Foundations of Differentially Oblivious Algorithms

It is well-known that a program's memory access pattern can leak information about its input. To thwart such leakage, most existing works adopt the technique of oblivious RAM (ORAM) simulation. Such an obliviousness notion has stimulated much debate. Although ORAM techniques have significantly improved over the past few years, the concrete overheads are arguably still undesirable for real-world systems --- part of this overhead is in fact inherent due to a well-known logarithmic ORAM lower bound by Goldreich and Ostrovsky. To make matters worse, when the program's runtime or output length depend on secret inputs, it may be necessary to perform worst-case padding to achieve full obliviousness and thus incur possibly super-linear overheads. Inspired by the elegant notion of differential privacy, we initiate the study of a new notion of access pattern privacy, which we call "(ϵ, δ)-differential obliviousness". We separate the notion of (ϵ, δ)-differential obliviousness from classical obliviousness by considering several fundamental algorithmic abstractions including sorting small-length keys, merging two sorted lists, and range query data structures (akin to binary search trees). We show that by adopting differential obliviousness with reasonable choices of ϵ and δ, not only can one circumvent several impossibilities pertaining to full obliviousness, one can also, in several cases, obtain meaningful privacy with little overhead relative to the non-private baselines (i.e., having privacy "almost for free"). On the other hand, we show that for very demanding choices of ϵ and δ, the same lower bounds for oblivious algorithms would be preserved for (ϵ, δ)-differential obliviousness.

[1]  Timothy J. Purcell Sorting and searching , 2005, SIGGRAPH Courses.

[2]  Prateek Mittal,et al.  Root ORAM: A Tunable Differentially Private Oblivious RAM , 2016, ArXiv.

[3]  Kai-Min Chung,et al.  Oblivious Parallel RAM and Applications , 2016, TCC.

[4]  Adam O'Neill,et al.  Accessing Data while Preserving Privacy , 2017, ArXiv.

[5]  David Eppstein,et al.  Privacy-preserving data-oblivious geometric algorithms for geographic data , 2010, GIS '10.

[6]  Leslie G. Valiant,et al.  Shifting Graphs and Their Applications , 1976, J. ACM.

[7]  Michael T. Goodrich,et al.  Data-Oblivious Graph Drawing Model and Algorithms , 2012, ArXiv.

[8]  Moni Naor,et al.  Searchable symmetric encryption: optimal locality in linear space via two-dimensional balanced allocations , 2016, STOC.

[9]  Cynthia Dwork,et al.  Calibrating Noise to Sensitivity in Private Data Analysis , 2006, TCC.

[10]  Stratis Ioannidis,et al.  GraphSC: Parallel Secure Computation Made Easy , 2015, 2015 IEEE Symposium on Security and Privacy.

[11]  Elaine Shi,et al.  Circuit OPRAM: Unifying Statistically and Computationally Secure ORAMs and OPRAMs , 2017, TCC.

[12]  Elaine Shi,et al.  Privacy-Preserving Stream Aggregation with Fault Tolerance , 2012, Financial Cryptography.

[13]  A. Yao How to generate and exchange secrets , 1986, 27th Annual Symposium on Foundations of Computer Science (sfcs 1986).

[14]  Donald E. Knuth,et al.  The art of computer programming, volume 3: (2nd ed.) sorting and searching , 1998 .

[15]  Guy N. Rothblum,et al.  Boosting and Differential Privacy , 2010, 2010 IEEE 51st Annual Symposium on Foundations of Computer Science.

[16]  Salil P. Vadhan,et al.  The Complexity of Differential Privacy , 2017, Tutorials on the Foundations of Cryptography.

[17]  Ittai Anati,et al.  Innovative Technology for CPU Based Attestation and Sealing , 2013 .

[18]  Michael T. Goodrich,et al.  Privacy-Preserving Access of Outsourced Data via Oblivious RAM Simulation , 2010, ICALP.

