Abstract
An Oblivious RAM (ORAM), introduced by Goldreich and Ostrovsky (J. ACM 1996), is a (probabilistic) RAM that hides its access pattern, i.e., for every input the observed locations accessed are similarly distributed. In recent years there has been great progress both in terms of upper bounds as well as in terms of lower bounds, essentially pinning down the smallest overhead possible in various settings of parameters.
We observe that there is a very natural setting of parameters in which no non-trivial lower bound is known, not even in restricted models of computation (like the so-called balls and bins model). Let N and \({\boldsymbol{w}}\) be the number of cells and bit-size of cells, respectively, in the RAM that we wish to simulate obliviously. Denote by \({\boldsymbol{b}}\) the cell bit-size of the ORAM. All previous ORAM lower bounds have a multiplicative \({\boldsymbol{w}}/{\boldsymbol{b}}\) factor which makes them trivial in many settings of parameters of interest.
In this work, we prove a new ORAM lower bound that captures this setting (and in all other settings it is at least as good as previous ones, quantitatively). We show that any ORAM must make (amortized)
memory probes for every logical operation. Here, m denotes the bit-size of the local storage of the ORAM. Our lower bound implies that logarithmic overhead in accesses is necessary, even if \( {\boldsymbol{b}}\gg {\boldsymbol{w}}\). Our lower bound is tight for all settings of parameters, up to the \(\log ({\boldsymbol{b}}/{\boldsymbol{w}})\) factor. Our bound also extends to the non-colluding multi-server setting.
As an application, we derive the first (unconditional) separation between the overhead needed for ORAMs in the online vs. offline models. Specifically, we show that when \({\boldsymbol{w}}=\log N\) and , there exists an offline ORAM that makes (on average) o(1) memory probes per logical operation while every online one must make \(\varOmega (\log N/\log \log N)\) memory probes per logical operation. No such previous separation was known for any setting of parameters, not even in the balls and bins model.
The full version is posted on Cryptology ePrint Archive, Report 2020/1132 [29].
Notes
- 1.
- 2. Throughout this paper, unless otherwise stated, \(\log \) stands for \(\log _2\).
- 3. In the balls and bins model, items are modeled as “balls”, CPU registers and server-side data storage locations are modeled as “bins”, and the set of allowed data operations consists only of moving balls between bins. See the full version [29] for the definition of the model.
- 4. The algorithm of Chan et al. [11] has the same asymptotic efficiency and is additionally in the balls and bins model.
- 5.
- 6. We believe that the \(\log ({\boldsymbol{b}}/{\boldsymbol{w}})\) factor is necessary in the lower bound, at least for some range of parameters. Specifically, when \({\boldsymbol{b}},m\in N^{\varTheta (1)}\) and \({\boldsymbol{w}}= \log N\), by re-parameterizing Path ORAM [50], we obtain an ORAM with O(1) I/O efficiency.
- 7. The lower bound of Persiano and Yeo [43] also loses the \({\boldsymbol{w}}/{\boldsymbol{b}}\) factor, similarly to Larsen and Nielsen. Specifically, it is \(\varOmega (({\boldsymbol{w}}/{\boldsymbol{b}}) \cdot \log (N / m))\), which is trivial if \({\boldsymbol{b}}\gg {\boldsymbol{w}}\). It is an open problem to improve their lower bound in the setting where \({\boldsymbol{b}}\gg {\boldsymbol{w}}\).
- 8. In fact, as mentioned, we will need to consider an augmented sequence that has a padding sequence of \({\mathsf {read}} \)s from some fixed address in between the \({\mathsf {write}} \) sequence and the \({\mathsf {read}} \) sequence mentioned above. This will complicate the argument slightly, so for simplicity we ignore it here.
- 9. Notice that \({\mathsf {Cells}} (Y \mid X)\) is a set of addresses, whereas \(\mathsf {Access}(X \Vert Y)\) is a sequence of addresses.
