Differentially Oblivious Turing Machines

Oblivious RAM (ORAM) is a mechanism that prevents any RAM program from leaking information about its secret input to an observer who sees only the access pattern. It is known that every ORAM must incur a logarithmic overhead compared to the non-oblivious RAM. In fact, even the seemingly weaker notion of differential obliviousness, which intuitively “protects” a single access by guaranteeing that the observed access patterns for every two “neighboring” logical access sequences satisfy (ε, δ)-differential privacy, is subject to a logarithmic lower bound. In this work, we show that any Turing machine computation can be generically compiled into a differentially oblivious one with only doubly logarithmic overhead. More precisely, given a Turing machine that makes N transitions, the compiled Turing machine makes O(N · log log N) transitions in total, and the sequence of physical head movements satisfies (ε, δ)-differential privacy (for a constant ε and a negligible δ). We additionally show that Ω(log log N) overhead is necessary in a natural range of parameters (and in the balls and bins model). As a corollary, we show that there exist natural data structures, such as stacks and queues (supporting online operations) on N elements, for which there is a differentially oblivious implementation on a Turing machine incurring amortized O(log log N) overhead per operation, while it is known that any oblivious implementation must consume Ω(log N) operations unconditionally even on a RAM. Therefore, we obtain the first unconditional separation between obliviousness and differential obliviousness in the most natural setting of parameters, where ε is a constant and δ is negligible. Before this work, such a separation was only known in the balls and bins model. Note that the lower bound applies in the RAM model while our upper bound is in the Turing machine model, making our separation stronger.

2012 ACM Subject Classification: Theory of computation → Turing machines
