    ObliviSync: Practical Oblivious File Backup and Synchronization

    Oblivious RAM (ORAM) protocols are powerful techniques that hide a client's data as well as access patterns from untrusted service providers. We present an oblivious cloud storage system, ObliviSync, that specifically targets one of the most widely-used personal cloud storage paradigms: synchronization and backup services, popular examples of which are Dropbox, iCloud Drive, and Google Drive. This setting provides a unique opportunity because the above privacy properties can be achieved with a simpler form of ORAM called write-only ORAM, which allows for dramatically increased efficiency compared to related work. Our solution is asymptotically optimal and practically efficient, with a small constant overhead of approximately 4x compared with non-private file storage, depending only on the total data size and parameters chosen according to the usage rate, and not on the number or size of individual files. Our construction also offers protection against timing-channel attacks, which has not been previously considered in ORAM protocols. We built and evaluated a full implementation of ObliviSync that supports multiple simultaneous read-only clients and a single concurrent read/write client whose edits automatically and seamlessly propagate to the readers. We show that our system functions under high workloads, with realistic file size distributions, and with small additional latency (as compared to a baseline encrypted file system) when paired with Dropbox as the synchronization service.
    Comment: 15 pages. Accepted to NDSS 201

    Multi-Client Oblivious RAM secure against Malicious Servers

    This paper tackles the open problem of whether an Oblivious RAM can be shared among multiple clients in the presence of a fully malicious server. Current ORAM constructions rely on clients knowing the ORAM state in order not to reveal information about their access pattern. With multiple clients, a straightforward approach requires clients to exchange updated state to maintain security. However, clients on the internet usually cannot directly communicate with each other due to NAT and firewall settings. Storing state on the server is the only option, but a malicious server can arbitrarily tamper with that information. We first extend the classical square-root ORAM by Goldreich and the hierarchical one by Goldreich and Ostrovsky to add multi-client security. We accomplish this by separating the critical portions of the access, which depend on the state of the ORAM, from the non-critical parts (cache access) that can be executed securely in any state. Our second contribution is a secure multi-client variant of Path ORAM. To enable secure metadata updates during evictions in Path ORAM, we employ our first result, small multi-client secure classical ORAMs, as a building block. Depending on the block size, the communication complexity of our multi-client secure construction reaches a low O(log N) communication complexity per client, similar to state-of-the-art single-client ORAMs.

    Practical Forward-Secure Range and Sort Queries with Update-Oblivious Linked Lists

    We revisit the problem of privacy-preserving range search and sort queries on encrypted data in the face of an untrusted data store. Our new protocol RASP has several advantages over existing work. First, RASP strengthens privacy by ensuring forward security: after a query for range [a,b], any new record added to the data store is indistinguishable from random, even if the new record falls within range [a,b]. We are able to accomplish this using only traditional hash and block cipher operations, abstaining from expensive asymmetric cryptography and bilinear pairings. Consequently, RASP is highly practical, even for large database sizes. Additionally, we require only cloud storage and not a computational cloud like related works, which can reduce monetary costs significantly. At the heart of RASP, we develop a new update-oblivious bucket-based data structure. We allow for data to be added to buckets without leaking into which bucket it has been added. As long as a bucket is not explicitly queried, the data store does not learn anything about bucket contents. Furthermore, no information is leaked about data additions following a query. Besides formally proving RASP's privacy, we also present a practical evaluation of RASP on Amazon Dynamo, demonstrating its efficiency and real-world applicability.

    Iterative Oblivious Pseudo-Random Functions and Applications

    We consider the problem of a client querying an encrypted binary tree structure, outsourced to an untrusted server. While the server must not learn the contents of the binary tree, we also want to prevent the client from maliciously crafting a query that traverses the tree out of order. That is, the client should not be able to retrieve nodes outside one contiguous path from the root to a leaf. Finally, the server should not learn which path the client accesses, but is guaranteed that the access corresponds to one valid path in the tree. This is an extension of protocols such as structured encryption, where it is only guaranteed that the tree's encrypted data remains hidden from the server. To this end, we initiate the study of Iterative Oblivious Pseudorandom Functions (iOPRFs), new primitives providing two-sided, fully malicious security for these types of applications. We present a first, efficient iOPRF construction secure against both malicious clients and servers in the standard model, based on the DDH assumption. We demonstrate that iOPRFs are useful to implement different interesting applications, including an RFID authentication protocol and a protocol for private evaluation of outsourced decision trees. Finally, we implement and evaluate our full iOPRF construction and show that it is efficient in practice.

    CHf-ORAM: A Constant Communication ORAM without Homomorphic Encryption

    Recent techniques reduce ORAM communication complexity down to constant in the number of blocks N. However, they induce expensive homomorphic encryption on both the server and the client. In this paper, we present an alternative approach, CHf-ORAM. This ORAM features constant communication complexity without homomorphic encryption, in exchange for expanding the traditional ORAM setting from a single server to multiple non-colluding servers. We show that adding as few as 4 servers allows for substantially reduced client and server computation compared to existing single-server alternatives. Our approach uses techniques from information-theoretically secure Private Information Retrieval to replace homomorphic encryption with simple XOR operations. Besides O(1) communication complexity, our construction also features O(1) client memory and a block size of only Omega(log^3 N). This leads to an ORAM which is extremely lightweight and suitable for deployment even on memory- and compute-constrained devices. Finally, CHf-ORAM features a circuit size which is constant in the block size, making it especially attractive for secure RAM computations.

