Abstract
We introduce WORM-ORAM, a first mechanism that combines Oblivious RAM (ORAM) access privacy and data confidentiality with Write Once Read Many (WORM) regulatory data retention guarantees. Clients can outsource their database to a server with full confidentiality and data access privacy, and, for data retention, the server ensures client access WORM semantics. In general simple confidentiality and WORM assurances are easily achievable e.g., via an encrypted outsourced data repository with server-enforced read-only access to existing records (albeit encrypted). However, this becomes hard when also access privacy is to be ensured – when client access patterns are necessarily hidden and the server cannot enforce access control directly. WORM-ORAM overcomes this by deploying a set of zero-knowledge proofs to convince the server that all stages of the protocol are WORM-compliant.
Chapter PDF
Similar content being viewed by others
Keywords
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.
References
National Association of Insurance Commissioners. Graham-Leach-Bliley Act (1999), http://www.naic.org/GLBA
U.S. Dept. of Health & Human Services. The Health Insurance Portability and Accountability Act (HIPAA) (1996), www.cms.gov/hipaa
U.S. Public Law 107-347. The E-Government Act (2002)
U.S. Public Law No. 107-204, 116 Stat. 745. Public Company Accounting Reform and Investor Protection Act (2002)
The U.S. Securities and Exchange Commission. Rule 17a-3&4, 17 CFR Part 240: Electronic Storage of Broker-Dealer Records (2003), http://edocket.access.gpo.gov/
The U.S. Department of Defense. Directive 5015.2: DOD Records Management Program (2002), http://www.dtic.mil/whs/directives/corres/pdf/50152std_061902/p50152s.p%df
The U.S. Department of Health and Human Services Food and Drug Administration. 21 CFR Part 11: Electronic Records and Signature Regulations (1997), http://www.fda.gov/ora/compliance_ref/part11/FRs/background/pt11finr.p%df
The U.S. Department of Education. 20 U.S.C. 1232g; 34 CFR Part 99:Family Educational Rights and Privacy Act (FERPA) (1974), http://www.ed.gov/policy/gen/guid/fpco/ferpa
The Enterprise Storage Group. Compliance: The effect on information management and the storage industry (2003), http://www.enterprisestoragegroup.com/
Enron email dataset, http://www.cs.cmu.edu/enron/
IBM Corp. IBM TotalStorage Enterprise (2007), http://www-03.ibm.com/servers/storage/
HP. WORM Data Protection Solutions (2007), http://h18006.www1.hp.com/products/storageworks/wormdps/index.html
EMC. Centera Compliance Edition Plus (2007), http://www.emc.com/centera/ , http://www.mosaictech.com/pdf_docs/emc/centera.pdf
Hitachi Data Systems. The Message Archive for Compliance Solution, Data Retention Software Utility (2007), http://www.hds.com/solutions/data_life_cycle_archiving/achievingregcomp%liance.html
Zantaz Inc. The ZANTAZ Digital Safe Product Family (2007), http://www.zantaz.com/
StorageTek Inc. VolSafe secure tape-based write once read many (WORM) storage solution (2007), http://www.storagetek.com/
Sun Microsystems. Sun StorageTek Compliance Archiving system and the Vignette Enterprise Content Management Suite (White Paper) (2007), http://www.sun.com/storagetek/white-papers/Healthcare_Sun_NAS_Vignette_EHR_080806_Final.p%df
Sun Microsystems. Sun StorageTek Compliance Archiving Software (2007), http://www.sun.com/storagetek/management_software/data_protection/comp%liance_archiving/
Network Appliance Inc. SnapLock Compliance and SnapLock Enterprise Software (2007), http://www.netapp.com/products/software/snaplock.html
Quantum Inc. DLTSage Write Once Read Many Solution (2007), http://www.quantum.com/Products/TapeDrives/DLT/SDLT600/DLTIce/Index.aspx , http://www.quantum.com/pdf/DS00232.p%df
Goldreich, O., Ostrovsky, R.: Software protection and simulation on oblivious ram. Journal of the ACM 45, 431–473 (1996)
Williams, P., Sion, R., Carbunar, B.: Building Castles out of Mud: Practical Access Pattern Privacy and Correctness on Untrusted Storage. In: ACM Conference on Computer and Communication Security, CCS (2008)
Camenisch, J., Neven, G., Shelat, A.: Simulatable adaptive oblivious transfer. In: Naor, M. (ed.) EUROCRYPT 2007. LNCS, vol. 4515, pp. 573–590. Springer, Heidelberg (2007)
Coull, S., Green, M., Hohenberger, S.: Controlling access to an oblivious database using stateful anonymous credentials. In: Jarecki, S., Tsudik, G. (eds.) Public Key Cryptography – PKC 2009. LNCS, vol. 5443, Springer, Heidelberg (2009)
Goldreich, O.: Foundations of Cryptography I. Cambridge University Press, Cambridge (2001)
Goldwasser, S., Micali, S., Rackoff, C.: The knowledge complexity of interactive proof systems. SIAM J. Comput. 18(1) (1989)
Williams, P., Sion, R., Carbunar, B.: Building castles out of mud: practical access pattern privacy and correctness on untrusted storage. In: CCS ’08: Proceedings of the 15th ACM conference on Computer and communications security (2008)
Boneh, D.: The decision diffie-hellman problem. In: Buhler, J.P. (ed.) ANTS 1998. LNCS, vol. 1423, pp. 48–63. Springer, Heidelberg (1998)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2010 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Carbunar, B., Sion, R. (2010). Regulatory Compliant Oblivious RAM. In: Zhou, J., Yung, M. (eds) Applied Cryptography and Network Security. ACNS 2010. Lecture Notes in Computer Science, vol 6123. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-13708-2_27
Download citation
DOI: https://doi.org/10.1007/978-3-642-13708-2_27
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-13707-5
Online ISBN: 978-3-642-13708-2
eBook Packages: Computer ScienceComputer Science (R0)