Can We Overcome the n log n Barrier for Oblivious Sorting?

It is well-known that non-comparison-based techniques can allow us to sort n elements in o(n log n) time on a Random-Access Machine (RAM). On the other hand, it is a long-standing open question whether (non-comparison-based) circuits can sort n elements from the domain [1..2] with o(kn log n) boolean gates. We consider weakened forms of this question: first, we consider a restricted class of sorting where the number of distinct keys is much smaller than the input length; and second, we explore Oblivious RAMs and probabilistic circuit families, i.e., computational models that are somewhat more powerful than circuits but much weaker than RAM. We show that Oblivious RAMs and probabilistic circuit families can sort o(log n)-bit keys in o(n log n) time or o(kn log n) circuit complexity. Our algorithms work in the indivisible model, i.e., not only can they sort an array of numerical keys — if each key additionally carries an opaque ball, our algorithms can also move the balls into the correct order. We further show that in such an indivisible model, it is impossible to sort Ω(log n)-bit keys in o(n log n) time, and thus the o(log n)-bit-key assumption is necessary for overcoming the n log n barrier. Finally, after optimizing the IO efficiency, we show that even the 1-bit special case can solve open questions: our oblivious algorithms solve tight compaction and selection with optimal IO efficiency for the first time. ∗This work is supported in part by NSF grants CNS-1314857, CNS-1514261, CNS-1544613, CNS-1561209, CNS1601879, CNS-1617676, an Office of Naval Research Young Investigator Program Award, a Packard Fellowship, a DARPA Safeware grant (subcontractor under IBM), a Sloan Fellowship, Google Faculty Research Awards, a Baidu Research Award, and a VMWare Research Award. †Cornell University. ‡Cornell University. §Shanghai Jiao Tong University, work done while visiting Cornell.

[1]  Jeffrey Scott Vitter,et al.  External memory algorithms and data structures: dealing with massive data , 2001, CSUR.

[2]  Rafail Ostrovsky,et al.  Software protection and simulation on oblivious RAMs , 1996, JACM.

[3]  Carlos V. Rozas,et al.  Innovative instructions and software model for isolated execution , 2013, HASP '13.

[4]  Oded Goldreich,et al.  Towards a theory of software protection and simulation by oblivious RAMs , 1987, STOC.

[5]  Kasper Green Larsen,et al.  Yes, There is an Oblivious RAM Lower Bound! , 2018, IACR Cryptol. ePrint Arch..

[6]  Enoch Peserico Deterministic oblivious distribution (and tight compaction) in linear time , 2018, ArXiv.

[7]  Ron Rothblum,et al.  Fast Pseudorandomness for Independence and Load Balancing - (Extended Abstract) , 2014, ICALP.

[8]  Mikkel Thorup Randomized sorting in O(n log log n) time and linear space using addition, shift, and bit-wise boolean operations , 1997, SODA '97.

[9]  Kartik Nayak,et al.  OptORAMa: Optimal Oblivious RAM , 2020, IACR Cryptol. ePrint Arch..

[10]  David Eppstein,et al.  Privacy-preserving data-oblivious geometric algorithms for geographic data , 2010, GIS '10.

[11]  Michael T. Goodrich,et al.  Randomized Shellsort: a simple oblivious sorting algorithm , 2009, SODA '10.

[12]  Elaine Shi,et al.  ObliviStore: High Performance Oblivious Cloud Storage , 2013, 2013 IEEE Symposium on Security and Privacy.

[13]  Yijie Han,et al.  Deterministic sorting in O(nloglogn) time and linear space , 2004, J. Algorithms.

[14]  E. Szemerédi,et al.  O(n LOG n) SORTING NETWORK. , 1983 .

[15]  Michael A. Bender,et al.  Cache-oblivious B-trees , 2000, Proceedings 41st Annual Symposium on Foundations of Computer Science.

[16]  Elaine Shi,et al.  PHANTOM: practical oblivious computation in a secure processor , 2013, CCS.

[17]  Srinivas Devadas,et al.  Design space exploration and optimization of path oblivious RAM in secure processors , 2013, ISCA.

[18]  S. Srinivasa Rao,et al.  Secondary indexing in one dimension: beyond b-trees and bitmap indexes , 2009, PODS.

[19]  Manuel Blum,et al.  Time Bounds for Selection , 1973, J. Comput. Syst. Sci..

[20]  M. Thorup,et al.  Integer Sorting in Expected Time and Linear Space , 2002 .

[21]  Larry Carter,et al.  Universal Classes of Hash Functions , 1979, J. Comput. Syst. Sci..

[22]  Moni Naor,et al.  Is There an Oblivious RAM Lower Bound? , 2016, ITCS.

[23]  Elaine Shi,et al.  Oblivious Hashing Revisited, and Applications to Asymptotically Efficient ORAM and OPRAM , 2017, ASIACRYPT.

[24]  Elaine Shi,et al.  GhostRider: A Hardware-Software System for Memory Trace Oblivious Computation , 2015, ASPLOS.

[25]  Kenneth E. Batcher,et al.  Sorting networks and their applications , 1968, AFIPS Spring Joint Computing Conference.

[26]  Sanguthevar Rajasekaran,et al.  Optimal and Practical Algorithms for Sorting on the PDM , 2008, IEEE Transactions on Computers.

[27]  Kurt Mehlhorn,et al.  External-Memory Breadth-First Search with Sublinear I/O , 2002, ESA.

[28]  Omer Reingold,et al.  Balls and Bins: Smaller Hash Families and Faster Evaluation , 2011, 2011 IEEE 52nd Annual Symposium on Foundations of Computer Science.

