Oblivious Secure Deletion with Bounded History Independence

We present a new secure cloud storage mechanism that combines three previously disjoint security properties: obliviousness, secure deletion, and history independence. The system maintains strong privacy guarantees against a cloud-observation attack, wherein an attacker learns all previous states of, and accesses to, the persistent cloud storage, as well as a catastrophic attack, where the decryption keys from erasable memory are also leaked. In the first scenario, the access pattern reveals nothing about the contents (obliviousness), and in both scenarios, no previously deleted data is recoverable (secure deletion), and the structure of the data leaks a bounded amount of information about previous states (history independence). To achieve these goals we developed a new oblivious-RAM with variable-size storage blocks (vORAM) and a new history independent, randomized data structure based on B-trees (HIRB tree) stored within the vORAM. We prove that the vORAM+HIRB achieves obliviousness and secure deletion. We also show that any such system must inevitably leak a bounded amount of history information, and prove that our vORAM+HIRB construction matches this lower bound, up to logarithmic factors. Our system also provides better utilization of the ORAM buckets and reduces the amount of local storage requirements by O(log n) as compared to prior work for storing map data structures. Finally, we have implemented and measured the performance of our system using Amazon Web Services for a sample password-management application that maintains the privacy of login records, addition and removal of accounts, and password changes. The empirical performance is comparable to current state of the art in ORAM technologies and greatly outperforms naive approaches that provide the same security properties.