Composable and Robust Outsourced Storage

  • Christian Badertscher
  • Ueli Maurer
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10808)


The security of data outsourcing mechanisms has become a crucial aspect of today’s IT infrastructures and they are the cryptographic foundations of real-world applications. The very fundamental goals are ensuring storage integrity and auditability, confidentiality, and access pattern hiding, as well as combinations of all of them. Despite sharing a common setting, security analyses of these tasks are often performed in a stand-alone fashion expressed in different models, which makes it hard to assess the overall security of a protocol or application involving several security schemes at once. In this work, we fill this gap and propose a composable framework suitable to capture various aspects of outsourced storage security and its applications. We instantiate the basic client-server setting in this model, where the goal of the honest client is to retain security in the presence of a malicious server. Three specific contributions of this paper are:
  1. 1.

    We present a novel definition for secure and robust outsourcing schemes and underline why this is needed in practice. Our definition is stronger than previous definitions for oblivious RAM or software protection in that it assures strong security guarantees against active attacks. Schemes meeting the definition not only assure that an attacker cannot learn the access pattern, but guarantee resilience to errors and the prevention of targeted attacks to specific locations. Unfortunately, several existing schemes cannot achieve this high level of security. For completeness, we provide a protocol based on Path ORAM that showcases that stronger security is actually achievable.

  2. 2.

    We present a novel definition for auditable storage, capturing the guarantee that a successful audit implies that the current server state allows the client to retrieve his data. We develop an audit mechanism, based on secure and robust outsourcing schemes, that is similar to the construction by Cash et al. (Eurocrpyt 2013), but is universally composable and fault-tolerant.

  3. 3.

    We revisit the security claim of a widely-used challenge-response audit mechanism, in which the server has to compute a hash H(F||c) on the file F concatenated with a uniformly random challenge c chosen by the client. Being concerned with composable security, we prove that this audit mechanism is not secure, even in the random oracle model, without additional assumptions. The composable security of this basic audit scheme was implicitly assumed in Ristenpart et al. (Eurocrypt 2011). To complete the picture, we state the additional assumptions for this audit mechanism to be provably secure and discuss the implication on practical security.



