Cloud storage has rapidly become a cornerstone of many IT infrastructures, constituting a seamless solution for the backup, synchronization, and sharing of large amounts of data. Putting user data in the direct control of cloud service providers, however, raises security and privacy concerns related to the integrity of outsourced data, the accidental or intentional leakage of sensitive information, the profiling of user activities and so on. Furthermore, even if the cloud provider is trusted, users having access to outsourced files might be malicious and misbehave. These concerns are particularly serious in sensitive applications like personal health records and credit score systems.
To tackle this problem, we present , a definitional framework for Group Oblivious RAM, in which we formalize several security and privacy properties such as secrecy, integrity, anonymity, and obliviousness. allows per entry access control, as selected by the data owner. is the first framework to define such a wide range of security and privacy properties for outsourced storage. Regarding obliviousness, we tackle two different attacker models: our first definition protects against an honest-but-curious server while our second definition protects against such a server colluding with malicious clients.
In the latter model, we prove a server-side computational lower bound of where n is the number of entries in the database, i.e., every operations requires to process a constant fraction of the database. Furthermore, we present two constructions: a pure cryptographic instantiation, which achieves an amortized communication and computation complexity and a construction based on a trusted proxy with logarithmic communication and server-side computational complexity. The second construction bypasses the previously established lower bound leveraging a trusted party. Both schemes achieve secrecy, integrity, and obliviousness with respect to a server colluding with malicious clients, but not anonymity due to the deployed access control mechanism.
In the former model, we present a cryptographic system that achieves secrecy, integrity, obliviousness, and anonymity. In the process of designing an efficient construction, we developed three new, generally applicable cryptographic schemes, namely, batched zero-knowledge proof of shuffle correctness, the hash-and-proof paradigm, which even improves upon the former, and an accountability technique based on chameleon signatures, which we consider of independent interest.
We implemented our constructions in Amazon Elastic Compute Cloud (EC2) and ran a performance evaluation demonstrating the scalability and efficiency of our construction.
C.Aguilar-Melchor, J.Barrier, L.Fousse and M.-O.Killijian, XPIR: Private information retrieval for everyone, in: PETS’16, De Gruyter, 2016, pp. 155–174.
2.
M.Ajtai, Oblivious RAMs without cryptographic assumptions, in: STOC’10, ACM, 2010, pp. 181–190. doi:10.1145/1806689.1806716.
3.
I.E.Akkus, R.Chen, M.Hardt, P.Francis and J.Gehrke, Non-tracking Web analytics, in: CCS’12, ACM, 2012, pp. 687–698.
4.
D.Apon, J.Katz, E.Shi and A.Thiruvengadam, Verifiable oblivious storage, in: PKC’14, LNCS, Springer, 2014, pp. 131–148.
5.
G.Ateniese and B.de Medeiros, On the key exposure problem in Chameleon hashes, in: SCN’04, LNCS, Springer, 2004, pp. 165–179.
M.Backes, S.Lorenz, M.Maffei and K.Pecina, Anonymous Webs of trust, in: PETS’10, LNCS, Springer, 2010, pp. 130–148.
8.
M.Backes, M.Maffei and K.Pecina, Automated synthesis of privacy-preserving distributed applications, in: NDSS’12, Internet Society, 2012.
9.
F.Baldimtsi and A.Lysyanskaya, Anonymous credentials light, in: CCS’13, ACM, 2013, pp. 1087–1098. doi:10.1145/2508859.2516687.
10.
S.Bayer and J.Groth, Efficient zero-knowledge argument for correctness of a shuffle, in: EUROCRYPT’12, LNCS, Springer, 2012, pp. 263–280.
11.
M.Bellare, A.Desai, D.Pointcheval and P.Rogaway, Relations among notions of security for public-key encryption schemes, in: CRYPTO’98, LNCS, Springer, 1998, pp. 26–45.
12.
S.Benabbas, R.Gennaro and Y.Vahlis, Verifiable delegation of computation over large datasets, in: CRYPTO’11, LNCS, Springer, 2011, pp. 111–131.
