Circuit ORAM: On Tightness of the Goldreich-Ostrovsky Lower Bound

We propose a new tree-based ORAM scheme called Circuit ORAM. Circuit ORAM makes both theoretical and practical contributions. First, from a theoretical perspective, Circuit ORAM shows that the well-known Goldreich-Ostrovsky logarithmic ORAM lower bound is tight under certain parameter ranges, for several performance metrics. We are therefore the first to give an answer to a theoretical challenge that remained open for the past twenty-seven years. Second, Circuit ORAM earns its name because it achieves (almost) optimal circuit size, both in theory and in practice, for realistic choices of block sizes. We demonstrate compelling practical performance and show that Circuit ORAM is an ideal candidate for secure multi-party computation applications.
