Sakzad, A., Steinfeld, R., Liu, J.K., Gu, D.: Public-key puncturable encryption: modular and compact constructions. In: Kiayias, A., Kohlweiss, M., Wallden, P., Zikas, V. (eds.) PKC 2020. LNCS, vol. 12110, pp. 309–338. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45374-9_11

  44. Susilo, W., Duong, D.H., Le, H.Q., Pieprzyk, J.: Puncturable encryption: a generic construction from delegatable fully key-homomorphic encryption. In: Chen, L., Li, N., Liang, K., Schneider, S. (eds.) ESORICS 2020. LNCS, vol. 12309, pp. 107–127. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-59013-0_6

  45. Wallner, D., Harder, E., Agee, R.: RFC 2627: Key management for multicast: issues and architectures (1999)

  46. Wong, C.K., Gouda, M., Lam, S.S.: Secure group communications using key graphs. In: Proceedings of the ACM SIGCOMM ’98 Conference on Applications, Technologies, Architectures, and Protocols for Computer Communication, SIGCOMM ’98, pp. 68–79. Association for Computing Machinery, New York (1998). https://doi.org/10.1145/285237.285260

  47. Yao, A.C.C.: Should tables be sorted? J. ACM (JACM) 28(3), 615–628 (1981)

Author information

Corresponding author: Alexander Bienstock.

Copyright information

© 2021 International Association for Cryptologic Research

About this paper

Cite this paper

Bienstock, A., Dodis, Y., Yeo, K. (2021). Forward Secret Encrypted RAM: Lower Bounds and Applications. In: Nissim, K., Waters, B. (eds) Theory of Cryptography. TCC 2021. Lecture Notes in Computer Science, vol. 13044. Springer, Cham. https://doi.org/10.1007/978-3-030-90456-2_3

  • DOI: https://doi.org/10.1007/978-3-030-90456-2_3

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-90455-5

  • Online ISBN: 978-3-030-90456-2

  • eBook Packages: Computer Science (R0)