13.
V.Bindschaedler, M.Naveed, X.Pan, X.Wang and Y.Huang, Practicing oblivious access on cloud storage: The gap, the fallacy, and the new way forward, in: CCS’15, ACM, 2015, pp. 837–849. doi:10.1145/2810103.2813649.
14.
BlueKrypt, Cryptograhpic Key Length Recommendation, online at www.keylength.com.
15.
E.Boyle, K.-M.Chung and R.Pass, Oblivious parallel RAM and applications, in: TCC’16, LNCS, Springer, 2016.
16.
J.Camenisch, M.Kohlweiss and C.Soriente, An accumulator based on bilinear maps and efficient revocation for anonymous credentials, in: PKC’09, LNCS, Springer, 2009, pp. 481–500.
17.
B.Carbunar and R.Sion, Regulatory compliant oblivious RAM, in: ACNS’10, LNCS, Springer, 2010, pp. 456–474.
18.
I.Carrión Señor, L.J.Fernández-Alemán and A.Toval, Are personal health records safe? A review of free Web-accessible personal health record privacy policies, J. Med. Int. Res.14(4) (2012), e114.
19.
J.L.Carter and M.N.Wegman, Universal classes of hash functions (extended abstract), in: STOC’77, ACM, 1977, pp. 106–112. doi:10.1145/800105.803400.
20.
D.Chaum, C.Crépeau and I.Damgard, Multiparty unconditionally secure protocols, in: STOC’88, ACM, 1988, pp. 11–19. doi:10.1145/62212.62214.
21.
D.L.Chaum, Untraceable electronic mail, return addresses, and digital pseudonyms, Comm. ACM24(2) (1981), 84–90. doi:10.1145/358549.358563.
22.
B.Chen, H.Lin and S.Tessaro, Oblivious parallel RAM: Improved efficiency and generic constructions, in: TCC’16, LNCS., Springer, 2016.
23.
R.Chen, I.Ekin Akkus and P.Francis, SplitX: High-performance private analytics, in: SIGCOMM’13, ACM, 2013, pp. 315–326. doi:10.1145/2486001.2486013.
24.
B.Chor, E.Kushilevitz, O.Goldreich and M.Sudan, Private information retrieval, J. ACM45(6) (1998), 965–981. doi:10.1145/293347.293350.
25.
R.Cramer, I.Damgård and B.Schoenmakers, Proofs of partial knowledge and simplified design of witness hiding protocols, in: CRYPTO’94, LNCS, Springer, 1994, pp. 174–187.
26.
R.Cramer, R.Gennaro and B.Schoenmakers, A secure and optimally efficient multi-authority election scheme, in: EUROCRYPT’97, LNCS, Springer, 1997, pp. 103–118.
27.
R.Cramer and V.Shoup, A practical public key cryptosystem provably secure against adaptive chosen ciphertext attack, in: CRYPTO’98, LNCS, Springer, 1998, pp. 13–25.
28.
C.Culnane and S.Schneider, A peered bulletin board for robust use in verifiable voting systems, in: CSF’14, IEEE Press, 2014, pp. 169–183.
29.
J.Daemen and V.Rijmen, The Design of Rijndael, AES – the Advanced Encryption Standard, Springer, 2002.
30.
D.Daglish and N.Archer, Electronic Personal Health Record Systems: A Brief Review of Privacy, Security, and Architectural Issues, World Congress on Privacy, Security, Trust and the Management of e-Business (2009), 110–120. doi:10.1109/CONGRESS.2009.14.
31.
I.Damgård, S.Meldgaard and J.B.Nielsen, Perfectly secure oblivious RAM without random oracles, in: TCC’11, LNCS, Springer, 2011, pp. 144–163.
32.
J.Dautrich, E.Stefanov and E.Shi, Burst ORAM: Minimizing ORAM response times for bursty access patterns, in: USENIX’14, USENIX Association, 2014, pp. 749–764.
33.