References
Abraham, I., Fletcher, C.W., Nayak, K., Pinkas, B., Ren, L.: Asymptotically tight bounds for composing ORAM with PIR. In: Fehr, S. (ed.) PKC 2017. LNCS, vol. 10174, pp. 91–120. Springer, Heidelberg (2017). https://doi.org/10.1007/978-3-662-54365-8_5
Aggarwal, A., Vitter, J.S.: The input/output complexity of sorting and related problems. Commun. ACM 31(9), 1116–1127 (1988)
Asharov, G., Komargodski, I., Lin, W.-K., Nayak, K., Peserico, E., Shi, E.: OptORAMa: optimal oblivious RAM. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020. LNCS, vol. 12106, pp. 403–432. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45724-2_14
Bindschaedler, V., Naveed, M., Pan, X., Wang, X., Huang, Y.: Practicing oblivious access on cloud storage: the gap, the fallacy, and the new way forward. In: ACM CCS, pp. 837–849 (2015)
Boyle, E., Chung, K.-M., Pass, R.: Large-scale secure computation: multi-party computation for (parallel) RAM programs. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9216, pp. 742–762. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48000-7_36
Boyle, E., Chung, K.-M., Pass, R.: Oblivious parallel RAM and applications. In: Kushilevitz, E., Malkin, T. (eds.) TCC 2016. LNCS, vol. 9563, pp. 175–204. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49099-0_7
Boyle, E., Naor, M.: Is there an oblivious RAM lower bound? In: ITCS (2016)
Cash, D., Drucker, A., Hoover, A.: A lower bound for one-round oblivious RAM. In: Pass, R., Pietrzak, K. (eds.) TCC 2020. LNCS, vol. 12550, pp. 457–485. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-64375-1_16
Cash, D., Küpçü, A., Wichs, D.: Dynamic proofs of retrievability via oblivious RAM. J. Cryptol. 30(1), 22–57 (2017)
Chan, T.-H.H., Guo, Y., Lin, W.-K., Shi, E.: Oblivious hashing revisited, and applications to asymptotically efficient ORAM and OPRAM. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017. LNCS, vol. 10624, pp. 660–690. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70694-8_23
Chan, T.H., Guo, Y., Lin, W., Shi, E.: Cache-oblivious and data-oblivious sorting and applications. In: SODA, pp. 2201–2220 (2018)
Damgård, I., Meldgaard, S., Nielsen, J.B.: Perfectly secure oblivious RAM without random oracles. In: Ishai, Y. (ed.) TCC 2011. LNCS, vol. 6597, pp. 144–163. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-19571-6_10
Devadas, S., van Dijk, M., Fletcher, C.W., Ren, L., Shi, E., Wichs, D.: Onion ORAM: a constant bandwidth blowup oblivious RAM. In: Kushilevitz, E., Malkin, T. (eds.) TCC 2016. LNCS, vol. 9563, pp. 145–174. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49099-0_6
Farhadi, A., Hajiaghayi, M., Larsen, K.G., Shi, E.: Lower bounds for external memory integer sorting via network coding. In: STOC (2019)
Fletcher, C.W., Dijk, M.V., Devadas, S.: A secure processor architecture for encrypted computation on untrusted programs. In: Proceedings of the Seventh ACM Workshop on Scalable Trusted Computing, pp. 3–8. ACM (2012)
Fletcher, C.W., Ren, L., Kwon, A., van Dijk, M., Devadas, S.: Freecursive ORAM: [nearly] free recursion and integrity verification for position-based oblivious RAM. In: ASPLOS (2015)
Floyd, R.W.: Permuting information in idealized two-level storage. In: Miller, R.E., Thatcher, J.W., Bohlinger, J.D. (eds.) Complexity of Computer Computations. The IBM Research Symposia Series, pp. 105–109. Springer, Boston (1972). https://doi.org/10.1007/978-1-4684-2001-2_10
Fredman, M.L., Saks, M.E.: The cell probe complexity of dynamic data structures. In: STOC. ACM (1989)
