Oblivious RAM with Worst-Case Logarithmic Overhead

  • Conference paper
Advances in Cryptology – CRYPTO 2021 (CRYPTO 2021)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 12828)

Abstract

We present the first Oblivious RAM (ORAM) construction that for N memory blocks supports accesses with worst-case \(O(\log N)\) overhead for any block size \(\varOmega (\log N)\) while requiring a client memory of only a constant number of memory blocks. We rely on the existence of one-way functions and guarantee computational security. Our result closes a long line of research on fundamental feasibility results for ORAM constructions as logarithmic overhead is necessary.

The previous best logarithmic overhead construction only guarantees it in an amortized sense, i.e., logarithmic overhead is achieved only for long enough access sequences, where some of the individual accesses incur \(\varTheta (N)\) overhead. The previously best ORAM in terms of worst-case overhead achieves \(O(\log ^2 N/\log \log N)\) overhead.

Technically, we design a novel de-amortization framework for modern ORAM constructions that use the “shuffled inputs” assumption. Our framework significantly departs from all previous de-amortization frameworks, originating from Ostrovsky and Shoup (STOC ’97), that seem to be fundamentally too weak to be applied on modern ORAM constructions.
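The gap between amortized and worst-case overhead described in the abstract can be seen in a toy cost model; this is an added example, not code or a construction from the paper. It assumes a hierarchy of levels 0..L with level j holding 2^j blocks (N = 2^L), one probe per level per access, a rebuild of level j costing 2^j units, and a binary-counter rebuild schedule; all function names are hypothetical. It only accounts for work and does not model how a partially completed rebuild stays oblivious or usable for lookups.

```python
# Toy work-accounting model of a hierarchical ORAM (constructed example).
# Assumed: levels 0..L, level j holds 2^j blocks, N = 2^L,
# each access probes every level once, rebuilding level j costs 2^j units.

def trailing_zeros(t):
    """Index of the lowest set bit of t (t >= 1)."""
    return (t & -t).bit_length() - 1

def amortized_costs(L, T):
    """Per-access work when a rebuild runs entirely on the access that triggers it."""
    costs = []
    for t in range(1, T + 1):
        j = min(trailing_zeros(t), L)      # level rebuilt after access t
        costs.append((L + 1) + 2 ** j)     # probes + the whole rebuild at once
    return costs

def spread_costs(L, T):
    """Same total rebuild work, paid one unit per access over the
    2^j accesses that lead up to the rebuild's deadline."""
    costs = [L + 1] * T                    # probes only, to start with
    for t in range(1, T + 1):
        j = min(trailing_zeros(t), L)
        for s in range(t - 2 ** j, t):     # accesses t-2^j+1 .. t (0-based s)
            costs[s] += 1
    return costs

def summarize(costs):
    """Return (worst single access, average per access)."""
    return max(costs), sum(costs) / len(costs)

if __name__ == "__main__":
    L = 10                                 # N = 1024 blocks
    T = 2 ** L
    print("all-at-once rebuilds (worst, mean):", summarize(amortized_costs(L, T)))
    print("spread rebuilds      (worst, mean):", summarize(spread_costs(L, T)))
```

With L = 10 the average is the same in both schedules, while the worst single access drops from about N to about 2(L + 1).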


Notes

  1. The lower bounds of [23, 25] only apply to “online” ORAMs which support operations that come in an online fashion, one by one. These lower bounds even apply to computationally secure constructions. There is a logarithmic lower bound for “offline” ORAMs which see the whole set of operations ahead of time due to Goldreich and Ostrovsky [17], but it only applies to statistically secure constructions in the balls-and-bins model (see Boyle and Naor [5]).

  2. Here we ignore tree-based constructions [32, 33, 37] since it is not known how to use them to get even amortized logarithmic overhead.

  3. The actual number of real blocks may be smaller if the requests keep asking for the same block or a small set of blocks. The maximum load is achieved when the ORAM requests cycle through addresses \(1, 2, \ldots , N\) in a round-robin fashion.

  4. One could easily modify our algorithm to work more generally for a list \(X_2\) of size m which has at least n dummies and result with an array of size m. We chose to be concrete for simplicity.

  5. Note that this implies that we run \({\mathsf{poly}} \log \log N\) work per access for the first level.

References

  1. Ajtai, M., Komlós, J., Szemerédi, E.: An \(O(n \log n)\) sorting network. In: ACM STOC, pp. 1–9 (1983)

  2. Asharov, G., Komargodski, I., Lin, W.-K., Nayak, K., Peserico, E., Shi, E.: OptORAMa: optimal oblivious RAM. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020. LNCS, vol. 12106, pp. 403–432. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45724-2_14

  3. Asharov, G., Komargodski, I., Lin, W., Peserico, E., Shi, E.: Optimal oblivious parallel RAM. IACR ePrint Archive 2020, 1292 (2020)

  4. Bindschaedler, V., Naveed, M., Pan, X., Wang, X., Huang, Y.: Practicing oblivious access on cloud storage: the gap, the fallacy, and the new way forward. In: ACM CCS, pp. 837–849 (2015)

  5. Boyle, E., Naor, M.: Is there an oblivious RAM lower bound? In: ITCS, pp. 357–368 (2016)

  6. Cash, D., Grubbs, P., Perry, J., Ristenpart, T.: Leakage-abuse attacks against searchable encryption. In: CCS, pp. 668–679 (2015)

  7. Chan, T.-H.H., Guo, Y., Lin, W.-K., Shi, E.: Oblivious hashing revisited, and applications to asymptotically efficient ORAM and OPRAM. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017. LNCS, vol. 10624, pp. 660–690. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70694-8_23

  8. Chan, T.-H.H., Nayak, K., Shi, E.: Perfectly secure oblivious parallel RAM. In: Beimel, A., Dziembowski, S. (eds.) TCC 2018. LNCS, vol. 11240, pp. 636–668. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-03810-6_23

  9. Hubert Chan, T.-H., Shi, E.: Circuit OPRAM: unifying statistically and computationally secure ORAMs and OPRAMs. In: Kalai, Y., Reyzin, L. (eds.) TCC 2017. LNCS, vol. 10678, pp. 72–107. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70503-3_3

  10. Chung, K.-M., Liu, Z., Pass, R.: Statistically-secure ORAM with \(\tilde{O}(\log ^2 n)\) overhead. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8874, pp. 62–81. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-45608-8_4

  11. Dittmer, S., Ostrovsky, R.: Oblivious tight compaction in \(o(n)\) time with smaller constant. In: SCN, pp. 253–274 (2020)

  12. Fletcher, C.W., Dijk, M.V., Devadas, S.: A secure processor architecture for encrypted computation on untrusted programs. In: ACM Workshop on Scalable Trusted Computing, pp. 3–8 (2012)

  13. Fletcher, C.W., Ren, L., Kwon, A., van Dijk, M., Devadas, S.: Freecursive ORAM: [nearly] free recursion and integrity verification for position-based oblivious RAM. In: ASPLOS, pp. 103–116 (2015)

  14. Fredman, M.L., Willard, D.E.: Surpassing the information theoretic bound with fusion trees. J. Comput. Syst. Sci. 47(3), 424–436 (1993)

  15. Gentry, C., Halevi, S., Jutla, C., Raykova, M.: Private database access with HE-over-ORAM architecture. In: Malkin, T., Kolesnikov, V., Lewko, A.B., Polychronakis, M. (eds.) ACNS 2015. LNCS, vol. 9092, pp. 172–191. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-28166-7_9

  16. Goldreich, O.: Towards a theory of software protection and simulation by oblivious rams. In: ACM STOC, pp. 182–194 (1987)

  17. Goldreich, O., Ostrovsky, R.: Software protection and simulation on oblivious RAMs. J. ACM 43(3), 431–473 (1996)

  18. Goodrich, M.T., Mitzenmacher, M.: Privacy-preserving access of outsourced data via oblivious RAM simulation. In: Aceto, L., Henzinger, M., Sgall, J. (eds.) ICALP 2011. LNCS, vol. 6756, pp. 576–587. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-22012-8_46

  19. Goodrich, M.T., Mitzenmacher, M., Ohrimenko, O., Tamassia, R.: Oblivious ram simulation with efficient worst-case access overhead. In: Proceedings of the 3rd ACM Workshop on Cloud Computing Security Workshop, CCSW 2011, pp. 95–100 (2011)

  20. Goodrich, M.T., Mitzenmacher, M., Ohrimenko, O., Tamassia, R.: Privacy-preserving group data access via stateless oblivious RAM simulation. In: SODA, pp. 157–167 (2012)

  21. Grubbs, P., McPherson, R., Naveed, M., Ristenpart, T., Shmatikov, V.: Breaking web applications built on top of encrypted data. In: CCS, pp. 1353–1364 (2016)

  22. Islam, M.S., Kuzu, M., Kantarcioglu, M.: Access pattern disclosure on searchable encryption: ramification, attack and mitigation. In: 19th Annual Network and Distributed System Security Symposium, NDSS (2012)

  23. Komargodski, I., Lin, W.: Lower bound for oblivious RAM with large cells. IACR Cryptology ePrint Archive 2020, 1132 (2020)

  24. Kushilevitz, E., Lu, S., Ostrovsky, R.: On the (in)security of hash-based oblivious RAM and a new balancing scheme. In: SODA, pp. 143–156 (2012)

  25. Larsen, K.G., Nielsen, J.B.: Yes, there is an oblivious RAM lower bound! In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018. LNCS, vol. 10992, pp. 523–542. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96881-0_18

  26. Liu, C., Wang, X.S., Nayak, K., Huang, Y., Shi, E.: ObliVM: a programming framework for secure computation. In: IEEE S&P (2015)

  27. Lu, S., Ostrovsky, R.: Distributed oblivious RAM for secure two-party computation. In: Sahai, A. (ed.) TCC 2013. LNCS, vol. 7785, pp. 377–396. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-36594-2_22

  28. Maas, M., et al.: PHANTOM: practical oblivious computation in a secure processor. In: ACM CCS, pp. 311–324 (2013)

  29. Ostrovsky, R., Shoup, V.: Private information storage. In: ACM STOC, pp. 294–303 (1997)

  30. Patel, S., Persiano, G., Raykova, M., Yeo, K.: Panorama: oblivious RAM with logarithmic overhead. In: IEEE FOCS (2018)

  31. Ren, L., Yu, X., Fletcher, C.W., van Dijk, M., Devadas, S.: Design space exploration and optimization of path oblivious RAM in secure processors. In: The 40th Annual International Symposium on Computer Architecture, ISCA, pp. 571–582 (2013)

  32. Shi, E., Chan, T.-H.H., Stefanov, E., Li, M.: Oblivious RAM with \(O((\log N)^{3})\) worst-case cost. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 197–214. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25385-0_11

  33. Stefanov, E., et al.: Path ORAM: an extremely simple oblivious RAM protocol. In: ACM CCS, pp. 299–310 (2013)

  34. Stefanov, E., Shi, E.: ObliviStore: high performance oblivious cloud storage. In: IEEE S&P, pp. 253–267 (2013)

  35. Stefanov, E., Shi, E., Song, D.X.: Towards practical oblivious RAM. In: NDSS (2012)

  36. Thorup, M.: Randomized sorting in O(n log log n) time and linear space using addition, shift, and bit-wise Boolean operations. J. Algorithms 42(2), 205–230 (2002)

  37. Wang, X., Chan, T.H., Shi, E.: Circuit ORAM: on tightness of the Goldreich-Ostrovsky lower bound. In: ACM CCS, pp. 850–861 (2015)

  38. Wang, X.S., Huang, Y., Chan, T.H., Shelat, A., Shi, E.: SCORAM: oblivious RAM for secure computation. In: ACM CCS, pp. 191–202 (2014)

  39. Williams, P., Sion, R., Tomescu, A.: PrivateFS: a parallel oblivious file system. In: ACM CCS (2012)

  40. Zahur, S., et al.: Revisiting square-root ORAM: efficient random access in multi-party computation. In: IEEE S&P, pp. 218–234 (2016)

  41. Zhang, Y., Katz, J., Papamanthou, C.: All your queries are belong to us: The power of file-injection attacks on searchable encryption. In: USENIX, pp. 707–720 (2016)


Acknowledgments

This work is supported in part by a DARPA Brandeis award, by NSF under the award numbers CNS-1601879, CNS-2044679, by Packard Fellowship, an ONR YIP award, by the Israel Science Foundation (grants No. 2439/20 and 1774/20), by an Alon Young Faculty Fellowship, and by the BIU Center for Research in Applied Cryptography and Cyber Security in conjunction with the Israel National Cyber Bureau in the Prime Minister’s Office. This project has received funding from the European Union’s Horizon 2020 research and innovation programme under the Marie Skłodowska-Curie grant agreement No. 891234.

Corresponding author

Correspondence to Gilad Asharov.

Figures

Fig. 1. The rebuild process of [3]: The first three levels are “full” and the fourth is the first level which is “half full”. Each level is pushed down, while levels 3 and 4 are merged. After this operation, the first level is empty, two levels are “half full” and the last level is full.

Fig. 2. The Rebuild process (for levels i and \(i+1\)), demonstrating which table is being rebuilt at each stage and which tables we lookup in with each access. The timeline goes left-to-right, each colored box is rebuilding the enclosed table, and the left/right side of the box denotes the starting/ending time of the rebuild. Notice that the rebuild at level \(i+1\) changes the status in both levels i and \(i+1\), e.g., the starting of \(\mathsf{B}_{i+1}^\mathsf{F}\) (on the bottom-right) switches both \(\mathsf{B}_i\) and \(\mathsf{B}_{i+1}\) to \(\mathtt{Null}\), and its ending assigns \(\mathsf{B}_{i+1} ~\mathsf{:=}~ \mathsf{B}_{i+1}^\mathsf{F}\).

Fig. 3. The rebuilding process. \(\mathsf{A}_i^\mathsf{HF}\) and \(\mathsf{A}_i^\mathsf{F}\) are both shown in the same table, likewise \(\mathsf{B}_i^\mathsf{HF}\) and \(\mathsf{B}_i^\mathsf{F}\). (Color figure online)

Copyright information

© 2021 International Association for Cryptologic Research

About this paper

Cite this paper

Asharov, G., Komargodski, I., Lin, WK., Shi, E. (2021). Oblivious RAM with Worst-Case Logarithmic Overhead. In: Malkin, T., Peikert, C. (eds) Advances in Cryptology – CRYPTO 2021. CRYPTO 2021. Lecture Notes in Computer Science, vol 12828. Springer, Cham. https://doi.org/10.1007/978-3-030-84259-8_21

  • DOI: https://doi.org/10.1007/978-3-030-84259-8_21

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-84258-1

  • Online ISBN: 978-3-030-84259-8

  • eBook Packages: Computer Science (R0)
