a590003

A
Simple Dynamic PoR with Square-Root Complexity
We sketch a very simple construction of dynamic PoR that achieves sub-linear complexity in its read, write
and audit operations. Although the scheme is asymptotically significantly worst then our PORAM solution
as described in the main body, it is significantly simpler and may be of interest for some practical parameter
settings.
The construction starts with the first dynamic PoR proposal from the introduction. To store a memory
M ∈ Σ l on the server, the client divides it into L = √ l consecutive message blocks (m 1 , . . . , m L ), each
containing L = √ l symbols. The client then encodes each of the message blocks m i using an (n = 2L, k =
L, d = L + 1)-erasure code (e.g., Reed-Solomon tolerating L erasures), to form a codeword block c i , and
concatenates the codeword blocks to form a string C = (c 1 , . . . , c L ) ∈ Σ 2l which it then stores on the server.
We can assume the code is systematic so that the message block m i resides in the first L symbols of the
corresponding codeword block c i . In addition, the client initializes a memory checking scheme [5, 23, 11],
which it uses to authenticate each of the 2l codeword symbols within C.
To read a location j ∈ [l] of memory, the client computes the index i ∈ [L] of the message block m i
containing that location, and downloads the appropriate symbol of the codeword block c i which contains
the value M[j] (here we use that the code is systematic), which it checks for authenticity via the memory
checking scheme. To write to a location j ∈ [l] the client downloads the entire corresponding codeword block
c i (checking for authenticity) decodes m i , changes the appropriate location to get an updated block m ′ i and
finally re-encodes it to get c ′ i which it then writes to the server, updating the appropriate authentication
information within the memory checking scheme. The audit protocol selects t = λ (security parameter)
random positions within every codeword block c i and checks them for authenticity via the memory checking
scheme.
The read and write protocols of this scheme each execute the memory checking read protocol to read
and write 1 and √ l symbols respectively. The audit protocol reads and checks λ √ l symbols. Assuming an
efficient (poly-logarithmic) memory checking protocol, this means actual complexity of these protocols incurs
another O(log l) factor and another constant factor increase in server storage. Therefore the complexity of
the reads, writes, and audit is O(1), O( √ l), O( √ l) respectively, ignoring factors that depend on the security
parameter or are polylogarithmic in l.
Note that the above scheme actually gives us a natural trade-off between the complexity of the writes
and the audit protocol. In particular, for any δ > 0, we can set the message block size to L 1 = l δ symbols,
so that the client memory M now consists of L 2 = l 1−δ such blocks. In this case, the complexity of reads,
writes, and audits becomes O(1), O(l δ ), O(l 1−δ ) respectively.
B
Standard Pattern Hiding for ORAM
We recall an equivalent definition to the one introduced by Goldreich and Ostrovsky [13]. Informally,
standard pattern hiding says that an (arbitrarily malicious and efficient) adversary cannot detect which
sequence of instructions a client is executing via the ORAM protocols.
Formally, for a bit b and an adversary A, we define the game ORAMGame b A
(λ) as follows:
• The attacker A(1 λ ) outputs two equal-length ORAM protocol sequences Q 0 = (op 0 , . . . , op q ), Q 1 =
(op ′ 0 , . . . , op′ q). We require that for each index j, the operations op j and op ′ j only differ in the location
they access and the values the are writing, but otherwise correspond to the same operation (read or
write).
• The challenger initializes an honest client C and server S, and sequentially executes the operations in
Q b , between C and S.
• Finally, A is given the complete transcript of all the protocol executions, and he outputs a bit ˜b, which
is the output of the game.
25
9. Dynamic Proofs of Retrievability via Oblivious RAM