S.De Capitani di Vimercati, S.Foresti, S.Jajodia, S.Paraboschi and P.Samarati, Private data indexes for selective access to outsourced data, in: WPES’11, ACM, 2011, pp. 69–80.
34.
S.De Capitani di Vimercati, S.Foresti, S.Paraboschi, G.Pelosi and P.Samarati, Enforcing authorizations while protecting access confidentiality, Journal of Computer SecurityPreprint (2018), 1–33.
35.
A.De Caro, jPBC – Java Library for Pairing Based Cryptography, online at http://gas.dia.unisa.it/projects/jpbc/.
36.
A.Demers, D.Greene, C.Hauser, W.Irish, J.Larson, S.Shenker, H.Sturgis, D.Swinehart and D.Terry, Epidemic algorithms for replicated database maintenance, in: PODC’87, ACM, 1987, pp. 1–12.
37.
R.Dingledine, N.Mathewson and P.Syverson, Tor: The second-generation onion router, in: USENIX’04, USENIX Association, 2004, pp. 303–320.
38.
C.Dong and L.Chen, A fast single server private information retrieval protocol with low communication cost, in: ESORICS’14, LNCS, Vol. 8712, Springer, 2014, pp. 380–399.
39.
T.El Gamal, A public key cryptosystem and a signature scheme based on discrete logarithms, in: CRYPTO’84, LNCS, Springer, 1985, pp. 10–18.
40.
C.Erway, A.Küpçü, C.Papamanthou and R.Tamassia, Dynamic provable data possession, in: CCS’09, ACM, 2009, pp. 213–222. doi:10.1145/1653662.1653688.
41.
A.Fiat and A.Shamir, How to prove yourself: Practical solutions to identification and signature problems, in: CRYPTO’86, Springer, 1987, pp. 186–194.
42.
M.Franz, C.Carbunar, R.Sion, S.Katzenbeisser, M.Sotakova, P.Williams and A.Peter, Oblivious outsourced storage with delegation, in: FC’11, Springer, 2011, pp. 127–140.
43.
D.M.Freeman, Converting pairing-based cryptosystems from composite-order groups to prime-order groups, in: EUROCRYPT’10, LNCS, Springer, 2010, pp. 44–61.
44.
D.L.Gazzoni Filho and P.S.L.M.Barreto, Demonstrating Data Possession and Uncheatable Data Transfer, Cryptology ePrint Archive, Report 2006/150, 2006. http://eprint.iacr.org/.
45.
C.Gentry and B.Waters, Adaptive security in broadcast encryption systems (with short ciphertexts), in: EUROCRYPT’09, LNCS, Springer, 2009, pp. 171–188.
46.
O.Goldreich, S.Micali and A.Wigderson, How to play ANY mental game, in: STOC’87, ACM, 1987, pp. 218–229. doi:10.1145/28395.28420.
47.
O.Goldreich and R.Ostrovsky, Software protection and simulation on oblivious RAMs, J. ACM43(3) (1996), 431–473. doi:10.1145/233551.233553.
48.
S.Goldwasser and S.Micali, Probabilistic encryption & how to play mental poker keeping secret all partial information, in: STOC’82, ACM, 1982, pp. 365–377. doi:10.1145/800070.802212.
49.
M.T.Goodrich and M.Mitzenmacher, Privacy-preserving access of outsourced data via oblivious RAM simulation, in: ICALP’11, LNCS, Springer, 2011, pp. 576–587.
50.
M.T.Goodrich, M.Mitzenmacher, O.Ohrimenko and R.Tamassia, Privacy-preserving group data access via stateless oblivious RAM simulation, in: SODA’12, SIAM, 2012, pp. 157–167.
51.
J.Groth and A.Sahai, Efficient noninteractive proof systems for bilinear groups, SIAM J. Comp.41(5) (2012), 1193–1232. doi:10.1137/080725386.
52.
J.Heather and D.Lundin, The append-only web bulletin board, in: FAST’09, Springer, 2009, pp. 242–256.
