Distributed Oblivious RAM for Secure Two-Party Computation

We present a new method for secure two-party Random Access Memory (RAM) program computation that does not require taking a program and first turning it into a circuit. The method achieves logarithmic overhead compared to an insecure program execution. In the heart of our construction is a new Oblivious RAM construction where a client interacts with two non-communicating servers. Our two-server Oblivious RAM for n reads/writes requires O(n) memory for the servers, O(1) memory for the client, and O(logn) amortized read/write overhead for data access. The constants in the big-O notation are tiny, and we show that the storage and data access overhead of our solution concretely compares favorably to the state-of-the-art single-server schemes. Our protocol enjoys an important feature from a practical perspective as well. At the heart of almost all previous single-server Oblivious RAM solutions, a crucial but inefficient process known as oblivious sorting was required. In our two-server model, we describe a new technique to bypass oblivious sorting, and show how this can be carefully blended with existing techniques to attain a more practical Oblivious RAM protocol in comparison to all prior work. As alluded above, our two-server Oblivious RAM protocol leads to a novel application in the realm of secure two-party RAM program computation. We observe that in the secure two-party computation, Alice and Bob can play the roles of two non-colluding servers. We show that our Oblivious RAM construction can be composed with an extended version of the Ostrovsky-Shoup compiler to obtain a new method for secure two-party program computation with lower overhead than all existing constructions.

[1]  Michael T. Goodrich,et al.  Oblivious RAM simulation with efficient worst-case access overhead , 2011, CCSW '11.

[2]  Oded Goldreich Foundations of Cryptography: Index , 2001 .

[3]  Rafail Ostrovsky,et al.  How to Garble RAM Programs , 2013, EUROCRYPT.

[4]  Martijn Stam Beyond Uniformity: Better Security/Efficiency Tradeoffs for Compression Functions , 2008, CRYPTO.

[5]  Rafail Ostrovsky,et al.  Public Key Encryption That Allows PIR Queries , 2007, CRYPTO.

[6]  Peter Williams,et al.  Usable PIR , 2008, NDSS.

[7]  Rafail Ostrovsky,et al.  Software protection and simulation on oblivious RAMs , 1996, JACM.

[8]  Moni Naor,et al.  Communication preserving protocols for secure function evaluation , 2001, STOC '01.

[9]  Jonathan Katz,et al.  Faster Secure Two-Party Computation Using Garbled Circuits , 2011, USENIX Security Symposium.

[10]  Kurt Mehlhorn,et al.  Algorithms - ESA 2008, 16th Annual European Symposium, Karlsruhe, Germany, September 15-17, 2008. Proceedings , 2008, ESA.

[11]  Miklós Ajtai,et al.  Oblivious RAMs without cryptogrpahic assumptions , 2010, STOC '10.

[12]  Elaine Shi,et al.  Towards Practical Oblivious RAM , 2011, NDSS.

[13]  A. J. Menezes,et al.  Advances in Cryptology - CRYPTO 2007, 27th Annual International Cryptology Conference, Santa Barbara, CA, USA, August 19-23, 2007, Proceedings , 2007, CRYPTO.

[14]  Michael Mitzenmacher,et al.  More Robust Hashing: Cuckoo Hashing with a Stash , 2008, ESA.

[15]  Rafail Ostrovsky,et al.  Cryptography with constant computational overhead , 2008, STOC.

[16]  Rafail Ostrovsky,et al.  Public-Key Encryption with Efficient Amortized Updates , 2010, SCN.

[17]  Burton H. Bloom,et al.  Space/time trade-offs in hash coding with allowable errors , 1970, CACM.

[18]  Andrew Chi-Chih Yao,et al.  Protocols for Secure Computations (Extended Abstract) , 1982, FOCS.

[19]  Abhi Shelat,et al.  Efficient Secure Computation with Garbled Circuits , 2011, ICISS.

[20]  Adi Shamir,et al.  Cache Attacks and Countermeasures: The Case of AES , 2006, CT-RSA.

[21]  Michael T. Goodrich,et al.  Privacy-Preserving Access of Outsourced Data via Oblivious RAM Simulation , 2010, ICALP.

[22]  Avi Wigderson,et al.  Multi-prover interactive proofs: how to remove intractability assumptions , 2019, STOC '88.