    Constant Communication ORAM with Small Blocksize

    There have been several attempts recently at using homomorphic encryption to increase the efficiency of Oblivious RAM protocols. One of the most successful has been Onion ORAM, which achieves O(1) communication overhead with polylogarithmic server computation. However, it has two drawbacks. It requires a large block size of B = Omega(log^6 N) with large constants. Moreover, while it only needs polylogarithmic computation complexity, that computation consists mostly of expensive homomorphic multiplications. In this work, we address these problems and reduce the required block size to Omega(log^4 N). We remove most of the homomorphic multiplications while maintaining O(1) communication complexity. Our idea is to replace their homomorphic eviction routine with a new, much cheaper permute-and-merge eviction which eliminates homomorphic multiplications and maintains the same level of security. In turn, this removes the need for the layered encryption that Onion ORAM relies on and reduces both the minimum block size and server computation.

    Scantegrity Responds to Rice Study on Usability of the Scantegrity II Voting System

    This note is a response to, and critique of, recent work by Acemyan, Kortum, Byrne, and Wallach regarding the usability of end-to-end verifiable voting systems, and in particular, to their analysis of the usability of the Scantegrity II voting system. Their work is given in a JETS paper [Ace14] and was presented at EVT/WOTE 2014; it was also described in an associated press release [Rut14]. We find that their study lacked an appropriate control voting system with which to compare effectiveness, and thus their conclusions regarding Scantegrity II are unsupported by the evidence they present. Furthermore, their conclusions are contradicted by the successful deployment experiences of Scantegrity II at Takoma Park.

    Scantegrity II Municipal Election at Takoma Park: The First E2E Binding Governmental Election with Ballot Privacy

    On November 3, 2009, voters in Takoma Park, Maryland, cast ballots for the mayor and city council members using the Scantegrity II voting system—the first time any end-to-end (E2E) voting system with ballot privacy has been used in a binding governmental election. This case study describes the various efforts that went into the election—including the improved design and implementation of the voting system, streamlined procedures, agreements with the city, and assessments of the experiences of voters and poll workers. The election, with 1728 voters from six wards, involved paper ballots with invisible-ink confirmation codes, instant-runoff voting with write-ins, early and absentee (mail-in) voting, dual-language ballots, provisional ballots, privacy sleeves, any-which-way scanning with parallel conventional desktop scanners, end-to-end verifiability based on optional web-based voter verification of votes cast, a full hand recount, thresholded authorities, three independent outside auditors, fully-disclosed software, and exit surveys for voters and poll workers. Despite some glitches, the use of Scantegrity II was a success, demonstrating that E2E cryptographic voting systems can be effectively used and accepted by the general public.
    Funding: United States. Dept. of Defense (IASP grant H98230-08-1-0334); United States. Dept. of Defense (IASP grant H98230-09-1-0404); National Science Foundation (U.S.) (Grant no. CNS 0831149)

    Payload Hardware and Experimental Protocol for Testing the Effect of Space Microgravity on the Resistance to Gentamicin of Stationary-Phase Uropathogenic Escherichia Coli and Its Sigma (sup S)-Deficient Mutant

    Human immune response is compromised and bacteria can become more antibiotic resistant in space microgravity (MG). We report that under low-shear modeled microgravity (LSMMG), stationary-phase uropathogenic Escherichia coli (UPEC) become more resistant to gentamicin (Gm). UPEC causes urinary tract infections (UTIs), reported to afflict astronauts; Gm is a standard treatment, so these findings could impact astronaut health. Because LSMMG has been shown to differ from MG, we report here preparations to examine UPEC's Gm sensitivity during spaceflight using the E. coli Anti-Microbial Satellite (EcAMSat) on a free-flying nanosatellite in low Earth orbit. Within EcAMSat's payload, a 48-microwell fluidic card contains and supports study of bacterial cultures at constant temperature; optical absorbance changes in cell suspensions are measured at three wavelengths for each microwell, and a fluid-delivery system provides growth medium and predefined Gm concentrations. Performance characterization is reported for spaceflight prototypes of this payload system. Using conventional microtiter plates, we show that Alamar Blue (AB) absorbance changes due to cellular metabolism accurately reflect E. coli viability changes: measuring AB absorbance onboard EcAMSat will enable telemetry of spaceflight data to Earth. Laboratory results using payload prototypes are consistent with well-plate and flask findings of differential sensitivity of UPEC and its delta rpoS strain to Gm. Space MG studies using EcAMSat should clarify inconsistencies from previous space experiments on bacterial antibiotic sensitivity. Further, if sigma (sup S) plays the same role in space MG as in LSMMG and Earth gravity, EcAMSat results would facilitate utilizing our previously developed terrestrial UTI countermeasures in astronauts.