Abstract
Oblivious RAMs, introduced by Goldreich and Ostrovsky [JACM’96], compile any RAM program into one that is “memory oblivious”, i.e., the access pattern to the memory is independent of the input. All previous ORAM schemes, however, completely break the locality of data accesses (for instance, by shuffling the data to pseudorandom positions in memory).
In this work, we initiate the study of locality-preserving ORAMs—ORAMs that preserve locality of the accessed memory regions, while leaking only the lengths of contiguous memory regions accessed. Our main results demonstrate the existence of a locality-preserving ORAM with poly-logarithmic overhead both in terms of bandwidth and locality. We also study the tradeoff between locality, bandwidth and leakage, and show that any scheme that preserves locality and does not leak the lengths of the contiguous memory regions accessed, suffers from prohibitive bandwidth.
To the best of our knowledge, before our work, the only works combining locality and obliviousness were for symmetric searchable encryption [e.g., Cash and Tessaro (EUROCRYPT’14), Asharov et al. (STOC’16)]. Symmetric search encryption ensures obliviousness if each keyword is searched only once, whereas ORAM provides obliviousness to any input program. Thus, our work generalizes that line of work to the much more challenging task of preserving locality in ORAMs.
G. Asharov—Currently a researcher at JP Morgan AI Research.
K. Nayak and L. Ren—Currently at VMware Research.
This is a preview of subscription content, log in via an institution.
Buying options
Tax calculation will be finalised at checkout
Purchases are for personal use only
Learn about institutional subscriptionsNotes
- 1.
Intuitively, a file stores the identifiers of the documents matching a keyword search in SSE schemes.
- 2.
We emphasize that many practical applications leak some more information even when using standard ORAM, e.g., in the form of communication volume. See discussion in below.
- 3.
However, as we shall see, m does not play a role in the lower bound.
References
Bitonic sorter. https://en.wikipedia.org/wiki/Bitonic_sorter. Accessed October 2018
Ajtai, M., Komlós, J., Szemerédi, E.: An \(O(N \log N)\) sorting network. In: ACM Symposium on Theory of Computing (STOC 1983), pp. 1–9 (1983)
Apon, D., Katz, J., Shi, E., Thiruvengadam, A.: Verifiable oblivious storage. In: Krawczyk, H. (ed.) PKC 2014. LNCS, vol. 8383, pp. 131–148. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-54631-0_8
Arge, L., Ferragina, P., Grossi, R., Vitter, J.S.: On sorting strings in external memory (extended abstract). In: ACM Symposium on the Theory of Computing (STOC 1997), pp. 540–548 (1997)
Asharov, G., Chan, T.H.H., Nayak, K., Pass, R., Ren, L., Shi, E.: Locality-preserving oblivious ram. https://eprint.iacr.org/2017/772
Asharov, G., Komargodski, I., Lin, W.K., Nayak, K., Peserico, E., Shi, E.: OptORAMa: optimal oblivious RAM. Cryptology ePrint Archive, Report 2018/892
Asharov, G., Naor, M., Segev, G., Shahaf, I.: Searchable symmetric encryption: optimal locality in linear space via two-dimensional balanced allocations. In: ACM Symposium on Theory of Computing (STOC 2016), pp. 1101–1114 (2016)
Asharov, G., Segev, G., Shahaf, I.: Tight tradeoffs in searchable symmetric encryption. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018. LNCS, vol. 10991, pp. 407–436. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96884-1_14
Batcher, K.E.: Sorting networks and their applications. In: AFIPS 1968 (1968)
Boyle, E., Naor, M.: Is there an oblivious RAM lower bound? In: ACM Conference on Innovations in Theoretical Computer Science (ITCS 2016), pp. 357–368 (2016)
Canetti, R.: Security and composition of multiparty cryptographic protocols. J. Cryptol. 13(1), 143–202 (2000)
Cash, D., Jarecki, S., Jutla, C.S., Krawczyk, H., Roşu, M.-C., Steiner, M.: Highly-scalable searchable symmetric encryption with support for boolean queries. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part 1. LNCS, vol. 8042, pp. 353–373. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40041-4_20