[23]  Rafail Ostrovsky,et al.  Multi-Server Oblivious RAM , 2011, IACR Cryptol. ePrint Arch..

[24]  Elaine Shi,et al.  Oblivious RAM with O((logN)3) Worst-Case Cost , 2011, ASIACRYPT.

[25]  Yuval Ishai,et al.  Founding Cryptography on Oblivious Transfer - Efficiently , 2008, CRYPTO.

[26]  David Pointcheval Topics in Cryptology - CT-RSA 2006, The Cryptographers' Track at the RSA Conference 2006, San Jose, CA, USA, February 13-17, 2006, Proceedings , 2006, CT-RSA.

[27]  Friedhelm Meyer auf der Heide,et al.  Algorithms — ESA 2001 , 2001, Lecture Notes in Computer Science.

[28]  Andrew Chi-Chih Yao,et al.  Protocols for secure computations , 1982, FOCS 1982.

[29]  Robin Milner,et al.  On Observing Nondeterminism and Concurrency , 1980, ICALP.

[30]  Michael T. Goodrich,et al.  Randomized Shellsort: a simple oblivious sorting algorithm , 2009, SODA '10.

[31]  Abhi Shelat,et al.  Towards Billion-Gate Secure Computation with Malicious Adversaries , 2012, IACR Cryptol. ePrint Arch..

[32]  Silvio Micali,et al.  How to play ANY mental game , 1987, STOC.

[33]  János Komlós,et al.  An 0(n log n) sorting network , 1983, STOC.

[34]  Jonathan Katz,et al.  Secure Computation with Sublinear Amortized Work , 2011, IACR Cryptol. ePrint Arch..

[35]  Joe Kilian,et al.  Founding crytpography on oblivious transfer , 1988, STOC '88.

[36]  Dan Boneh,et al.  Remote Oblivious Storage: Making Oblivious RAM Practical , 2011 .

[37]  Rafail Ostrovsky,et al.  On the (in)security of hash-based oblivious RAM and a new balancing scheme , 2012, SODA.

[38]  Rafail Ostrovsky,et al.  Efficient computation on oblivious RAMs , 1990, STOC '90.

[39]  Oded Goldreich,et al.  Towards a theory of software protection and simulation by oblivious RAMs , 1987, STOC.

[40]  Tal Rabin Advances in Cryptology - CRYPTO 2010, 30th Annual Cryptology Conference, Santa Barbara, CA, USA, August 15-19, 2010. Proceedings , 2010, CRYPTO.

[41]  Oded Goldreich,et al.  Foundations of Cryptography: Basic Tools , 2000 .

[42]  Benny Pinkas,et al.  Oblivious RAM Revisited , 2010, CRYPTO.

[43]  Peter Williams,et al.  Building castles out of mud: practical access pattern privacy and correctness on untrusted storage , 2008, CCS.

[44]  Michael T. Goodrich,et al.  Privacy-preserving group data access via stateless oblivious RAM simulation , 2011, SODA.

[45]  Rasmus Pagh,et al.  Cuckoo Hashing , 2001, Encyclopedia of Algorithms.

[46]  E. Szemerédi,et al.  O(n LOG n) SORTING NETWORK. , 1983 .

[47]  Michael J. Fischer,et al.  Relations Among Complexity Measures , 1979, JACM.

[48]  Eyal Kushilevitz,et al.  Private information retrieval , 1995, Proceedings of IEEE 36th Annual Foundations of Computer Science.

[49]  John P. Steinberger,et al.  The preimage security of double-block-length compression functions , 2011, IACR Cryptol. ePrint Arch..

[50]  Jonathan Katz,et al.  Secure two-party computation in sublinear (amortized) time , 2012, CCS.

[51]  Oded Goldreich,et al.  Foundations of Cryptography: List of Figures , 2001 .

[52]  Kenneth E. Batcher,et al.  Sorting networks and their applications , 1968, AFIPS Spring Joint Computing Conference.

[53]  Rafail Ostrovsky,et al.  Private information storage (extended abstract) , 1997, STOC '97.

[54]  Ivan Damgård,et al.  Perfectly Secure Oblivious RAM Without Random Oracles , 2011, IACR Cryptol. ePrint Arch..