Gentry, C., Goldman, K.A., Halevi, S., Jutla, C.S., Raykova, M., Wichs, D.: Optimizing ORAM and using it efficiently for secure computation. In: De Cristofaro, E., Wright, M. (eds.) PETS 2013. LNCS, vol. 7981, pp. 1–18. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-39077-7_1
Gentry, C., Halevi, S., Jutla, C., Raykova, M.: Private database access with HE-over-ORAM architecture. In: Malkin, T., Kolesnikov, V., Lewko, A.B., Polychronakis, M. (eds.) ACNS 2015. LNCS, vol. 9092, pp. 172–191. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-28166-7_9
Gentry, C., Halevi, S., Raykova, M., Wichs, D.: Outsourcing private RAM computation. In: FOCS (2014)
Goldreich, O., Ostrovsky, R.: Software protection and simulation on oblivious RAMs. J. ACM 43(3), 431–473 (1996)
Goodrich, M.T.: Data-oblivious external-memory algorithms for the compaction, selection, and sorting of outsourced data. In: SPAA (2011)
Goodrich, M.T., Mitzenmacher, M.: Privacy-preserving access of outsourced data via oblivious RAM simulation. In: Aceto, L., Henzinger, M., Sgall, J. (eds.) ICALP 2011. LNCS, vol. 6756, pp. 576–587. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-22012-8_46
Gordon, S.D., et al.: Secure two-party computation in sublinear (amortized) time. In: CCS (2012)
Hubáček, P., Koucký, M., Král, K., Slívová, V.: Stronger lower bounds for online ORAM. In: Hofheinz, D., Rosen, A. (eds.) TCC 2019. LNCS, vol. 11892, pp. 264–284. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-36033-7_10
Jacob, R., Larsen, K.G., Nielsen, J.B.: Lower bounds for oblivious data structures. In: SODA (2019)
Jafargholi, Z., Larsen, K.G., Simkin, M.: Optimal oblivious priority queues. In: SODA (2021)
Komargodski, I., Lin, W.K.: A logarithmic lower bound for oblivious RAM (for all parameters). Cryptology ePrint Archive, Report 2020/1132 (2020)
Kushilevitz, E., Lu, S., Ostrovsky, R.: On the (in)security of hash-based oblivious RAM and a new balancing scheme. In: SODA (2012)
Larsen, K.G.: The cell probe complexity of dynamic range counting. In: STOC (2012)
Larsen, K.G., Malkin, T., Weinstein, O., Yeo, K.: Lower bounds for oblivious near-neighbor search. In: SODA (2020)
Larsen, K.G., Nielsen, J.B.: Yes, there is an oblivious RAM lower bound! In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018. LNCS, vol. 10992, pp. 523–542. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96881-0_18
Larsen, K.G., Simkin, M., Yeo, K.: Lower bounds for multi-server oblivious RAMs. In: Pass, R., Pietrzak, K. (eds.) TCC 2020. LNCS, vol. 12550, pp. 486–503. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-64375-1_17
Larsen, K.G., Weinstein, O., Yu, H.: Crossing the logarithmic barrier for dynamic boolean data structure lower bounds. In: 2018 Information Theory and Applications Workshop, ITA, pp. 1–40 (2018)
Lin, W., Shi, E., Xie, T.: Can we overcome the n log n barrier for oblivious sorting? In: SODA (2019)
Liu, C., Wang, X.S., Nayak, K., Huang, Y., Shi, E.: ObliVM: A programming framework for secure computation. In: IEEE S&P (2015)
Lu, S., Ostrovsky, R.: Distributed oblivious RAM for secure two-party computation. In: Sahai, A. (ed.) TCC 2013. LNCS, vol. 7785, pp. 377–396. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-36594-2_22
Maas, M., et al.: PHANTOM: practical oblivious computation in a secure processor. In: ACM CCS (2013)
Ostrovsky, R., Shoup, V.: Private information storage (extended abstract). In: STOC (1997)
