Locality-Preserving Oblivious RAM

Abstract

Oblivious RAMs, introduced by Goldreich and Ostrovsky [JACM’96], compile any RAM program into one that is “memory oblivious”, i.e., the access pattern to the memory is independent of the input. All previous ORAM schemes, however, completely break the locality of data accesses (for instance, by shuffling the data to pseudorandom positions in memory).

In this work, we initiate the study of locality-preserving ORAMs—ORAMs that preserve locality of the accessed memory regions, while leaking only the lengths of contiguous memory regions accessed. Our main results demonstrate the existence of a locality-preserving ORAM with poly-logarithmic overhead both in terms of bandwidth and locality. We also study the tradeoff between locality, bandwidth and leakage, and show that any scheme that preserves locality and does not leak the lengths of the contiguous memory regions accessed, suffers from prohibitive bandwidth.

To the best of our knowledge, before our work, the only works combining locality and obliviousness were for symmetric searchable encryption [e.g., Cash and Tessaro (EUROCRYPT’14), Asharov et al. (STOC’16)]. Symmetric search encryption ensures obliviousness if each keyword is searched only once, whereas ORAM provides obliviousness to any input program. Thus, our work generalizes that line of work to the much more challenging task of preserving locality in ORAMs.

G. Asharov—Currently a researcher at JP Morgan AI Research.

K. Nayak and L. Ren—Currently at VMware Research.

A Appendix: Locality of Bitonic Sort

In this section, we first analyze the locality of Bitonic sort, which runs in \(O(n \log ^2 n)\) time.

We call an array of numbers bitonic if it consists of two monotonic sequences, the first one ascending and the other descending, or vice versa. For an array S, we write it as \(\widehat{S}\) if it is bitonic, as \(\overrightarrow{S}\) (resp. \(\overleftarrow{S}\)) if it is sorted in an ascending (resp. descending) order.

The algorithm is based on a “bitonic split” procedure \(\overrightarrow{\mathsf{Split}}\), which receives as input a bitonic sequence \(\widehat{S}\) of length n and outputs a sorted sequence \(\overrightarrow{S}\). \(\overrightarrow{\mathsf{Split}}\) first separates \(\widehat{S}\) into two bitonic sequences \(\widehat{S}_1,\widehat{S}_2\), such that all the elements in \(S_1\) are smaller than all the elements in \(S_2\). It then calls \(\overrightarrow{\mathsf{Split}}\) recursively on each sequence to get a sorted sequence.

Procedure A.1:

\(\overrightarrow{S} = \overrightarrow{\mathsf{Split}}(\widehat{S})\)

• Let \(\widehat{S}_1 = \left\langle \min (a_0,a_{n/2}), \min (a_1,a_{n/2+1}),\ldots ,\min (a_{n/2-1},a_{n-1}) \right\rangle \).

• Let \(\widehat{S}_2 = \left\langle \max (a_0,a_{n/2}), \max (a_1,a_{n/2+1}),\ldots ,\max (a_{n/2-1},a_{n-1}) \right\rangle \).

• \(\overrightarrow{S}_1=\overrightarrow{\mathsf{Split}}({\widehat{S}}_1)\), \(\overrightarrow{S}_2=\overrightarrow{\mathsf{Split}}({\widehat{S}}_2)\) and \(\overrightarrow{S}=(\overrightarrow{S}_1,\overrightarrow{S}_2)\).

Similarly, \(\overleftarrow{S} = \overleftarrow{\mathsf{Split}}(\widehat{S})\) sorts the array in a descending order. We refer to [9] for details.

To sort an array S of n elements, the algorithm first converts S into a bitonic sequence using the \(\mathsf{Split}\) procedures in a bottom up fashion, similar to the structure of merge-sort. Specifically, any size-2 sequence is a bitonic sequence. In each iteration \(i =1,\ldots ,\log n-1\), the algorithm merges each pair of size-\(2^i\) bitonic sequences into a size-\(2^{i+1}\) bitonic sequence. Towards this end, it uses the \(\overrightarrow{\mathsf{Split}}\) and \(\overleftarrow{\mathsf{Split}}\) alternately, as two sorted sequences \((\overrightarrow{S}_1,\overleftarrow{S}_2)\) form a bitonic sequence. The full bitonic sort algorithm is presented below:

Algorithm A.2:

\(\mathsf{BitonicSort}(S)\)

1. 1.

