Onion ORAM: A Constant Bandwidth Blowup Oblivious RAM

  • Srinivas Devadas
  • Marten van Dijk
  • Christopher W. FletcherEmail author
  • Ling RenEmail author
  • Elaine Shi
  • Daniel Wichs
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9563)


We present Onion ORAM, an Oblivious RAM (ORAM) with constant worst-case bandwidth blowup that leverages poly-logarithmic server computation to circumvent the logarithmic lower bound on ORAM bandwidth blowup. Our construction does not require fully homomorphic encryption, but employs an additively homomorphic encryption scheme such as the Damgård-Jurik cryptosystem, or alternatively a BGV-style somewhat homomorphic encryption scheme without bootstrapping. At the core of our construction is an ORAM scheme that has “shallow circuit depth” over the entire history of ORAM accesses. We also propose novel techniques to achieve security against a malicious server, without resorting to expensive and non-standard techniques such as SNARKs. To the best of our knowledge, Onion ORAM is the first concrete instantiation of a constant bandwidth blowup ORAM under standard assumptions (even for the semi-honest setting).


Data Block Server Computation Homomorphic Encryption Chunk Size Select Operation 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.



We thank Vinod Vaikuntanathan for helpful discussion on this work.


  1. 1.
    Apon, D., Katz, J., Shi, E., Thiruvengadam, A.: Verifiable oblivious storage. In: Krawczyk, H. (ed.) PKC 2014. LNCS, vol. 8383, pp. 131–148. Springer, Heidelberg (2014)CrossRefGoogle Scholar
  2. 2.
    Blum, M., Evans, W.S., Gemmell, P., Kannan, S., Naor, M.: Checking the correctness of memories. In: FOCS (1991)Google Scholar
  3. 3.
    Brakerski, Z., Vaikuntanathan, V.: Fully homomorphic encryption from ring-LWE and security for key dependent messages. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 505–524. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  4. 4.
    Canetti, R.: Security and composition of multiparty cryptographic protocols. J. Cryptol. 13, 143–202 (2000)MathSciNetCrossRefzbMATHGoogle Scholar
  5. 5.
    Canetti, R.: Universally composable security: a new paradigm for cryptographic protocols. In: FOCS (2001)Google Scholar
  6. 6.
    Damgard, I., Jurik, M.: A generalisation, a simplification and some applications of Paillier’s probabilistic public-key system. In: Kim, K. (ed.) PKC 2001. LNCS, vol. 1992, pp. 119–136. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  7. 7.
    Dautrich, J., Ravishankar, C.: Combining ORAM with PIR to minimize bandwidth costs. In: CODASPY (2015)Google Scholar
  8. 8.
    Dautrich, J., Stefanov, E., Shi, E.: Burst ORAM: Minimizing ORAM response times for bursty access patterns. In: USENIX Security (2014)Google Scholar
  9. 9.
    Devadas, S., van Dijk, M., Fletcher, C.W., Ren, L., Shi, E., Wichs, D.: Onion ORAM: a constant bandwidth blowup oblivious RAM. Cryptology ePrint Archive, Report 2015/005 (2015)Google Scholar
  10. 10.
    Fletcher, C., Ren, L., Kwon, A., van Dijk, M., Devadas, S.: Freecursive ORAM: [nearly] free recursion and integrity verification for position-based oblivious RAM. In: ASPLOS (2015)Google Scholar
  11. 11.
    Fletcher, C., Ren, L., Kwon, A., Van Dijk, M., Stefanov, E., Serpanos, D., Devadas, S.: A low-latency, low-area hardware oblivious RAM controller. In: FCCM (2015)Google Scholar
  12. 12.
    Fletcher, C., van Dijk, M., Devadas, S.: Secure processor architecture for encrypted computation on untrusted programs. In: STC (2012)Google Scholar
  13. 13.