  1. 1.
    Apon, D., Katz, J., Shi, E., Thiruvengadam, A.: Verifiable oblivious storage. In: Krawczyk, H. (ed.) PKC 2014. LNCS, vol. 8383, pp. 131–148. Springer, Heidelberg (2014). CrossRefGoogle Scholar
  2. 2.
    Ateniese, G., Burns, R.C., Curtmola, R., Herring, J., Kissner, L., Peterson, Z.N.J., Song, D.X.: Provable data possession at untrusted stores. In: ACM Conference on Computer and Communications Security, pp. 598–609 (2007)Google Scholar
  3. 3.
    Ateniese, G., Dagdelen, Ö., Damgård, I., Venturi, D.: Entangled cloud storage. Future Gener. Comput. Syst. 62, 104–118 (2016)CrossRefGoogle Scholar
  4. 4.
    Badertscher, C., Maurer, U.: Composable and robust outsourced storage. Cryptology ePrint Archive, Report 2017/133 (2017). Full version of this paper
  5. 5.
    Blum, M., Evans, W.S., Gemmell, P., Kannan, S., Naor, M.: Checking the correctness of memories. Algorithmica 12(2/3), 225–244 (1994)MathSciNetCrossRefzbMATHGoogle Scholar
  6. 6.
    Camenisch, J., Enderlein, R.R., Maurer, U.: Memory erasability amplification. In: Zikas, V., De Prisco, R. (eds.) SCN 2016. LNCS, vol. 9841, pp. 104–125. Springer, Cham (2016). Google Scholar
  7. 7.
    Canetti, R.: Universally composable security: a new paradigm for cryptographic protocols. In: Proceedings of the 42nd Symposium on Foundations of Computer Science, pp. 136–145. IEEE (2001)Google Scholar
  8. 8.
    Cash, D., Küpçü, A., Wichs, D.: Dynamic proofs of retrievability via oblivious RAM. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 279–295. Springer, Heidelberg (2013). CrossRefGoogle Scholar
  9. 9.
    Goldreich, O., Ostrovsky, R.: Software protection and simulation on oblivious RAMs. J. ACM (JACM) 43(3), 431–473 (1996)MathSciNetCrossRefzbMATHGoogle Scholar
  10. 10.
    Goodrich, M.T., Mitzenmacher, M.: Privacy-preserving access of outsourced data via oblivious RAM simulation. In: Aceto, L., Henzinger, M., Sgall, J. (eds.) ICALP 2011, Part II. LNCS, vol. 6756, pp. 576–587. Springer, Heidelberg (2011). CrossRefGoogle Scholar
  11. 11.
    Halevi, S., Harnik, D., Pinkas, B., Shulman-Peleg, A.: Proofs of ownership in remote storage systems. In: Proceedings of the 18th ACM Conference on Computer and Communications Security, pp. 491–500. ACM (2011)Google Scholar
  12. 12.
    Hofheinz, D., Matt, C., Maurer, U.: Idealizing identity-based encryption. In: Iwata, T., Cheon, J.H. (eds.) ASIACRYPT 2015, Part I. LNCS, vol. 9452, pp. 495–520. Springer, Heidelberg (2015). CrossRefGoogle Scholar
  13. 13.
    Juels, A., Kaliski, B.S.: PORs: proofs of retrievability for large files. In: ACM Conference on Computer and Communications Security, pp. 584–597 (2007)Google Scholar
  14. 14.
    Keelveedhi, S., Bellare, M., Ristenpart, T.: DupLESS: server-aided encryption for deduplicated storage. Presented as Part of the 22nd USENIX Security Symposium (USENIX Security 2013), pp. 179–194 (2013)Google Scholar
  15. 15.
    Maurer, U.: Indistinguishability of random systems. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 110–132. Springer, Heidelberg (2002). CrossRefGoogle Scholar
  16. 16.
    Maurer, U.: Constructive cryptography – a new paradigm for security definitions and proofs. In: Mödersheim, S., Palamidessi, C. (eds.) TOSCA 2011. LNCS, vol. 6993, pp. 33–56. Springer, Heidelberg (2012). CrossRefGoogle Scholar
  17. 17.
    Maurer, U., Renner, R.: Abstract cryptography. In: Innovations in Theoretical Computer Science, pp. 1–21 (2011)Google Scholar
  18. 18.
    Maurer, U., Renner, R.: From indifferentiability to constructive cryptography (and back). In: Hirt, M., Smith, A. (eds.) TCC 2016-B. LNCS, vol. 9985, pp. 3–24. Springer, Heidelberg (2016). CrossRefGoogle Scholar
  19. 19.
    Naor, M., Rothblum, G.N.: The complexity of online memory checking. J. ACM 56(1), 2:1–2:46 (2009)MathSciNetCrossRefzbMATHGoogle Scholar
  20. 20.
    Ristenpart, T., Shacham, H., Shrimpton, T.: Careful with composition: limitations of the indifferentiability framework. In: Paterson, K.G. (ed.) EUROCRYPT 2011. LNCS, vol. 6632, pp. 487–506. Springer, Heidelberg (2011). CrossRefGoogle Scholar
  21. 21.
    Stefanov, E., Shi, E., Song, D.X.: Towards practical oblivious RAM. In: 19th Annual Network and Distributed System Security Symposium, NDSS 2012, San Diego, California, USA, 5–8 February 2012 (2012)Google Scholar
  22. 22.
    Stefanov, E., Van Dijk, M., Shi, E., Fletcher, C., Ren, L., Yu, X., Devadas, S.: Path ORAM: an extremely simple oblivious RAM protocol. In: Proceedings of the 2013 ACM SIGSAC Conference on Computer and Communications Security, pp. 299–310. ACM (2013)Google Scholar

Copyright information

© Springer International Publishing AG, part of Springer Nature 2018

Authors and Affiliations

  1. 1.Department of Computer ScienceETH ZürichZürichSwitzerland

Personalised recommendations