   Convert S to a bitonic sequence: For \(i=1,\ldots ,\log n-1\):

   1. (a)

      Let \(S=({\widehat{S}}_0,\ldots ,{\widehat{S}}_{n/2^i-1})\) be the size-\(2^i\) bitonic sequences from the previous iteration.

   2. (b)

      For \(j=0,\ldots ,n/2^{i+1}-1\), \({\widehat{B}}_{j} = (\overrightarrow{\mathsf{Split}}({\widehat{S}}_{2j}),\overleftarrow{\mathsf{Split}}({\widehat{S}}_{2j+1}))\).

   3. (c)

      Set \(S = ({\widehat{B}}_0,\ldots ,{\widehat{B}}_{n/2^{i+1}-1})\).

2. 2.

   The array \(\widehat{S}\) is now a bitonic sequence. Apply \(\overrightarrow{S}=\overrightarrow{\mathsf{Split}}(\widehat{S})\) to obtain a sorted sequence.

Locality and obliviousness. It is easy to see that the sorting algorithm is oblivious, as all accesses to the memory are independent of the input data. For locality, first note that procedure \(\overrightarrow{\mathsf{Split}}\) and \(\overleftarrow{\mathsf{Split}}\) are \((2,O(\log n))\)-local. No \(\mathsf{move}\) operations are needed between instances of recursions, as these can be executed one after another as iterations (and using some vacuous reads). Thus, Algorithm A.2 is \((2,O(\log ^2n))\)-local as it runs in \(\log n\) iterations, each invoking \(\overrightarrow{\mathsf{Split}}\) and \(\overleftarrow{\mathsf{Split}}\). Figure 3 gives a graphic representation of the algorithm for input size 8 and Fig. 4 illustrates its locality. The \((2,O(\log ^2n))\) locality of Bitonic sort is also obvious from the figure.

Remark. Observe that in each pass of \(\overrightarrow{\mathsf{Split}}\) (or \(\overleftarrow{\mathsf{Split}}\)), a min/max operation is a read-compare-write operation. Thus, strictly speaking, each memory location is accessed twice for this operation – once for reading and once for writing. When the write is performed, the read/write head has already moved forward and is thus not writing back to the same two locations that it read from. Going back to the same two locations would incur an undesirable move head operation. However, we can easily convert this into a solution that still preserves (2, O(1))-locality for each pass of \(\overrightarrow{\mathsf{Split}}\) by introducing a slack after every memory location (and thus using twice the amount of storage). In this solution, every memory location \(a_i\) is followed by \(a_i'\); the entire array is stored as \(((a_0, a_0'), \ldots , (a_{n-1}, a_{n-1}'))\) where \(a_i\) stores real blocks and \(a_i'\) is a slack location. When \(a_i\) and \(a_j\) are compared, the results can be written to \(a_i'\) and \(a_j'\) respectively without incurring a move operation. Before starting the next iteration, we can move the data from slack locations to the actual locations in a single pass, thus preserving (2, O(1))-locality for each pass of \(\overrightarrow{\mathsf{Split}}\) (and \(\overleftarrow{\mathsf{Split}}\)).

Fig. 3.

Bitonic sorting network for 8 inputs. Input come in from the left end, and outputs are on the right end. When two numbers are joined by an arrow, they are compared, and if necessary are swapped such that the arrow points from the smaller number toward the larger number. This figure is modified from [1].

Fig. 4.

Locality of Bitonic Sort for 8 elements. The figure shows the allocation of the data in the two disks for an 8 element array. For each input, either a compare-and-swap operation is performed in the specified direction or the input is ignored as denoted by \(\bot \). The figure shows the first 3 passes out of the required 6 passes for 8 elements (see Fig. 3).