Is There an Oblivious RAM Lower Bound?

An Oblivious RAM (ORAM), introduced by Goldreich and Ostrovsky (JACM 1996), is a (probabilistic) RAM that hides its access pattern, i.e. for every input the observed locations accessed are similarly distributed. Great progress has been made in recent years in minimizing the overhead of ORAM constructions, with the goal of obtaining the smallest overhead possible. We revisit the lower bound on the overhead required to obliviously simulate programs, due to Goldreich and Ostrovsky. While the lower bound is fairly general, including the offline case, when the simulator is given the reads and writes ahead of time, it does assume that the simulator behaves in a "balls and bins" fashion. That is, the simulator must act by shuffling data items around, and is not allowed to have sophisticated encoding of the data. We prove that for the offline case, showing a lower bound without the above restriction is related to the size of the circuits for sorting. Our proof is constructive, and uses a bit-slicing approach which manipulates the bit representations of data in the simulation. This implies that without obtaining yet unknown superlinear lower bounds on the size of such circuits, we cannot hope to get lower bounds on offline (unrestricted) ORAMs.

[1]  Michael T. Goodrich,et al.  Oblivious RAM simulation with efficient worst-case access overhead , 2011, CCSW '11.

[2]  Rajeev Raman,et al.  Sorting in linear time? , 1995, STOC '95.

[3]  Srinivas Devadas,et al.  A secure processor architecture for encrypted computation on untrusted programs , 2012, STC '12.

[4]  Alok Aggarwal,et al.  Hierarchical memory with block transfer , 1987, 28th Annual Symposium on Foundations of Computer Science (sfcs 1987).

[5]  Elaine Shi,et al.  Ring ORAM: Closing the Gap Between Small and Large Client Storage Oblivious RAM , 2014, IACR Cryptol. ePrint Arch..

[6]  Elaine Shi,et al.  Verifiable Oblivious Storage , 2014, Public Key Cryptography.

[7]  Abhi Shelat,et al.  SCORAM: Oblivious RAM for Secure Computation , 2014, IACR Cryptol. ePrint Arch..

[8]  Stefano Tessaro,et al.  Oblivious Parallel RAM: Improved Efficiency and Generic Constructions , 2016, TCC.

[9]  Elaine Shi,et al.  Path ORAM: an extremely simple oblivious RAM protocol , 2012, CCS.

[10]  Craig Gentry,et al.  Outsourcing Private RAM Computation , 2014, 2014 IEEE 55th Annual Symposium on Foundations of Computer Science.

[11]  Craig Gentry,et al.  Optimizing ORAM and Using It Efficiently for Secure Computation , 2013, Privacy Enhancing Technologies.

[12]  Donald E. Knuth The Art of Computer Programming 2 / Seminumerical Algorithms , 1971 .

[13]  David Thomas,et al.  The Art in Computer Programming , 2001 .

[14]  Muriel Medard,et al.  Network coding : fundamentals and applications , 2012 .

[15]  Matteo Frigo,et al.  Cache-oblivious algorithms , 1999, 40th Annual Symposium on Foundations of Computer Science (Cat. No.99CB37039).

[16]  HanYijie Deterministic sorting in O(nlog logn) time and linear space , 2004 .

[17]  Elaine Shi,et al.  Onion ORAM: A Constant Bandwidth Blowup Oblivious RAM , 2016, TCC.

[18]  Rafail Ostrovsky,et al.  Software protection and simulation on oblivious RAMs , 1996, JACM.

[19]  Jonathan Katz,et al.  Secure two-party computation in sublinear (amortized) time , 2012, CCS.

[20]  Richard M. Karp,et al.  A Survey of Parallel Algorithms for Shared-Memory Machines , 1988 .

[21]  Ling Ren Unied RAW Path Oblivious RAM , 2014 .

[22]  Eli Biham,et al.  A Fast New DES Implementation in Software , 1997, FSE.

[23]  Ivan Damgård,et al.  Perfectly Secure Oblivious RAM Without Random Oracles , 2011, IACR Cryptol. ePrint Arch..

[24]  Rafail Ostrovsky,et al.  Distributed Oblivious RAM for Secure Two-Party Computation , 2013, TCC.

[25]  Rafail Ostrovsky,et al.  Private information storage (extended abstract) , 1997, STOC '97.

[26]  Elaine Shi,et al.  Circuit ORAM: On Tightness of the Goldreich-Ostrovsky Lower Bound , 2015, IACR Cryptol. ePrint Arch..

[27]  Elaine Shi,et al.  Oblivious Network RAM and Leveraging Parallelism to Achieve Obliviousness , 2015, ASIACRYPT.

[28]  János Komlós,et al.  An 0(n log n) sorting network , 1983, STOC.

[29]  Michael T. Goodrich,et al.  Zig-zag sort: a simple deterministic data-oblivious sorting algorithm running in O(n log n) time , 2014, STOC.

[30]  Donald Ervin Knuth,et al.  The Art of Computer Programming, Volume II: Seminumerical Algorithms , 1970 .

[31]  Elaine Shi,et al.  ObliviStore: High Performance Oblivious Cloud Storage , 2013, 2013 IEEE Symposium on Security and Privacy.

[32]  Yijie Han,et al.  Deterministic sorting in O(nloglogn) time and linear space , 2004, J. Algorithms.

[33]  Elaine Shi,et al.  Oblivious Network RAM , 2015, IACR Cryptol. ePrint Arch..

[34]  Paul Beame,et al.  Making Branching Programs Oblivious Requires Superlogarithmic Overhead , 2011, 2011 IEEE 26th Annual Conference on Computational Complexity.

[35]  Oded Goldreich,et al.  Towards a theory of software protection and simulation by oblivious RAMs , 1987, STOC.

[36]  David Cash,et al.  Dynamic Proofs of Retrievability Via Oblivious RAM , 2013, Journal of Cryptology.

[37]  Rafail Ostrovsky,et al.  On the (in)security of hash-based oblivious RAM and a new balancing scheme , 2012, SODA.

[38]  E. Szemerédi,et al.  O(n LOG n) SORTING NETWORK. , 1983 .

[39]  Kai-Min Chung,et al.  A Simple ORAM , 2013, IACR Cryptol. ePrint Arch..

[40]  Michael J. Fischer,et al.  Relations Among Complexity Measures , 1979, JACM.

[41]  Michael T. Goodrich,et al.  Privacy-Preserving Access of Outsourced Data via Oblivious RAM Simulation , 2010, ICALP.

[42]  Miklós Ajtai,et al.  Oblivious RAMs without cryptogrpahic assumptions , 2010, STOC '10.

[43]  Moni Naor,et al.  Optimal File Sharing in Distributed Networks , 1995, SIAM J. Comput..

[44]  Kai-Min Chung,et al.  Large-Scale Secure Computation: Multi-party Computation for (Parallel) RAM Programs , 2015, CRYPTO.

[45]  W. Hoeffding Probability Inequalities for sums of Bounded Random Variables , 1963 .

[46]  Kai-Min Chung,et al.  Statistically-secure ORAM with Õ(log2 n) Overhead , 2014, ASIACRYPT.

[47]  Kai-Min Chung,et al.  Oblivious Parallel RAM , 2014, IACR Cryptol. ePrint Arch..