[19]  Carlos V. Rozas,et al.  Innovative instructions and software model for isolated execution , 2013, HASP '13.

[20]  Oded Goldreich,et al.  Towards a theory of software protection and simulation by oblivious RAMs , 1987, STOC.

[21]  David Cash,et al.  The Locality of Searchable Symmetric Encryption , 2014, IACR Cryptol. ePrint Arch..

[22]  Rafail Ostrovsky,et al.  Software protection and simulation on oblivious RAMs , 1996, JACM.

[23]  Elaine Shi,et al.  Path ORAM: an extremely simple oblivious RAM protocol , 2012, CCS.

[24]  John C. Mitchell,et al.  Data-Oblivious Data Structures , 2014, STACS.

[25]  Mikkel Thorup Randomized sorting in O(n log log n) time and linear space using addition, shift, and bit-wise boolean operations , 1997, SODA '97.

[26]  David G. Kirkpatrick,et al.  Upper Bounds for Sorting Integers on Random Access Machines , 1984, Theor. Comput. Sci..

[27]  E. Szemerédi,et al.  O(n LOG n) SORTING NETWORK. , 1983 .

[28]  Marcel Keller,et al.  Efficient, Oblivious Data Structures for MPC , 2014, IACR Cryptol. ePrint Arch..

[29]  Michael T. Goodrich,et al.  Zig-zag sort: a simple deterministic data-oblivious sorting algorithm running in O(n log n) time , 2014, STOC.

[30]  Elaine Shi,et al.  Private and Continual Release of Statistics , 2010, TSEC.

[31]  Yijie Han,et al.  Deterministic sorting in O(nloglogn) time and linear space , 2004, J. Algorithms.

[32]  Moni Naor,et al.  Is There an Oblivious RAM Lower Bound? , 2016, ITCS.

[33]  M. Thorup,et al.  Integer Sorting in Expected Time and Linear Space , 2002 .

[34]  Kartik Nayak,et al.  Oblivious Data Structures , 2014, IACR Cryptol. ePrint Arch..

[35]  Moni Naor,et al.  Differential privacy under continual observation , 2010, STOC '10.

[36]  Adam O'Neill,et al.  Generic Attacks on Secure Outsourced Databases , 2016, CCS.

[37]  Michael T. Goodrich,et al.  Cache-Oblivious Dictionaries and Multimaps with Negligible Failure Probability , 2012, MedAlg.

[38]  Kartik Nayak,et al.  Oblivious Computation with Data Locality , 2017, IACR Cryptol. ePrint Arch..

[39]  Elaine Shi,et al.  Circuit ORAM: On Tightness of the Goldreich-Ostrovsky Lower Bound , 2015, IACR Cryptol. ePrint Arch..

[40]  Kobbi Nissim,et al.  Differentially Private Release and Learning of Threshold Functions , 2015, 2015 IEEE 56th Annual Symposium on Foundations of Computer Science.

[41]  Elaine Shi,et al.  Can We Overcome the n log n Barrier for Oblivious Sorting? , 2019, IACR Cryptol. ePrint Arch..

[42]  Vinod Vaikuntanathan,et al.  Attribute-based encryption for circuits , 2013, STOC '13.

[43]  Rajeev Raman,et al.  Sorting in linear time? , 1995, STOC '95.

[44]  Sahar Mazloom,et al.  Differentially Private Access Patterns in Secure Computation , 2017, IACR Cryptol. ePrint Arch..

[45]  Silvio Micali,et al.  How to play ANY mental game , 1987, STOC.

[46]  Elaine Shi,et al.  Oblivious RAM with O((logN)3) Worst-Case Cost , 2011, ASIACRYPT.

[47]  Brent Waters,et al.  Fuzzy Identity-Based Encryption , 2005, EUROCRYPT.

[48]  Kartik Nayak,et al.  ObliVM: A Programming Framework for Secure Computation , 2015, 2015 IEEE Symposium on Security and Privacy.