    Gentry, C., Goldman, K.A., Halevi, S., Julta, C., Raykova, M., Wichs, D.: Optimizing ORAM and using it efficiently for secure computation. In: De Cristofaro, E., Wright, M. (eds.) PETS 2013. LNCS, vol. 7981, pp. 1–18. Springer, Heidelberg (2013)CrossRefGoogle Scholar
  14. 14.
    Gentry, C., Halevi, S., Jutla, C., Raykova, M.: Private database access with he-over-oram architecture. Cryptology ePrint Archive, Report 2014/345Google Scholar
  15. 15.
    Gentry, C., Halevi, S., Lu, S., Ostrovsky, R., Raykova, M., Wichs, D.: Garbled RAM revisited. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 405–422. Springer, Heidelberg (2014)CrossRefGoogle Scholar
  16. 16.
    Gentry, C., Halevi, S., Raykova, M., Wichs, D.: Outsourcing private RAM computation. In: FOCS (2014)Google Scholar
  17. 17.
    Gentry, C., Halevi, S., Smart, N.P.: Better bootstrapping in fully homomorphic encryption. In: Fischlin, M., Buchmann, J., Manulis, M. (eds.) Public Key Cryptography – PKC 2012. LNCS, vol. 7293. Springer, Heidelberg (2012)Google Scholar
  18. 18.
    Gentry, C., Wichs, D.: Separating succinct non-interactive arguments from all falsifiable assumptions. In: STOC (2011)Google Scholar
  19. 19.
    Goldreich, O.: Towards a theory of software protection and simulation on Oblivious RAMs. In: STOC (1987)Google Scholar
  20. 20.
    Goldreich, O., Ostrovsky, R.: Software protection and simulation on oblivious RAMs. J. ACM 43, 431–473 (1996)MathSciNetCrossRefzbMATHGoogle Scholar
  21. 21.
    Goodrich, M.T., Mitzenmacher, M., Ohrimenko, O., Tamassia, R.: Privacy-preserving group data access via stateless oblivious RAM simulation. In: SODA (2012)Google Scholar
  22. 22.
    Halevi, S., Shoup, V.: Bootstrapping for HElib. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 641–670. Springer, Heidelberg (2015)Google Scholar
  23. 23.
    Ishai, Y., Paskin, A.: Evaluating branching programs on encrypted data. In: Vadhan, S.P. (ed.) TCC 2007. LNCS, vol. 4392, pp. 575–594. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  24. 24.
    Keller, M., Scholl, P.: Efficient, Oblivious data structures for MPC. Cryptology ePrint Archive, Report 2014/137 (2014)Google Scholar
  25. 25.
    Kushilevitz, E., Lu, S., Ostrovsky, R.: On the (in) security of hash-based oblivious RAM and a new balancing scheme. In: SODA (2012)Google Scholar
  26. 26.
    Lindner, R., Peikert, C.: Better key sizes (and attacks) for LWE-based encryption. In: Kiayias, A. (ed.) CT-RSA 2011. LNCS, vol. 6558, pp. 319–339. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  27. 27.
    Lipmaa, H.: An oblivious transfer protocol with log-squared communication. In: Zhou, J., López, J., Deng, R.H., Bao, F. (eds.) ISC 2005. LNCS, vol. 3650, pp. 314–328. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  28. 28.
    Liu, Y. Huang, E. Shi, J. Katz, and M. Hicks. Automating efficient RAM-model secure computation. In: Oakland (2014)Google Scholar
  29. 29.
    Lorch, J.R., Parno, B., Mickens, J. W., Raykova, M., Schiffman, J.: Shroud: ensuring private access to large-scale data in the data center. In: FAST (2013)Google Scholar
  30. 30.
    Lu, S., Ostrovsky, R.: How to garble RAM programs? In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 719–734. Springer, Heidelberg (2013)CrossRefGoogle Scholar
  31. 31.
    Maas, M., Love, E., Stefanov, E., Tiwari, M., Shi, E., Asanovic, K., Kubiatowicz, J., Song, D.: Phantom: practical oblivious computation in a secure processor. In: CCS (2013)Google Scholar
  32. 32.
    Mayberry, T., Blass, E.-O., Chan, A. H.: Efficient private file retrieval by combining ORAM and PIR. In: NDSS (2014)Google Scholar
  33. 33.