Cash, D., Tessaro, S.: The locality of searchable symmetric encryption. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 351–368. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-55220-5_20
Chakraborti, A., Aviv, A.J., Choi, S.G., Mayberry, T., Roche, D.S., Sion, R.: rORAM: efficient range ORAM with \(O(\log ^2 N)\) locality. In: Network and Distributed System Security (NDSS) (2019)
Chan, T.H., Nayak, K., Shi, E.: Perfectly secure oblivious parallel RAM. In: Theory of Cryptography Conference (TCC) (2018)
Chan, T.H., Chung, K.M., Maggs, B., Shi, E.: Foundations of differentially oblivious algorithms. In: Symposium on Discrete Algorithms (SODA) (2019)
Chase, M., Kamara, S.: Structured encryption and controlled disclosure. In: Abe, M. (ed.) ASIACRYPT 2010. LNCS, vol. 6477, pp. 577–594. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-17373-8_33
Chung, K.-M., Liu, Z., Pass, R.: Statistically-secure ORAM with \(\tilde{O}(\log ^2 n)\) overhead. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8874, pp. 62–81. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-45608-8_4
Curtmola, R., Garay, J.A., Kamara, S., Ostrovsky, R.: Searchable symmetric encryption: improved definitions and efficient constructions. In: ACM Conference on Computer and Communications Security (CCS 2006), pp. 79–88 (2006)
Demertzis, I., Papadopoulos, D., Papamanthou, C.: Searchable encryption with optimal locality: achieving sublogarithmic read efficiency. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018. LNCS, vol. 10991, pp. 371–406. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96884-1_13
Demertzis, I., Papamanthou, C.: Fast searchable encryption with tunable locality. In: SIGMOD Conference, pp. 1053–1067. ACM (2017)
Devadas, S., van Dijk, M., Fletcher, C.W., Ren, L., Shi, E., Wichs, D.: Onion ORAM: a constant bandwidth blowup oblivious RAM. In: Kushilevitz, E., Malkin, T. (eds.) TCC 2016. LNCS, vol. 9563, pp. 145–174. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49099-0_6
Goldreich, O.: Towards a theory of software protection and simulation by oblivious RAMs. In: STOC (1987)
Goldreich, O.: The Foundations of Cryptography - Volume 2, Basic Applications. Cambridge University Press, Cambridge (2004)
Goldreich, O., Ostrovsky, R.: Software protection and simulation on oblivious RAMs. J. ACM 43, 431–473 (1996)
Goodrich, M.T.: Zig-zag sort: a simple deterministic data-oblivious sorting algorithm running in \(O(n \log n)\) time. In: STOC (2014)
Goodrich, M.T., Mitzenmacher, M.: Privacy-preserving access of outsourced data via oblivious RAM simulation. In: Aceto, L., Henzinger, M., Sgall, J. (eds.) ICALP 2011. LNCS, vol. 6756, pp. 576–587. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-22012-8_46
Kamara, S., Papamanthou, C.: Parallel and dynamic searchable symmetric encryption. In: Sadeghi, A.-R. (ed.) FC 2013. LNCS, vol. 7859, pp. 258–274. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-39884-1_22
Kellaris, G., Kollios, G., Nissim, K., O’Neill, A.: Generic attacks on secure outsourced databases. In: ACM CCS, pp. 1329–1340 (2016)
Kellaris, G., Kollios, G., Nissim, K., O’Neill, A.: Accessing data while preserving privacy. CoRR abs/1706.01552 (2017). http://arxiv.org/abs/1706.01552
Kurosawa, K., Ohtaki, Y.: How to update documents verifiably in searchable symmetric encryption. In: Abdalla, M., Nita-Rotaru, C., Dahab, R. (eds.) CANS 2013. LNCS, vol. 8257, pp. 309–328. Springer, Cham (2013). https://doi.org/10.1007/978-3-319-02937-5_17
Kushilevitz, E., Lu, S., Ostrovsky, R.: On the (in)security of hash-based oblivious RAM and a new balancing scheme. In: SODA (2012)
Larsen, K.G., Nielsen, J.B.: Yes, there is an oblivious RAM lower bound!. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018. LNCS, vol. 10992, pp. 523–542. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96881-0_18
Patel, S., Persiano, G., Raykova, M., Yeo, K.: Panorama: oblivious RAM with logarithmic overhead. In: FOCS (2018)
