
Perfectly Secure Oblivious RAM with Sublinear Bandwidth Overhead

Conference paper in: Advances in Cryptology – ASIACRYPT 2019 (ASIACRYPT 2019)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 11922))

Abstract

Oblivious RAM (ORAM) has established itself as a fundamental cryptographic building block. Understanding which bandwidth overheads are possible under which assumptions has been the topic of a vast amount of previous works. In this work, we focus on perfectly secure ORAM and we present the first construction with sublinear bandwidth overhead in the worst-case. All prior constructions with perfect security require linear communication overhead in the worst-case and only achieve sublinear bandwidth overheads in the amortized sense. We present a fundamentally new approach for constructing ORAM and our results significantly advance our understanding of what is possible with perfect security.

Our main construction, Lookahead ORAM, is perfectly secure, has a worst-case bandwidth overhead of , and a total storage cost of on the server-side, where N is the maximum number of stored data elements. In terms of concrete server-side storage costs, our construction has the smallest storage overhead among all perfectly and statistically secure ORAMs and is only a factor 3 worse than the most storage efficient computationally secure ORAM. Assuming a client-side position map, our construction is the first, among all ORAMs with worst-case sublinear overhead, that allows for a online bandwidth overhead without server-side computation. Along the way, we construct a conceptually extremely simple statistically secure ORAM with a worst-case bandwidth overhead of , which may be of independent interest.


Notes

  1. For a larger data block size of they even achieve an overhead of data blocks.

  2. Our main construction uses randomness exclusively for the sake of security, not for efficiency. We believe this is unavoidable.

  3. Our estimate of Chan et al.’s construction is computed by instantiating it with Batcher’s bitonic sort [Bat68] and a hidden constant of 1. For our construction we took the concrete parameters one obtains assuming a server-side position map.

  4. This worst-case complexity is slightly different from the original paper. The paper has a superlinear worst-case overhead due to an expensive reshuffling phase, but when splitting the shuffling over \(\sqrt{N}\) accesses, one can achieve the stated complexity.

  5. One may even say they look matrix shaped.

References

  1. Asharov, G., Komargodski, I., Lin, W.-K., Nayak, K., Peserico, E., Shi, E.: OptORAMa: optimal oblivious RAM. Cryptology ePrint Archive, Report 2018/892 (2018). https://eprint.iacr.org/2018/892

  2. Ajtai, M., Komlós, J., Szemerédi, E.: An O(n log n) sorting network. In: Proceedings of the Fifteenth Annual ACM Symposium on Theory of Computing, STOC 1983, New York, NY, USA, pp. 1–9. ACM (1983)

  3. Apon, D., Katz, J., Shi, E., Thiruvengadam, A.: Verifiable oblivious storage. In: Krawczyk, H. (ed.) PKC 2014. LNCS, vol. 8383, pp. 131–148. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-54631-0_8

  4. Batcher, K.E.: Sorting networks and their applications. In: Proceedings of the April 30–May 2, 1968, Spring Joint Computer Conference, AFIPS 1968 (Spring), New York, NY, USA, pp. 307–314. ACM (1968)

  5. Boneh, D., Mazières, D., Popa, R.A.: Remote oblivious storage: making oblivious RAM practical (2011)

  6. Boyle, E., Naor, M.: Is there an oblivious RAM lower bound? In: Sudan, M. (ed.) ITCS 2016: 7th Conference on Innovations in Theoretical Computer Science, Cambridge, MA, USA, 14–16 January 2016, pp. 357–368. Association for Computing Machinery (2016)

  7. Chan, T.-H.H., Katz, J., Nayak, K., Polychroniadou, A., Shi, E.: More is less: perfectly secure oblivious algorithms in the multi-server setting. In: Peyrin, T., Galbraith, S. (eds.) ASIACRYPT 2018, Part III. LNCS, vol. 11274, pp. 158–188. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-03332-3_7

  8. Chan, T.-H.H., Nayak, K., Shi, E.: Perfectly secure oblivious parallel RAM. In: Beimel, A., Dziembowski, S. (eds.) TCC 2018, Part II. LNCS, vol. 11240, pp. 636–668. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-03810-6_23

  9. Devadas, S., van Dijk, M., Fletcher, C.W., Ren, L., Shi, E., Wichs, D.: Onion ORAM: a constant bandwidth blowup oblivious RAM. In: Kushilevitz, E., Malkin, T. (eds.) TCC 2016, Part II. LNCS, vol. 9563, pp. 145–174. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49099-0_6

  10. Damgård, I., Meldgaard, S., Nielsen, J.B.: Perfectly secure oblivious RAM without random oracles. In: Ishai, Y. (ed.) TCC 2011. LNCS, vol. 6597, pp. 144–163. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-19571-6_10

  11. Demertzis, I., Papadopoulos, D., Papamanthou, C.: Searchable encryption with optimal locality: achieving sublogarithmic read efficiency. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018, Part I. LNCS, vol. 10991, pp. 371–406. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96884-1_13

  12. Dautrich, J., Stefanov, E., Shi, E.: Burst ORAM: minimizing ORAM response times for bursty access patterns. In: 23rd USENIX Security Symposium (USENIX Security 14), pp. 749–764 (2014)

  13. Goodrich, M.T., Mitzenmacher, M., Ohrimenko, O., Tamassia, R.: Oblivious RAM simulation with efficient worst-case access overhead. In: Proceedings of the 3rd ACM Workshop on Cloud Computing Security Workshop, pp. 95–100. ACM (2011)

  14. Gordon, S., Miyaji, A., Su, C., Sumongkayothin, K.: M-ORAM: a matrix ORAM with log N bandwidth cost. In: Kim, H., Choi, D. (eds.) WISA 2015. LNCS, vol. 9503, pp. 3–15. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-31875-2_1

  15. Goldreich, O., Ostrovsky, R.: Software protection and simulation on oblivious RAMs. J. ACM 43(3), 431–473 (1996)

  16. Goldreich, O.: Towards a theory of software protection and simulation by oblivious RAMs. In: Aho, A. (ed.) 19th Annual ACM Symposium on Theory of Computing, New York City, NY, USA, 25–27 May 1987, pp. 182–194. ACM Press (1987)

  17. Islam, M.S., Kuzu, M., Kantarcioglu, M.: Access pattern disclosure on searchable encryption: ramification, attack and mitigation. In: ISOC Network and Distributed System Security Symposium - NDSS 2012, San Diego, CA, USA, 5–8 February 2012. The Internet Society (2012)

  18. Larsen, K.G., Nielsen, J.B.: Yes, there is an oblivious RAM lower bound! In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018, Part II. LNCS, vol. 10992, pp. 523–542. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96881-0_18

  19. Mayberry, T., Blass, E.-O., Chan, A.H.: Efficient private file retrieval by combining ORAM and PIR. In: ISOC Network and Distributed System Security Symposium - NDSS 2014, San Diego, CA, USA, 23–26 February 2014. The Internet Society (2014)

  20. Ostrovsky, R., Shoup, V.: Private information storage (extended abstract). In: 29th Annual ACM Symposium on Theory of Computing, El Paso, TX, USA, 4–6 May 1997, pp. 294–303. ACM Press (1997)

  21. Patel, S., Persiano, G., Raykova, M., Yeo, K.: PanORAMa: oblivious RAM with logarithmic overhead. In: Thorup, M. (ed.) 59th Annual Symposium on Foundations of Computer Science, Paris, France, 7–9 October 2018, pp. 871–882. IEEE Computer Society Press (2018)

  22. Ren, L., et al.: Constants count: practical improvements to oblivious RAM. In: 24th USENIX Security Symposium (USENIX Security 15), Washington, D.C., pp. 415–430. USENIX Association (2015)

  23. Shi, E., Chan, T.-H.H., Stefanov, E., Li, M.: Oblivious RAM with O((log N)^3) worst-case cost. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 197–214. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25385-0_11

  24. Stefanov, E., Shi, E., Song, D.X.: Towards practical oblivious RAM. In: ISOC Network and Distributed System Security Symposium - NDSS 2012, San Diego, CA, USA, 5–8 February 2012. The Internet Society (2012)

  25. Stefanov, E., et al.: Path ORAM: an extremely simple oblivious RAM protocol. In: Sadeghi, A.-R., Gligor, V.D., Yung, M. (eds.) ACM CCS 13: 20th Conference on Computer and Communications Security, Berlin, Germany, 4–8 November 2013, pp. 299–310. ACM Press (2013)


Acknowledgements

Michael Raskin was supported by funding from the European Research Council (ERC) under the European Union’s Horizon 2020 research and innovation programme under grant agreement No 787367 (PaVeS). Mark Simkin was supported by funding from the European Research Council (ERC) under the European Union’s Horizon 2020 research and innovation programme under grant agreements No 669255 (MPCPRO) and No 731583 (SODA).

Author information

Corresponding author: Michael Raskin

A Attack on [GMSS16]

In a work by Gordon et al. [GMSS16], the authors present an ORAM called M-ORAM. Their construction has a flaw and does not provide obliviousness. In the following, we give a high-level overview of their scheme and sketch our attack, which breaks their obliviousness claims.

The construction partitions the server-side storage into a fixed number of rows and a number of columns that depends on the dataset’s size. Every cell in this rectangular storage layout holds one data element. Additionally, every row has its own separate constant-sized stash.

Initially, all data elements are present in the storage rectangle in a randomly permuted order and the stashes are empty. Simply speaking, an access is performed by accessing one cell in each row of the data structure: in one of the rows the cell holding the desired element is read, and in every other row a cell is selected at random. More precisely, the authors state that, in order to achieve obliviousness, not all of these “dummy” cells are selected uniformly at random; some of them are cells that were already selected in the previous access. After retrieving one cell from each row, the client shuffles the retrieved blocks and puts one of them into each stash. The client then picks one random block from each stash and sends it back to the server as the new contents of the retrieved cells.

Let \(x_1, \dots , x_N \) be the data elements stored in the ORAM data structure. The access sequences \(\left( \mathsf {read}(x_1), \mathsf {read}(x_2), \mathsf {read}(x_1)\right) \) and \((\mathsf {read}(x_1), \mathsf {read}(x_2), \mathsf {read}(x_3))\) can be distinguished with a success probability that is non-negligible in the security parameter. From a high-level perspective, every access selects a subset of the cells of the data structure, and the subsets of any two consecutive accesses intersect in some random cells; this is what the re-used dummy cells are meant to hide. For three accesses the approach breaks down. In our first access sequence, the subsets of the first and the third access intersect with a slightly higher probability than in the second sequence, since the same element is accessed twice and, after the first access, its block sits in one of the cells that access retrieved (unless it remained in a stash).

We have contacted the authors and they have acknowledged our attack.
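A simulation of the three-access distinguisher, added here as an illustration; it is not code from the paper or from [GMSS16]. It models only the access procedure sketched above. The layout (4 rows, 64 columns), the seeding of every stash with one dummy block and the probability with which a dummy row re-reads the previous access’s cell are assumptions made for the simulation. The distinguisher sees nothing but the cell addresses the server is asked for. Its statistic counts cells of the third access that were also touched by the first access but not by the second, so that the cells the scheme deliberately repeats between consecutive accesses do not mask the signal; for the sequence that reads \(x_1\) twice this count is positive far more often than for three distinct reads.

```python
"""Toy simulation of the three-access distinguisher against a matrix-shaped ORAM.

Added example, not the code of [GMSS16] or of this paper.  The layout, the stash
seeding and the dummy re-use probability below are assumptions made for the
simulation; only the access procedure sketched in the text is modelled."""
import random

ROWS, COLS = 4, 64      # assumed layout: a fixed number of rows, columns grow with N
N = ROWS * COLS
REUSE_P = 0.5           # assumed: chance that a dummy row re-reads the previous access's cell
STASH_SEED = 1          # assumed: every per-row stash starts with one dummy block
DUMMY = -1


class ToyMatrixORAM:
    """One client-side ORAM instance: N elements in a ROWS x COLS grid plus one stash per row."""

    def __init__(self, rng):
        self.rng = rng
        ids = list(range(N))
        rng.shuffle(ids)                                  # random initial placement
        self.cells = [ids[r * COLS:(r + 1) * COLS] for r in range(ROWS)]
        self.pos = {}                                     # element -> ("cell", r, c) | ("stash", r)
        for r in range(ROWS):
            for c in range(COLS):
                self.pos[self.cells[r][c]] = ("cell", r, c)
        self.stash = [[DUMMY] * STASH_SEED for _ in range(ROWS)]
        self.prev_cols = None                             # columns touched by the previous access

    def access(self, elem):
        """Read `elem` and return the set of (row, col) cells the server sees being touched."""
        loc = self.pos[elem]
        cols = [None] * ROWS
        if loc[0] == "cell":                              # real row: the element's own cell
            cols[loc[1]] = loc[2]
        for r in range(ROWS):                             # dummy rows
            if cols[r] is None:
                if self.prev_cols is not None and self.rng.random() < REUSE_P:
                    cols[r] = self.prev_cols[r]           # repeat a cell of the previous access
                else:
                    cols[r] = self.rng.randrange(COLS)
        touched = [(r, cols[r]) for r in range(ROWS)]
        # retrieve one block per row, shuffle them, push one into each stash ...
        blocks = [self.cells[r][c] for r, c in touched]
        self.rng.shuffle(blocks)
        for r, b in enumerate(blocks):
            self.stash[r].append(b)
            if b != DUMMY:
                self.pos[b] = ("stash", r)
        # ... then pop a random block from each stash and write it back to the retrieved cell
        for r, c in touched:
            b = self.stash[r].pop(self.rng.randrange(len(self.stash[r])))
            self.cells[r][c] = b
            if b != DUMMY:
                self.pos[b] = ("cell", r, c)
        self.prev_cols = cols
        return set(touched)


def observed_pattern(seq, rng):
    """What the server learns from a fresh ORAM instance serving `seq`: one cell set per access."""
    oram = ToyMatrixORAM(rng)
    return [oram.access(x) for x in seq]


def statistic(pattern):
    """Cells of the 3rd access that the 1st access also touched but the 2nd did not.

    Cells shared with the immediately preceding access are expected (the scheme repeats
    them on purpose), so they are excluded; a survivor from the 1st access is the signal."""
    s1, s2, s3 = pattern
    return len((s3 & s1) - s2)


def distinguisher_rates(trials=2000, seed=1):
    """Fraction of runs in which the statistic fires for (x1,x2,x1) and for (x1,x2,x3)."""
    rng = random.Random(seed)
    x1, x2, x3 = 0, 1, 2          # element ids; their cells are randomised per instance
    hits_same = sum(statistic(observed_pattern([x1, x2, x1], rng)) >= 1 for _ in range(trials))
    hits_diff = sum(statistic(observed_pattern([x1, x2, x3], rng)) >= 1 for _ in range(trials))
    return hits_same / trials, hits_diff / trials


if __name__ == "__main__":
    same, diff = distinguisher_rates()
    print(f"P[stat>=1 | read(x1),read(x2),read(x1)] = {same:.3f}")
    print(f"P[stat>=1 | read(x1),read(x2),read(x3)] = {diff:.3f}")
    print(f"distinguishing advantage ~ {same - diff:.3f}")
```

The gap between the two rates is the distinguisher’s advantage; it stays far from zero however many trials are run, which is what “non-negligible” means in practice. Raising REUSE_P narrows the intersection of consecutive accesses but does not remove the signal, because a block written back after the first access lands in a cell of that access, and nothing in the sketched procedure moves it away before the third access unless the second access happens to touch it.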


Copyright information

© 2019 International Association for Cryptologic Research

About this paper


Cite this paper

Raskin, M., Simkin, M. (2019). Perfectly Secure Oblivious RAM with Sublinear Bandwidth Overhead. In: Galbraith, S., Moriai, S. (eds) Advances in Cryptology – ASIACRYPT 2019. ASIACRYPT 2019. Lecture Notes in Computer Science(), vol 11922. Springer, Cham. https://doi.org/10.1007/978-3-030-34621-8_19


  • DOI: https://doi.org/10.1007/978-3-030-34621-8_19


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-34620-1

  • Online ISBN: 978-3-030-34621-8