[29]  Michael T. Goodrich,et al.  Privacy-Preserving Access of Outsourced Data via Oblivious RAM Simulation , 2010, ICALP.

[30]  Kartik Nayak,et al.  Oblivious Computation with Data Locality , 2017, IACR Cryptol. ePrint Arch..

[31]  Elaine Shi,et al.  Circuit ORAM: On Tightness of the Goldreich-Ostrovsky Lower Bound , 2015, IACR Cryptol. ePrint Arch..

[32]  Peter van Emde Boas Preserving order in a forest in less than logarithmic time , 1975, 16th Annual Symposium on Foundations of Computer Science (sfcs 1975).

[33]  L. Tippett Statistical Tables: For Biological, Agricultural and Medical Research , 1954 .

[34]  Arne Andersson Faster deterministic sorting and searching in linear space , 1996, Proceedings of 37th Conference on Foundations of Computer Science.

[35]  Elaine Shi,et al.  Circuit OPRAM: Unifying Statistically and Computationally Secure ORAMs and OPRAMs , 2017, TCC.

[36]  Qin Zhang,et al.  Dynamic external hashing: the limit of buffering , 2008, SPAA '09.

[37]  Ling Ren,et al.  Path ORAM , 2012, J. ACM.

[38]  John C. Mitchell,et al.  Data-Oblivious Data Structures , 2014, STACS.

[39]  Philippe Flajolet,et al.  Probabilistic Counting Algorithms for Data Base Applications , 1985, J. Comput. Syst. Sci..

[40]  Alok Aggarwal,et al.  The input/output complexity of sorting and related problems , 1988, CACM.

[41]  Stratis Ioannidis,et al.  GraphSC: Parallel Secure Computation Made Easy , 2015, 2015 IEEE Symposium on Security and Privacy.

[42]  Elaine Shi,et al.  Foundations of Differentially Oblivious Algorithms , 2017, IACR Cryptol. ePrint Arch..

[43]  Gerth Stølting Brodal,et al.  Cache-Oblivious Algorithms and Data Structures , 2004, SWAT.

[44]  David G. Kirkpatrick,et al.  Upper Bounds for Sorting Integers on Random Access Machines , 1984, Theor. Comput. Sci..

[45]  Ittai Anati,et al.  Innovative Technology for CPU Based Attestation and Sealing , 2013 .

[46]  Gerth Stølting Brodal,et al.  Lower bounds for external memory dictionaries , 2003, SODA '03.

[47]  Michael T. Goodrich,et al.  Zig-zag sort: a simple deterministic data-oblivious sorting algorithm running in O(n log n) time , 2014, STOC.

[48]  Leslie G. Valiant,et al.  Shifting Graphs and Their Applications , 1976, J. ACM.

[49]  Michael T. Goodrich,et al.  Data-Oblivious Graph Drawing Model and Algorithms , 2012, ArXiv.

[50]  Michael A. Bender,et al.  Cache-oblivious streaming B-trees , 2007, SPAA '07.

[51]  Donald E. Knuth,et al.  The art of computer programming, volume 3: (2nd ed.) sorting and searching , 1998 .

[52]  Elaine Shi,et al.  Oblivious RAM with O((logN)3) Worst-Case Cost , 2011, ASIACRYPT.

[53]  Ralph C. Merkle,et al.  Secrecy, authentication, and public key systems , 1979 .

[54]  Rajeev Raman,et al.  Sorting in linear time? , 1995, STOC '95.

[55]  Elaine Shi,et al.  Burst ORAM: Minimizing ORAM Response Times for Bursty Access Patterns , 2014, USENIX Security Symposium.

[56]  Michael A. Bender,et al.  An Optimal Cache-Oblivious Priority Queue and Its Application to Graph Algorithms , 2007, SIAM J. Comput..

[57]  Robert W. Floyd,et al.  Permuting Information in Idealized Two-Level Storage , 1972, Complexity of Computer Computations.

[58]  Michael T. Goodrich,et al.  Data-Oblivious Graph Algorithms in Outsourced External Memory , 2014, COCOA.

[59]  Elaine Shi,et al.  Constants Count: Practical Improvements to Oblivious RAM , 2015, USENIX Security Symposium.

[60]  Ivan Damgård,et al.  A Design Principle for Hash Functions , 1989, CRYPTO.

[61]  Peter Williams,et al.  PrivateFS: a parallel oblivious file system , 2012, CCS.

[62]  Kartik Nayak,et al.  ObliVM: A Programming Framework for Secure Computation , 2015, 2015 IEEE Symposium on Security and Privacy.

[63]  David P. Woodruff,et al.  An optimal algorithm for the distinct elements problem , 2010, PODS '10.

[64]  Rafail Ostrovsky,et al.  On the (in)security of hash-based oblivious RAM and a new balancing scheme , 2012, SODA.

[65]  Marina Blanton,et al.  Data-oblivious graph algorithms for secure computation and outsourcing , 2013, ASIA CCS '13.

[66]  Srinivas Devadas,et al.  Intel SGX Explained , 2016, IACR Cryptol. ePrint Arch..

[67]  Elaine Shi,et al.  Cache-Oblivious and Data-Oblivious Sorting and Applications , 2018, SODA.

[68]  Torsten Suel,et al.  On probabilistic networks for selection, merging, and sorting , 1995, SPAA '95.

[69]  Michael T. Goodrich,et al.  Data-oblivious external-memory algorithms for the compaction, selection, and sorting of outsourced data , 2011, SPAA '11.

[70]  Srinivas Devadas,et al.  Suppressing the Oblivious RAM timing channel while making information leakage and program efficiency trade-offs , 2014, 2014 IEEE 20th International Symposium on High Performance Computer Architecture (HPCA).