
Asymptotically Tight Bounds for Composing ORAM with PIR

  • Ittai Abraham
  • Christopher W. Fletcher
  • Kartik Nayak (corresponding author)
  • Benny Pinkas
  • Ling Ren
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10174)

Abstract

Oblivious RAM (ORAM) is a cryptographic primitive that allows a trusted client to outsource storage to an untrusted server while hiding the client's memory access pattern from the server. The last three decades of research on ORAMs have reduced the bandwidth blowup of ORAM schemes from \(O(\sqrt{N})\) to \(O(1)\). However, all schemes that achieve a bandwidth blowup smaller than \(O(\log N)\) rely on expensive computation such as homomorphic encryption. In this paper, we achieve a sub-logarithmic bandwidth blowup of \(O(\log_{d} N)\) (where d is a free parameter) without using expensive computation. We do so by using a d-ary tree and a two-server private information retrieval (PIR) protocol based on inexpensive XOR operations at the servers. We also show an \(\Omega(\log_{cD} N)\) lower bound on bandwidth blowup in the modified model involving PIR operations, where c is the number of blocks stored by the client and D is the number of blocks on which PIR operations are performed. Our construction matches this lower bound, implying that the lower bound is tight for certain parameter ranges. Finally, we show that C-ORAM (CCS 15) and CHf-ORAM violate the lower bound. Combined with concrete attacks on C-ORAM/CHf-ORAM, we claim that there exist security flaws in these constructions.
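The abstract's building block is a two-server PIR whose server-side work is only XOR. The page does not detail how the paper composes it with the d-ary tree, so the following is an added Python example (not the paper's code or construction) of the classic two-server XOR-based PIR of Chor, Goldreich, Kushilevitz and Sudan over D replicated blocks, together with the bandwidth it costs relative to a naive download and with the non-collusion caveat made concrete. The block size, block count and replica contents are constructed for the example.

```python
import os
from typing import List, Sequence, Tuple

# Constructed parameter for this example: every block is BLOCK_SIZE bytes.
# The D blocks below stand in for the D slots on which PIR is performed.
BLOCK_SIZE = 32


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Bytewise XOR of two equal-length byte strings."""
    assert len(a) == len(b)
    return bytes(x ^ y for x, y in zip(a, b))


def pir_query(index: int, num_blocks: int) -> Tuple[List[int], List[int]]:
    """Client side: build one selection vector per server.

    q1 is a uniformly random 0/1 vector over the D block positions; q2 is q1
    with the target position flipped. Each vector on its own is uniformly
    distributed and therefore carries no information about `index`; only the
    pair does. That is exactly the two-server, non-colluding trust assumption.
    """
    if not 0 <= index < num_blocks:
        raise ValueError("index out of range")
    q1 = [b & 1 for b in os.urandom(num_blocks)]
    q2 = list(q1)
    q2[index] ^= 1
    return q1, q2


def pir_answer(database: Sequence[bytes], query: Sequence[int]) -> bytes:
    """Server side: XOR together the blocks the query selects.

    No public-key or homomorphic work, just up to D conditional XORs: the
    'inexpensive XOR operations at the servers' the abstract contrasts with
    homomorphic-encryption-based schemes.
    """
    acc = bytes(BLOCK_SIZE)
    for sel, blk in zip(query, database):
        if sel:
            acc = xor_bytes(acc, blk)
    return acc


def pir_read(index: int, db_server1: Sequence[bytes],
             db_server2: Sequence[bytes]) -> bytes:
    """Full exchange: two queries out, two one-block answers back.

    Both servers hold identical replicas. XORing the two answers cancels every
    block selected by both and leaves the one block whose selection bit
    differs, i.e. block `index`.
    """
    q1, q2 = pir_query(index, len(db_server1))
    a1 = pir_answer(db_server1, q1)
    a2 = pir_answer(db_server2, q2)
    return xor_bytes(a1, a2)


def bandwidth_bits(num_blocks: int) -> Tuple[int, int]:
    """Bits moved by one PIR read vs. naively downloading all D blocks.

    Returns (pir_bits, download_bits): PIR costs D query bits plus one block
    of answer per server, the naive approach costs D full blocks.
    """
    block_bits = 8 * BLOCK_SIZE
    return 2 * (num_blocks + block_bits), num_blocks * block_bits


def colluding_servers_recover_index(q1: Sequence[int], q2: Sequence[int]) -> int:
    """What goes wrong if the two servers compare notes.

    The XOR of the two selection vectors is the unit vector at the target
    position, so colluding servers learn the index outright. Any deployment
    of a two-server PIR or of an ORAM built on it inherits this caveat.
    """
    diff = [a ^ b for a, b in zip(q1, q2)]
    assert sum(diff) == 1
    return diff.index(1)


def sample_database(num_blocks: int) -> List[bytes]:
    """Constructed replica contents: block i is the byte value i repeated."""
    return [bytes([i]) * BLOCK_SIZE for i in range(num_blocks)]


if __name__ == "__main__":
    db = sample_database(16)
    for i in range(len(db)):
        assert pir_read(i, db, db) == db[i]
    print("every PIR read correct; (pir bits, download bits) =", bandwidth_bits(16))
```

The bandwidth figures are what make the composition attractive: reading one of D slots costs about D bits plus two blocks instead of D blocks, so a tree-ORAM bucket can be widened without paying for it in downloaded blocks. The `colluding_servers_recover_index` helper is the check to keep in mind when evaluating any scheme in this model: its security rests entirely on the two servers not sharing queries.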

Keywords

Access pattern, homomorphic encryption, private information retrieval, bandwidth overhead, zero block (keywords generated automatically by the publisher, not supplied by the authors).

Notes

Acknowledgements

We would like to thank the authors of C-ORAM (Tarik Moataz, Travis Mayberry and Erik-Oliver Blass) for discussions and input on algorithmic details of C-ORAM. We would like to thank Dahlia Malkhi, Jonathan Katz, Elaine Shi, Hubert Chan and Xiao Wang for helpful discussions on this work. This work is funded in part by NSF awards #1111599 and #1563722 and a Google Ph.D. Fellowship award.

References

  1. Ajtai, M.: Oblivious RAMs without cryptographic assumptions. In: Proceedings of the Forty-Second ACM Symposium on Theory of Computing, pp. 181–190. ACM (2010)
  2. Apon, D., Katz, J., Shi, E., Thiruvengadam, A.: Verifiable oblivious storage. In: Krawczyk, H. (ed.) PKC 2014. LNCS, vol. 8383, pp. 131–148. Springer, Heidelberg (2014). doi: 10.1007/978-3-642-54631-0_8
  3. Bindschaedler, V., Naveed, M., Pan, X., Wang, X., Huang, Y.: Practicing oblivious access on cloud storage: the gap, the fallacy, and the new way forward. In: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, pp. 837–849. ACM (2015)
  4. Boyle, E., Chung, K.-M., Pass, R.: Oblivious parallel RAM and applications. In: Kushilevitz, E., Malkin, T. (eds.) TCC 2016. LNCS, vol. 9563, pp. 175–204. Springer, Heidelberg (2016)
  5. Boyle, E., Naor, M.: Is there an oblivious RAM lower bound? In: Proceedings of the ACM Conference on Innovations in Theoretical Computer Science, pp. 357–368. ACM (2016)
  6. Cachin, C., Micali, S., Stadler, M.: Computationally private information retrieval with polylogarithmic communication. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 402–414. Springer, Heidelberg (1999). doi: 10.1007/3-540-48910-X_28
  7. Chen, B., Lin, H., Tessaro, S.: Oblivious parallel RAM: improved efficiency and generic constructions. In: Kushilevitz, E., Malkin, T. (eds.) TCC 2016. LNCS, vol. 9563, pp. 205–234. Springer, Heidelberg (2016). doi: 10.1007/978-3-662-49099-0_8
  8. Chor, B., Kushilevitz, E., Goldreich, O., Sudan, M.: Private information retrieval. J. ACM 45(6), 965–981 (1998)
  9. Chung, K.-M., Liu, Z., Pass, R.: Statistically-secure ORAM with \(\tilde{O}(\log^2 n)\) overhead. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8874, pp. 62–81. Springer, Heidelberg (2014). doi: 10.1007/978-3-662-45608-8_4
  10. Damgård, I., Meldgaard, S., Nielsen, J.B.: Perfectly secure oblivious RAM without random oracles. In: Ishai, Y. (ed.) TCC 2011. LNCS, vol. 6597, pp. 144–163. Springer, Heidelberg (2011)
  11. Dautrich, J., Stefanov, E., Shi, E.: Burst ORAM: minimizing ORAM response times for bursty access patterns. In: 23rd USENIX Security Symposium (USENIX Security 14), pp. 749–764 (2014)
  12. Devadas, S., van Dijk, M., Fletcher, C.W., Ren, L., Shi, E., Wichs, D.: Onion ORAM: a constant bandwidth blowup oblivious RAM. In: Kushilevitz, E., Malkin, T. (eds.) TCC 2016. LNCS, vol. 9563, pp. 145–174. Springer, Heidelberg (2016). doi: 10.1007/978-3-662-49099-0_6
  13. Dvir, Z., Gopi, S.: 2-server PIR with sub-polynomial communication. In: Servedio, R.A., Rubinfeld, R. (eds.) Proceedings of the Forty-Seventh Annual ACM Symposium on Theory of Computing, STOC 2015, Portland, OR, USA, 14–17 June, pp. 577–584. ACM (2015)
  14. Fletcher, C., Naveed, M., Ren, L., Shi, E., Stefanov, E.: Bucket ORAM: single online roundtrip, constant bandwidth oblivious RAM. Technical report (2015)
  15. Fletcher, C.W., van Dijk, M., Devadas, S.: A secure processor architecture for encrypted computation on untrusted programs. In: Proceedings of the Seventh ACM Workshop on Scalable Trusted Computing, pp. 3–8. ACM (2012)
  16. Fletcher, C.W., Ren, L., Kwon, A., van Dijk, M., Devadas, S.: Freecursive ORAM: [nearly] free recursion and integrity verification for position-based oblivious RAM. In: ACM SIGPLAN Notices, vol. 50, pp. 103–116. ACM (2015)
  17. Fletcher, C.W., Ren, L., Kwon, A., van Dijk, M., Stefanov, E., Serpanos, D., Devadas, S.: A low-latency, low-area hardware oblivious RAM controller. In: IEEE 23rd Annual International Symposium on Field-Programmable Custom Computing Machines (FCCM), pp. 215–222. IEEE (2015)
  18. Garg, S., Mohassel, P., Papamanthou, C.: TWORAM: round-optimal oblivious RAM with applications to searchable encryption. Cryptology ePrint Archive, Report 2015/1010 (2015)
  19. Gentry, C., Goldman, K.A., Halevi, S., Jutla, C., Raykova, M., Wichs, D.: Optimizing ORAM and using it efficiently for secure computation. In: De Cristofaro, E., Wright, M. (eds.) PETS 2013. LNCS, vol. 7981, pp. 1–18. Springer, Heidelberg (2013). doi: 10.1007/978-3-642-39077-7_1
  20. Gentry, C., Halevi, S., Jutla, C., Raykova, M.: Private database access with HE-over-ORAM architecture. In: Malkin, T., Kolesnikov, V., Lewko, A.B., Polychronakis, M. (eds.) ACNS 2015. LNCS, vol. 9092, pp. 172–191. Springer, Cham (2015). doi: 10.1007/978-3-319-28166-7_9
  21. Gentry, C., Ramzan, Z.: Single-database private information retrieval with constant communication rate. In: Caires, L., Italiano, G.F., Monteiro, L., Palamidessi, C., Yung, M. (eds.) ICALP 2005. LNCS, vol. 3580, pp. 803–815. Springer, Heidelberg (2005)
  22. Goldreich, O.: Towards a theory of software protection and simulation by oblivious RAMs. In: Proceedings of the Nineteenth Annual ACM Symposium on Theory of Computing, pp. 182–194. ACM (1987)
  23. Goldreich, O., Ostrovsky, R.: Software protection and simulation on oblivious RAMs. J. ACM 43(3), 431–473 (1996)
  24. Goodrich, M.T., Mitzenmacher, M.: Privacy-preserving access of outsourced data via oblivious RAM simulation. In: Aceto, L., Henzinger, M., Sgall, J. (eds.) ICALP 2011. LNCS, vol. 6756, pp. 576–587. Springer, Heidelberg (2011). doi: 10.1007/978-3-642-22012-8_46
  25. Goodrich, M.T., Mitzenmacher, M., Ohrimenko, O., Tamassia, R.: Privacy-preserving group data access via stateless oblivious RAM simulation. In: Proceedings of the Twenty-Third Annual ACM-SIAM Symposium on Discrete Algorithms, pp. 157–167. SIAM (2012)
  26. Keller, M., Scholl, P.: Efficient, oblivious data structures for MPC. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8874, pp. 506–525. Springer, Heidelberg (2014). doi: 10.1007/978-3-662-45608-8_27
  27. Kushilevitz, E., Lu, S., Ostrovsky, R.: On the (in)security of hash-based oblivious RAM and a new balancing scheme. In: Proceedings of the Twenty-Third Annual ACM-SIAM Symposium on Discrete Algorithms, pp. 143–156. SIAM (2012)
  28. Kushilevitz, E., Ostrovsky, R.: Replication is not needed: single database, computationally-private information retrieval. In: 38th Annual Symposium on Foundations of Computer Science, FOCS 1997, Miami Beach, Florida, USA, 19–22 October, pp. 364–373. IEEE Computer Society (1997)
  29. Lipmaa, H.: An oblivious transfer protocol with log-squared communication. In: Zhou, J., Lopez, J., Deng, R.H., Bao, F. (eds.) ISC 2005. LNCS, vol. 3650, pp. 314–328. Springer, Heidelberg (2005). doi: 10.1007/11556992_23
  30. Liu, C., Harris, A., Maas, M., Hicks, M., Tiwari, M., Shi, E.: GhostRider: a hardware-software system for memory trace oblivious computation. In: ACM SIGARCH Computer Architecture News, vol. 43, pp. 87–101. ACM (2015)
  31. Liu, C., Huang, Y., Shi, E., Katz, J., Hicks, M.: Automating efficient RAM-model secure computation. In: 2014 IEEE Symposium on Security and Privacy, pp. 623–638. IEEE (2014)
  32. Liu, C., Wang, X.S., Nayak, K., Huang, Y., Shi, E.: ObliVM: a programming framework for secure computation. In: 2015 IEEE Symposium on Security and Privacy, pp. 359–376. IEEE (2015)
  33. Lorch, J.R., Parno, B., Mickens, J., Raykova, M., Schiffman, J.: Shroud: ensuring private access to large-scale data in the data center. In: 11th USENIX Conference on File and Storage Technologies (FAST 2013), pp. 199–213 (2013)
  34. Lu, S., Ostrovsky, R.: Distributed oblivious RAM for secure two-party computation. In: Sahai, A. (ed.) TCC 2013. LNCS, vol. 7785, pp. 377–396. Springer, Heidelberg (2013)
  35. Lu, S., Ostrovsky, R.: How to garble RAM programs? In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 719–734. Springer, Heidelberg (2013). doi: 10.1007/978-3-642-38348-9_42
  36. Maas, M., Love, E., Stefanov, E., Tiwari, M., Shi, E., Asanovic, K., Kubiatowicz, J., Song, D.: PHANTOM: practical oblivious computation in a secure processor. In: Proceedings of the ACM SIGSAC Conference on Computer and Communications Security, pp. 311–324. ACM (2013)
  37. Mayberry, T., Blass, E.-O., Chan, A.H.: Efficient private file retrieval by combining ORAM and PIR. In: NDSS (2014)
  38. Mitchell, J.C., Zimmerman, J.: Data-oblivious data structures. In: Symposium on Theoretical Aspects of Computer Science (STACS) (2014)
  39. Moataz, T., Blass, E.-O., Mayberry, T.: CHf-ORAM: a constant communication ORAM without homomorphic encryption. Cryptology ePrint Archive, Report 2015/1116 (2015)
  40. Moataz, T., Mayberry, T., Blass, E.-O.: Constant communication ORAM with small blocksize. In: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, pp. 862–873. ACM (2015)
  41. Ostrovsky, R., Shoup, V.: Private information storage. In: Proceedings of the Twenty-Ninth Annual ACM Symposium on Theory of Computing, pp. 294–303. ACM (1997)
  42. Pinkas, B., Reinman, T.: Oblivious RAM revisited. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 502–519. Springer, Heidelberg (2010). doi: 10.1007/978-3-642-14623-7_27
  43. Rane, A., Lin, C., Tiwari, M.: Raccoon: closing digital side-channels through obfuscated execution. In: 24th USENIX Security Symposium (USENIX Security 15), pp. 431–446 (2015)
  44. Ren, L., Fletcher, C., Kwon, A., Stefanov, E., Shi, E., van Dijk, M., Devadas, S.: Constants count: practical improvements to oblivious RAM. In: 24th USENIX Security Symposium (USENIX Security 15), pp. 415–430 (2015)
  45. Ren, L., Fletcher, C.W., Yu, X., van Dijk, M., Devadas, S.: Integrity verification for Path ORAM. In: IEEE High Performance Extreme Computing Conference (HPEC). IEEE (2013)
  46. Ren, L., Yu, X., Fletcher, C.W., van Dijk, M., Devadas, S.: Design space exploration and optimization of Path Oblivious RAM in secure processors. In: ACM SIGARCH Computer Architecture News, vol. 41, pp. 571–582. ACM (2013)
  47. Sahin, C., Zakhary, V., El Abbadi, A., Lin, H.R., Tessaro, S.: TaoStore: overcoming asynchronicity in oblivious data storage. In: IEEE Symposium on Security and Privacy (SP) (2016)
  48. Shi, E., Chan, T.-H.H., Stefanov, E., Li, M.: Oblivious RAM with \(O((\log N)^3)\) worst-case cost. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 197–214. Springer, Heidelberg (2011). doi: 10.1007/978-3-642-25385-0_11
  49. Stefanov, E., Shi, E.: Multi-cloud oblivious storage. In: Proceedings of the 2013 ACM SIGSAC Conference on Computer and Communications Security, pp. 247–258. ACM (2013)
  50. Stefanov, E., Shi, E.: ObliviStore: high performance oblivious cloud storage. In: IEEE Symposium on Security and Privacy (SP), pp. 253–267. IEEE (2013)
  51. Stefanov, E., Shi, E., Song, D.X.: Towards practical oblivious RAM. In: NDSS. The Internet Society (2012)
  52. Stefanov, E., van Dijk, M., Shi, E., Chan, T.-H.H., Fletcher, C., Ren, L., Yu, X., Devadas, S.: Path ORAM: an extremely simple oblivious RAM protocol. Cryptology ePrint Archive, Report 2013/280, version 3 (2013). http://eprint.iacr.org/2013/280
  53. Stefanov, E., van Dijk, M., Shi, E., Fletcher, C., Ren, L., Yu, X., Devadas, S.: Path ORAM: an extremely simple oblivious RAM protocol. In: Proceedings of the ACM SIGSAC Conference on Computer and Communications Security, pp. 299–310. ACM (2013)
  54. Wang, X., Chan, H., Shi, E.: Circuit ORAM: on tightness of the Goldreich-Ostrovsky lower bound. In: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, pp. 850–861. ACM (2015)
  55. Wang, X.S., Huang, Y., Chan, T.-H.H., Shelat, A., Shi, E.: SCORAM: oblivious RAM for secure computation. In: Proceedings of the ACM SIGSAC Conference on Computer and Communications Security, CCS 2014, pp. 191–202. ACM, New York (2014)
  56. Wang, X.S., Nayak, K., Liu, C., Chan, T., Shi, E., Stefanov, E., Huang, Y.: Oblivious data structures. In: Proceedings of the ACM SIGSAC Conference on Computer and Communications Security, pp. 215–226. ACM (2014)
  57. Williams, P., Sion, R.: SR-ORAM: single round-trip oblivious RAM. In: ACNS, industrial track, pp. 19–33 (2012)
  58. Williams, P., Sion, R., Carbunar, B.: Building castles out of mud: practical access pattern privacy and correctness on untrusted storage. In: Proceedings of the 15th ACM Conference on Computer and Communications Security, pp. 139–148. ACM (2008)
  59. Williams, P., Sion, R., Tomescu, A.: PrivateFS: a parallel oblivious file system. In: Proceedings of the 2012 ACM Conference on Computer and Communications Security, pp. 977–988. ACM (2012)
  60. Zahur, S., Wang, X.S., Raykova, M., Gascón, A., Doerner, J., Evans, D., Katz, J.: Revisiting square-root ORAM: efficient random access in multi-party computation. In: IEEE Symposium on Security and Privacy, SP 2016, San Jose, CA, USA, 22–26 May, pp. 218–234 (2016)
  61. Zhang, J., Ma, Q., Zhang, W., Qiao, D.: KT-ORAM: a bandwidth-efficient ORAM built on K-ary tree of PIR nodes (2014)
  62. Zhang, J., Ma, Q., Zhang, W., Qiao, D.: MSKT-ORAM: a constant bandwidth ORAM without homomorphic encryption. IACR Cryptology ePrint Archive, Report 2016/882 (2016)

Copyright information

© International Association for Cryptologic Research 2017

Authors and Affiliations

  • Ittai Abraham, VMware Research, Herzliya, Israel
  • Christopher W. Fletcher, University of Illinois, Urbana-Champaign, USA
  • Kartik Nayak (corresponding author), University of Maryland, College Park, USA
  • Benny Pinkas, Bar-Ilan University, Ramat Gan, Israel
  • Ling Ren, MIT, Cambridge, USA
