# Onion ORAM: A Constant Bandwidth Blowup Oblivious RAM

## Abstract

We present Onion ORAM, an Oblivious RAM (ORAM) with constant worst-case bandwidth blowup that leverages poly-logarithmic server computation to circumvent the logarithmic lower bound on ORAM bandwidth blowup. Our construction does not require fully homomorphic encryption, but employs an additively homomorphic encryption scheme such as the Damgård-Jurik cryptosystem, or alternatively a BGV-style somewhat homomorphic encryption scheme without bootstrapping. At the core of our construction is an ORAM scheme that has “shallow circuit depth” over the entire history of ORAM accesses. We also propose novel techniques to achieve security against a malicious server, without resorting to expensive and non-standard techniques such as SNARKs. To the best of our knowledge, Onion ORAM is the first concrete instantiation of a constant bandwidth blowup ORAM under standard assumptions (even for the semi-honest setting).
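The server-side homomorphic select at the heart of the construction, as an added example that is not the paper's own code: a toy Paillier instance (Damgård-Jurik with s = 1) lets the server fold an encrypted one-hot vector over a bucket and return a single block, so client bandwidth no longer grows with the bucket size. The real scheme applies this to blocks that are already ciphertexts, adding a layer each time (the "onion"), which this toy omits by keeping the server's blocks in plaintext; the primes, chunk size and bucket are constructed.

```python
import random
from math import gcd

# Toy Paillier (Damgard-Jurik with s = 1). Mersenne primes keep the arithmetic
# honest but are far too small for real use: constructed parameters, not the paper's.
P, Q = 2**31 - 1, 2**61 - 1
N, N2 = P * Q, (P * Q) ** 2
LAM = (P - 1) * (Q - 1)               # any multiple of lcm(p-1, q-1) works
MU = pow(LAM % N, -1, N)              # with g = n+1, L(g^lam mod n^2) = lam mod n
CHUNK = 8                             # bytes per chunk; 2^64 < N, so a chunk is one plaintext

def encrypt(m: int) -> int:
    r = random.randrange(2, N)
    while gcd(r, N) != 1:
        r = random.randrange(2, N)
    return pow(N + 1, m, N2) * pow(r, N, N2) % N2

def decrypt(c: int) -> int:
    # L(c^lam mod n^2) * mu mod n, with L(x) = (x - 1) / n
    return (pow(c, LAM, N2) - 1) // N * MU % N

def to_chunks(block: bytes) -> list:
    return [int.from_bytes(block[i:i + CHUNK], "big") for i in range(0, len(block), CHUNK)]

def from_chunks(chunks: list) -> bytes:
    return b"".join(c.to_bytes(CHUNK, "big") for c in chunks)

def server_select(enc_onehot: list, bucket: list) -> list:
    """Server side: it never learns which slot is wanted. For each chunk
    position k it computes prod_i c_i^{b_ik} mod n^2, an encryption of
    sum_i e_i * b_ik = b_jk, i.e. chunk k of the selected block only."""
    reply = []
    for k in range(len(bucket[0])):
        acc = 1
        for c, blk in zip(enc_onehot, bucket):
            acc = acc * pow(c, blk[k], N2) % N2
        reply.append(acc)
    return reply

def client_read(bucket_plain: list, j: int) -> bytes:
    """Client side: uploads Z small ciphertexts (independent of block size)
    and downloads one block's worth of ciphertexts instead of all Z blocks."""
    onehot = [encrypt(1 if i == j else 0) for i in range(len(bucket_plain))]
    bucket = [to_chunks(b) for b in bucket_plain]        # chunks as held by the server
    return from_chunks([decrypt(c) for c in server_select(onehot, bucket)])

if __name__ == "__main__":
    bucket = [bytes([i]) * 32 for i in range(4)]         # constructed 4-slot bucket
    assert client_read(bucket, 2) == bytes([2]) * 32
    print("homomorphic select OK")
```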

## Keywords

Data Block, Server Computation, Homomorphic Encryption, Chunk Size, Select Operation

## Notes

### Acknowledgements

We thank Vinod Vaikuntanathan for helpful discussion on this work.