53.
Y.Huang and I.Goldberg, Outsourced private information retrieval with pricing and access control, in: WPES’13, ACM, 2013.
54.
A.Iliev and S.W.Smith, Protecting client privacy with trusted computing at the server, IEEE Security and Privacy3(2) (2005), 20–28. doi:10.1109/MSP.2005.49.
55.
M.Islam, M.Kuzu and M.Kantarcioglu, Access pattern disclosure on searchable encryption: Ramification, attack and mitigation, in: NDSS’12, Internet Society, 2012.
56.
M.Jakobsson and A.Juels, Millimix: Mixing in Small Batches, Technical Report 99-33, DIMACS, 1999.
57.
M.Jakobsson, A.Juels and R.L.Rivest, Making mix nets robust for electronic voting by randomized partial checking, in: USENIX’02, USENIX Association, 2002, pp. 339–353.
58.
J.Katz, A.Sahai and B.Waters, Predicate encryption supporting disjunctions, polynomial equations, and inner products, in: EUROCRYPT’08, Springer, 2008, pp. 146–162.
59.
B.H,Kim and D.Lie, Caelus: Verifying the consistency of cloud services with battery-powered devices, in: S&P’15, IEEE Press, 2015, pp. 880–896.
60.
P.Korde, V.Panwar and S.Kalse, Securing Personal Health Records in Cloud using Attribute Based Encryption, Int. J. Eng. Adv. Tech. (2013).
61.
R.Küsters, T.Truderung and A.Vogt, Accountability: Definition and relationship to verifiability, in: CCS’10, ACM, 2010, pp. 526–535. doi:10.1145/1866307.1866366.
62.
M.Li, S.Yu, K.Ren and W.Lou, Securing personal health records in cloud computing: Patient-centric and fine-grained data access control in multi-owner settings, in: SECURECOMM’10, 2010.
63.
Y.Lindell and B.Pinkas, An efficient protocol for secure two-party computation in the presence of malicious adversaries, in: EUROCRYPT’07, LNCS, Springer, 2007, pp. 52–78.
64.
Y.Lindell and B.Pinkas, A proof of security of Yao’s protocol for two-party computation, J. Cryptology22(2) (2009), 161–188. doi:10.1007/s00145-008-9036-8.
65.
H.Löhr, A.-R.Sadeghi and M.Winandy, Securing the e-health cloud, in: IHI’10, ACM, 2010, pp. 220–229. doi:10.1145/1882992.1883024.
66.
J.R.Lorch, B.Parno, J.Mickens, M.Raykova and J.Schiffman, Shroud: Ensuring private access to large-scale data in the data center, in: FAST’13, USENIX Association, 2013, pp. 199–214.
67.
B.Lynn, PBC – C Library for Pairing Based Cryptography, online at http://crypto.stanford.edu/pbc/.
68.
M.Maas, E.Love, E.Stefanov, M.Tiwari, E.Shi, K.Asanovic, J.Kubiatowicz and D.Song, PHANTOM: Practical oblivious computation in a secure processor, in: CCS’13, ACM, 2013, pp. 311–324. doi:10.1145/2508859.2516692.
69.
M.Maffei, G.Malavolta, M.Reinert and D.S.Schröder, GORAM: Privacy, Access Control, and Verifiability in Group Outsourced Storage, 2014, Full version online at http://www.sps.cs.uni-saarland.de/publications/goram.pdf.
70.
M.Maffei, K.Pecina and M.Reinert, Security and privacy by declarative design, in: CSF’13, IEEE Press, 2013, pp. 81–96.
71.
T.Mayberry, E.-O.Blass and A.H.Chan, Efficient private file retrieval by combining ORAM and PIR, in: NDSS’14, Internet Society, 2013.
72.
A.Miyaji, M.Nakabayashi and S.Takano, Characterization of elliptic curve traces under FR-reduction, in: ICISC’00, LNCS, Vol. 2015, Springer, 2001, pp. 90–108.
73.