    Merkle, R.C.: Protocols for public key cryptography. In: Oakland (1980)Google Scholar
  34. 34.
    Miller, A., Hicks, M., Katz, J., Shi, E.: Authenticated data structures, generically. In: POPL (2014)Google Scholar
  35. 35.
    Moataz, T., Mayberry, T., Blass, E.-O.: Constant communication oblivious RAM. Cryptology ePrint Archive, Report 2015/570 (2015)Google Scholar
  36. 36.
    Ostrovsky, R.: Efficient computation on oblivious RAMs. In: STOC (1990)Google Scholar
  37. 37.
    Paillier, P.: Public-key cryptosystems based on composite degree residuosity classes. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592. Springer, Heidelberg (1999)Google Scholar
  38. 38.
    Ren, L., Fletcher, C., Yu, X., van Dijk, M., Devadas, S.: Integrity verification for path oblivious-RAM. In: HPEC (2013)Google Scholar
  39. 39.
    Ren, L., Fletcher, C.W., Kwon, A., Stefanov, E., Shi, E., Dijk, M.V., Devadas, S.: Constants count: practical improvements to oblivious RAM. In: USENIX Security (2015)Google Scholar
  40. 40.
    Ren, L., Yu, X., Fletcher, C., van Dijk, M., Devadas, S.: Design space exploration and optimization of path oblivious RAM in secure processors. In: ISCA (2013)Google Scholar
  41. 41.
    Shi, E., Chan, T.-H.H., Stefanov, E., Li, M.: Oblivious RAM with O((logN)\(^3\)) Worst-Case Cost. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 197–214. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  42. 42.
    Stefanov, E., Shi, E.: Oblivistore: high performance oblivious cloud storage. In: S&P (2013)Google Scholar
  43. 43.
    Stefanov, E., Shi, E., Song, D.: Towards practical oblivious RAM. In: NDSS (2012)Google Scholar
  44. 44.
    Stefanov, E., van Dijk, M., Shi, E., Chan, T.-H.H., Fletcher, C., Ren, L., Yu, X., Devadas, S.: Path ORAM: an extremely simple oblivious RAM protocol. Cryptology ePrint Archive, Report 2013/280Google Scholar
  45. 45.
    Stefanov, E., van Dijk, M., Shi, E., Fletcher, C., Ren, L., Yu, X., Devadas, S.: Path ORAM: an extremely simple oblivious RAM protocol. In: CCS (2013)Google Scholar
  46. 46.
    Wang, X., Nayak, K., Liu, C., Shi, E., Stefanov, E., Huang, Y.: Oblivious data structures. In: IACR (2014)Google Scholar
  47. 47.
    Wang, X.S., Chan, T.-H.H., Shi, E.: Circuit ORAM: On tightness of the Goldreich-Ostrovsky lower bound. Cryptology ePrint Archive, Report 2014/672Google Scholar
  48. 48.
    Wang, X.S., Huang, Y., Chan, T.-H.H., Shelat, A., Shi, E.: Scoram: oblivious ram for secure computation. In: CCS (2014)Google Scholar
  49. 49.
    Williams, P., Sion, R.: Single round access privacy on outsourced storage. In: CCS (2012)Google Scholar
  50. 50.
    Williams, P., Sion, R., Tomescu, A.: Privatefs: a parallel oblivious file system. In: CCS (2012)Google Scholar
  51. 51.
    Yu, X., Fletcher, C.W., Ren, L., van Dijk, M., Devadas, S.: Generalized external interaction with tamper-resistant hardware with bounded information leakage. In: CCSW (2013)Google Scholar
  52. 52.
    Zhang, J., Ma, Q., Zhang, W., Qiao, D.: Kt-oram: a bandwidth-efficient ORAM built on k-ary tree of pir nodes. Cryptology ePrint Archive, Report 2014/624 (2014)Google Scholar

Copyright information

© International Association for Cryptologic Research 2016

Authors and Affiliations

  • Srinivas Devadas
    • 1
  • Marten van Dijk
    • 2
  • Christopher W. Fletcher
    • 1
    Email author
  • Ling Ren
    • 1
    Email author
  • Elaine Shi
    • 3
  • Daniel Wichs
    • 4
  1. 1.Massachusetts Institute of TechnologyCambridgeUSA
  2. 2.University of ConnecticutStorrsUSA
  3. 3.Cornell UniversityIthacaUSA
  4. 4.Northeastern UniversityBostonUSA

Personalised recommendations