Ruemmler, C., Wilkes, J.: An introduction to disk drive modeling. IEEE Comput. 27(3), 17–28 (1994)
Shi, E., Chan, T.-H.H., Stefanov, E., Li, M.: Oblivious RAM with O((log N)3) worst-case cost. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 197–214. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25385-0_11
Stefanov, E., et al.: Path ORAM - an extremely simple oblivious RAM protocol. In: CCS (2013)
van Liesdonk, P., Sedghi, S., Doumen, J., Hartel, P., Jonker, W.: Computationally efficient searchable symmetric encryption. In: Jonker, W., Petković, M. (eds.) SDM 2010. LNCS, vol. 6358, pp. 87–100. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-15546-8_7
Vitter, J.S.: External memory algorithms and data structures. ACM Comput. Surv. 33(2), 209–271 (2001)
Vitter, J.S.: Algorithms and data structures for external memory. Found. Trends Theor. Comput. Sci. 2(4), 305–474 (2006)
Wang, X., Chan, T.H., Shi, E.: Circuit ORAM: on tightness of the Goldreich-Ostrovsky lower bound. In: ACM Conference on Computer and Communications Security, pp. 850–861. ACM (2015)
Wang, X.S., Huang, Y., Chan, T.H.H., Shelat, A., Shi, E.: SCORAM: oblivious RAM for secure computation. In: CCS (2014)
Williams, P., Sion, R.: Usable PIR. In: Network and Distributed System Security Symposium (NDSS) (2008)
Williams, P., Sion, R.: Round-optimal access privacy on outsourced storage. In: ACM Conference on Computer and Communication Security (CCS) (2012)
Williams, P., Sion, R., Carbunar, B.: Building castles out of mud: practical access pattern privacy and correctness on untrusted storage. In: CCS, pp. 139–148 (2008)
Acknowledgments
This work was partially supported by a Junior Fellow award from the Simons Foundation to Gilad Asharov. This work was supported in part by NSF grants CNS-1314857, CNS-1514261, CNS-1544613, CNS-1561209, CNS-1601879, CNS-1617676, an Office of Naval Research Young Investigator Program Award, a Packard Fellowship, a Sloan Fellowship, Google Faculty Research Awards, a VMWare Research Award, and a Baidu Faculty Research Award to Elaine Shi. Kartik Nayak was partially supported by a Google Ph.D. Fellowship Award. T.-H. Hubert Chan was partially supported by the Hong Kong RGC under the grant 17200418.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
A Appendix: Locality of Bitonic Sort
A Appendix: Locality of Bitonic Sort
In this section, we first analyze the locality of Bitonic sort, which runs in \(O(n \log ^2 n)\) time.
We call an array of numbers bitonic if it consists of two monotonic sequences, the first one ascending and the other descending, or vice versa. For an array S, we write it as \(\widehat{S}\) if it is bitonic, as \(\overrightarrow{S}\) (resp. \(\overleftarrow{S}\)) if it is sorted in an ascending (resp. descending) order.
The algorithm is based on a “bitonic split” procedure \(\overrightarrow{\mathsf{Split}}\), which receives as input a bitonic sequence \(\widehat{S}\) of length n and outputs a sorted sequence \(\overrightarrow{S}\). \(\overrightarrow{\mathsf{Split}}\) first separates \(\widehat{S}\) into two bitonic sequences \(\widehat{S}_1,\widehat{S}_2\), such that all the elements in \(S_1\) are smaller than all the elements in \(S_2\). It then calls \(\overrightarrow{\mathsf{Split}}\) recursively on each sequence to get a sorted sequence.
Procedure A.1:
\(\overrightarrow{S} = \overrightarrow{\mathsf{Split}}(\widehat{S})\)
-
Let \(\widehat{S}_1 = \left\langle \min (a_0,a_{n/2}), \min (a_1,a_{n/2+1}),\ldots ,\min (a_{n/2-1},a_{n-1}) \right\rangle \).
-
Let \(\widehat{S}_2 = \left\langle \max (a_0,a_{n/2}), \max (a_1,a_{n/2+1}),\ldots ,\max (a_{n/2-1},a_{n-1}) \right\rangle \).
-
\(\overrightarrow{S}_1=\overrightarrow{\mathsf{Split}}({\widehat{S}}_1)\), \(\overrightarrow{S}_2=\overrightarrow{\mathsf{Split}}({\widehat{S}}_2)\) and \(\overrightarrow{S}=(\overrightarrow{S}_1,\overrightarrow{S}_2)\).
Similarly, \(\overleftarrow{S} = \overleftarrow{\mathsf{Split}}(\widehat{S})\) sorts the array in a descending order. We refer to [9] for details.