R.Ostrovsky and W.E.SkeithIII, Algebraic Lower Bounds for Computing on Encrypted Data, ECCC14(022) (2007).
74.
P.Paillier, Public-key cryptosystems based on composite degree residuosity classes, in: EUROCRYPT’99, LNCS, Springer, 1999, pp. 223–238.
75.
C.Papamanthou, E.Shi, R.Tamassia and K.Yi, Streaming authenticated data structures, in: EUROCRYPT’13, 2013.
76.
B.Pinkas and T.Reinman, Oblivious RAM revisited, in: CRYPTO’10, LNCS, Springer, 2010, pp. 502–519.
77.
R.L.Rivest, A.Shamir and L.Adleman, A method for obtaining digital signatures and public-key cryptosystems, Comm. ACM21(2) (1978), 120–126. doi:10.1145/359340.359342.
78.
D.S.Roche, A.Aviv and S.G.Choi, A practical oblivious map data structure with secure deletion and history independence, in: S&P’16, IEEE Press, 2016.
79.
C.Sahin, V.Zakhary, A.El Abbadi, H.R.Lin and S.Tessaro, TaoStore: Overcoming asynchronicity in oblivious data storage, in: S&P’16, IEEE Press, 2016.
80.
C.P.Schnorr, Efficient identification and signatures for smart cards, in: CRYPTO’89, LNCS, Springer, 1989, pp. 239–252.
81.
D.Schröder and H.Schröder, Verifiable data streaming, in: CCS’12, ACM, 2012, pp. 953–964. doi:10.1145/2382196.2382297.
82.
D.Schröder and M.Simkin, VeriStream – a framework for verifiable data streaming, in: FC’15, Springer, 2015.
83.
T.Schwarz and E.L.Miller, Store, Forget, and Check: Using Algebraic Signatures to Check Remotely Administered Storage, 2006.
84.
H.Shacham and B.Waters, Compact proofs of retrievability, in: ASIACRYPT’08, LNCS, Springer, 2008, pp. 90–107.
85.
E.Shi, T.-H.H.Chan, E.Stefanov and M.Li, Oblivious RAM with O((log n)3) worst-case cost, in: ASIACRYPT’11, LNCS, Springer, 2011, pp. 197–214.
86.
E.Stefanov and E.Shi, Multi-cloud oblivious storage, in: CCS’13, ACM, 2013, pp. 247–258. doi:10.1145/2508859.2516673.
87.
E.Stefanov and E.Shi, ObliviStore: High performance oblivious cloud storage, in: S&P’13, IEEE Press, 2013, pp. 253–267.
88.
E.Stefanov, E.Shi and D.Song, Towards practical oblivious RAM, in: NDSS’12, Internet Society, 2012.
89.
E.Stefanov, M.van Dijk, A.Oprea and A.Juels, Iris: A Scalable Cloud File System with Efficient Integrity Checks, Cryptology ePrint Archive, Report 2011/585, 2011. http://eprint.iacr.org/.
M.van Dijk, A.Juels, A.Oprea, R.L.Rivest, E.Stefanov and N.Triandopoulos, Hourglass schemes: How to prove that cloud files are encrypted, in: CCS’12, ACM, 2012, pp. 265–280.
92.
P.Williams, R.Sion and B.Carbunar, Building castles out of mud: Practical access pattern privacy and correctness on untrusted storage, in: CCS’08, ACM, 2008, pp. 139–148. doi:10.1145/1455770.1455790.
93.
P.Williams, R.Sion and A.Tomescu, PrivateFS: A parallel oblivious file system, in: CCS’12, ACM, 2012, pp. 977–988. doi:10.1145/2382196.2382299.
94.
K.T.Win, W.Susilo and Y.Mu, Personal health record systems and their security protection, J. Med. Sys.30(4) (2006), 309–315. doi:10.1007/s10916-006-9019-y.
95.
A.C.-C.Yao, How to generate and exchange secrets, in: FOCS’86, IEEE Press, 1986, pp. 162–167.