Patel, S., Persiano, G., Raykova, M., Yeo, K.: PanORAMa: oblivious RAM with logarithmic overhead. In: FOCS (2018)
Patel, S., Persiano, G., Yeo, K.: Lower bounds for encrypted multi-maps and searchable encryption in the leakage cell probe model. In: Micciancio, D., Ristenpart, T. (eds.) CRYPTO 2020. LNCS, vol. 12170, pp. 433–463. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-56784-2_15
Persiano, G., Yeo, K.: Lower bounds for differentially private RAMs. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019. LNCS, vol. 11476, pp. 404–434. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17653-2_14
Pǎtraşcu, M., Demaine, E.D.: Logarithmic lower bounds in the cell-probe model. SIAM J. Comput. 35(4), 932–963 (2006)
Ren, L., et al.: Constants count: practical improvements to oblivious RAM. In: USENIX Security (2015)
Ren, L., Yu, X., Fletcher, C.W., van Dijk, M., Devadas, S.: Design space exploration and optimization of path oblivious RAM in secure processors. In: ISCA (2013)
Shi, E.: Path oblivious heap: optimal and practical oblivious priority queue. In: S&P (2020)
Shi, E., Chan, T.-H.H., Stefanov, E., Li, M.: Oblivious RAM with \(O(({\rm log}\, N)^{3})\) worst-case cost. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 197–214. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25385-0_11
Stefanov, E., et al.: Path ORAM: an extremely simple oblivious RAM protocol. J. ACM 65(4), 18:1–18:26 (2018)
Stefanov, E., et al.: Path ORAM: an extremely simple oblivious RAM protocol. In: CCS (2013)
Stefanov, E., Shi, E.: Oblivistore: high performance oblivious cloud storage. In: IEEE S&P (2013)
Stefanov, E., Shi, E., Song, D.X.: Towards practical oblivious RAM. In: NDSS (2012)
Vitter, J.S.: External memory algorithms and data structures: dealing with massive data. ACM Comput. Surv. 33(2), 209–271 (2001)
Wang, X., Chan, T.H., Shi, E.: Circuit ORAM: on tightness of the Goldreich-Ostrovsky lower bound. In: CCS (2015)
Wang, X.S., Huang, Y., Chan, T.H., Shelat, A., Shi, E.: SCORAM: oblivious RAM for secure computation. In: ACM CCS, pp. 191–202 (2014)
Wang, X.S., et al.: Oblivious data structures. In: CCS (2014)
Weiss, M., Wichs, D.: Is there an oblivious RAM lower bound for online reads? J. Cryptol. 34(3), 18 (2021)
Williams, P., Sion, R., Tomescu, A.: Privatefs: A parallel oblivious file system. In: ACM CCS (2012)
Yao, A.C.: Should tables be sorted? J. ACM 28(3), 615–628 (1981)
Zahur, S., et al.: Revisiting square-root ORAM: efficient random access in multi-party computation. In: IEEE S&P, pp. 218–234 (2016)
Acknowledgements
The first author thanks Paul Grubbs for a discussion that motivated him to look into the lower bound of [33] more closely. We also thank Elaine Shi for useful discussions. I. K. is supported in part by an Alon Young Faculty Fellowship and by an ISF grant (No. 1774/20). W.-K. L. is supported in part by a DARPA Brandeis award. This work was done partly while W.-K. L. worked at NTT Research.
© 2021 International Association for Cryptologic Research
About this paper
Cite this paper
Komargodski, I., Lin, WK. (2021). A Logarithmic Lower Bound for Oblivious RAM (for All Parameters). In: Malkin, T., Peikert, C. (eds) Advances in Cryptology – CRYPTO 2021. CRYPTO 2021. Lecture Notes in Computer Science, vol 12828. Springer, Cham. https://doi.org/10.1007/978-3-030-84259-8_20
DOI: https://doi.org/10.1007/978-3-030-84259-8_20
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-84258-1
Online ISBN: 978-3-030-84259-8
eBook Packages: Computer Science (R0)