To sort an array S of n elements, the algorithm first converts S into a bitonic sequence using the \(\mathsf{Split}\) procedures in a bottom up fashion, similar to the structure of merge-sort. Specifically, any size-2 sequence is a bitonic sequence. In each iteration \(i =1,\ldots ,\log n-1\), the algorithm merges each pair of size-\(2^i\) bitonic sequences into a size-\(2^{i+1}\) bitonic sequence. Towards this end, it uses the \(\overrightarrow{\mathsf{Split}}\) and \(\overleftarrow{\mathsf{Split}}\) alternately, as two sorted sequences \((\overrightarrow{S}_1,\overleftarrow{S}_2)\) form a bitonic sequence. The full bitonic sort algorithm is presented below:
Algorithm A.2:
\(\mathsf{BitonicSort}(S)\)
-
1.
Convert S to a bitonic sequence: For \(i=1,\ldots ,\log n-1\):
-
(a)
Let \(S=({\widehat{S}}_0,\ldots ,{\widehat{S}}_{n/2^i-1})\) be the size-\(2^i\) bitonic sequences from the previous iteration.
-
(b)
For \(j=0,\ldots ,n/2^{i+1}-1\), \({\widehat{B}}_{j} = (\overrightarrow{\mathsf{Split}}({\widehat{S}}_{2j}),\overleftarrow{\mathsf{Split}}({\widehat{S}}_{2j+1}))\).
-
(c)
Set \(S = ({\widehat{B}}_0,\ldots ,{\widehat{B}}_{n/2^{i+1}-1})\).
-
(a)
-
2.
The array \(\widehat{S}\) is now a bitonic sequence. Apply \(\overrightarrow{S}=\overrightarrow{\mathsf{Split}}(\widehat{S})\) to obtain a sorted sequence.
Locality and obliviousness. It is easy to see that the sorting algorithm is oblivious, as all accesses to the memory are independent of the input data. For locality, first note that procedure \(\overrightarrow{\mathsf{Split}}\) and \(\overleftarrow{\mathsf{Split}}\) are \((2,O(\log n))\)-local. No \(\mathsf{move}\) operations are needed between instances of recursions, as these can be executed one after another as iterations (and using some vacuous reads). Thus, Algorithm A.2 is \((2,O(\log ^2n))\)-local as it runs in \(\log n\) iterations, each invoking \(\overrightarrow{\mathsf{Split}}\) and \(\overleftarrow{\mathsf{Split}}\). Figure 3 gives a graphic representation of the algorithm for input size 8 and Fig. 4 illustrates its locality. The \((2,O(\log ^2n))\) locality of Bitonic sort is also obvious from the figure.
Remark. Observe that in each pass of \(\overrightarrow{\mathsf{Split}}\) (or \(\overleftarrow{\mathsf{Split}}\)), a min/max operation is a read-compare-write operation. Thus, strictly speaking, each memory location is accessed twice for this operation – once for reading and once for writing. When the write is performed, the read/write head has already moved forward and is thus not writing back to the same two locations that it read from. Going back to the same two locations would incur an undesirable move head operation. However, we can easily convert this into a solution that still preserves (2, O(1))-locality for each pass of \(\overrightarrow{\mathsf{Split}}\) by introducing a slack after every memory location (and thus using twice the amount of storage). In this solution, every memory location \(a_i\) is followed by \(a_i'\); the entire array is stored as \(((a_0, a_0'), \ldots , (a_{n-1}, a_{n-1}'))\) where \(a_i\) stores real blocks and \(a_i'\) is a slack location. When \(a_i\) and \(a_j\) are compared, the results can be written to \(a_i'\) and \(a_j'\) respectively without incurring a move operation. Before starting the next iteration, we can move the data from slack locations to the actual locations in a single pass, thus preserving (2, O(1))-locality for each pass of \(\overrightarrow{\mathsf{Split}}\) (and \(\overleftarrow{\mathsf{Split}}\)).
Rights and permissions
Copyright information
© 2019 International Association for Cryptologic Research
About this paper
Cite this paper
Asharov, G., Hubert Chan, TH., Nayak, K., Pass, R., Ren, L., Shi, E. (2019). Locality-Preserving Oblivious RAM. In: Ishai, Y., Rijmen, V. (eds) Advances in Cryptology – EUROCRYPT 2019. EUROCRYPT 2019. Lecture Notes in Computer Science(), vol 11477. Springer, Cham. https://doi.org/10.1007/978-3-030-17656-3_8
Download citation
DOI: https://doi.org/10.1007/978-3-030-17656-3_8
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-17655-6
Online ISBN: 978-3-030-17656-3
eBook Packages: Computer ScienceComputer Science (R0)