SimpleandEfficientTwo-ServerORAM

DovGordon(GeorgeMasonU.)JonathanKatz(U.ofMaryland)XiaoWang(MIT&BostonU.)

WhatisORAM

• Outsourcedmemorystorage,allowingoblivious memoryaccess(readandwrite).– Any2sequencesofoperationsareindistinguishablefromtheserver(s)perspectives.

• Parametersofinterest(permemoryaccess):– communicationcomplexity– roundsofinteraction– storagerequirements(serverandclient)– computationalrequirements.

Results

• Parametersofinterest(permemoryaccess):– communicationcomplexity O(BlogN)– roundsofinteraction– storagerequirements– computationalrequirements.

O(BlogN)total,worst-casecommunication.• Smallconstant:10-20,dependingonparameters.

Compareto160in[LO].• [A+]achieveO(logN/loglogN)whenB=𝛀(𝝀log2N)

[LO]Lu-Ostrovsky.DistributedobliviousRAMforsecuretwo-partycomputation.[A+]Abrahametal.AsymptoticallytightboundsforcomposingORAMwithPIR.

Results

• Parametersofinterest(permemoryaccess):– communicationcomplexity O(BlogN)– roundsofinteraction 2rounds– storagerequirements– computationalrequirements.

2rounds!• Canreduceto1ifwemoderatelyincreasetheclientstorage.• Bigopenquestioninsingleserversetting,whilemaintaining

O(BlogN)worst-casecommunication.

Results

• Parametersofinterest(permemoryaccess):– communicationcomplexity O(BlogN)– roundsofinteraction 2rounds– storagerequirements 4N– computationalrequirements.

Serversstore4Nencryptedblocks.[LO]estimateserverstorageofO(Nlog9 N)blocks.• MostsingleserverORAMsrequiretheservertostore

O(Nlog2 N)blocks.

[LO]Lu-Ostrovsky.DistributedobliviousRAMforsecuretwo-partycomputation.

Results

• Parametersofinterest(permemoryaccess):– communicationcomplexity O(BlogN)– roundsofinteraction 2rounds– storagerequirements 4N– computationalrequirements. O(N)

OurservershavetodoO(N)symmetrickeyoperationsforeachquery,whichisadrawbacktoourconstruction.• Computationtimeisnotlikelytobethebottleneckon

reasonabledatasizes.• [DS]DemonstratethisempiricallyinanotherO(N)protocol.

[DS]Doerner andShelat.ScalingORAMforsecurecomputation,2017.

Private InformationRetreival

1. ClientwantstoreaddatablockBi indataarrayB1,…,BN(q0,q1)ß PIR.C (1κ,B,|D|,i)

q0 q1

DuplicateB1,…,BN

DuplicateB1,…,BN

Private InformationRetreival

1. ClientwantstoreaddatablockBi indataarrayB1,…,BN(q0,q1)ß PIR.C (1κ,B,|D|,i)

2. Serversreplywithr0 andr1,suchthatr0 ⊕ r1 =Bi(rb)ß PIR.S(B1,…,BN,qb)

r0 r1

DuplicateB1,…,BN

DuplicateB1,…,BN

Private InformationRetreival

1. ClientwantstoreaddatablockBi indataarrayB1,…,BN(q0,q1)ß PIR.C (1κ,B,|D|,i)

2. Serversreplywithr0 andr1,suchthatr0 ⊕ r1 =Bi(rb)ß PIR.S(B1,…,BN,qb)

r0 r1

DuplicateB1,…,BN

DuplicateB1,…,BN

λ0[1]=0 λ0[2]=1λ0[3]=1 λ0[4]=0

λ1[1]=0 λ1[2]=1λ1[3]=0 λ1[4]=0

Private InformationRetreival

1. ClientwantstoreaddatablockBi indataarrayB1,…,BN(q0,q1)ß PIR.C (1κ,B,|D|,i)

2. Serversreplywithr0 andr1,suchthatr0 ⊕ r1 =Bi(rb)ß PIR.S(B1,…,BN,qb)

Securityrequirement:Serverslearnnothingabouti.StructuralAssumption([BGI]):rb =⨁jλb[j]⋅Bj,where

λ0[j]⨁ λ1[j]=1⬌j=i

[BGI]Boyle,Gilboa,Ishai.Functionsecretsharing:Improvementsandextensions

r0 r1

DuplicateB1,…,BN

DuplicateB1,…,BN

Private PathRetreival

1. Clientwantstoreaddatapath toleafnodei indata treeT.(q0,q1)ß PIR.C (1κ,B,|T|,i)

2. Serversreplywithr0[1]...r0[L]andr1[1]… r1[L],onerandomvalueforeachlayer,suchthat r0[j]⊕ r1[j]=Tj⬌j liesonthepathtoleafi.(rb[1]… rb[L])ß PPR.S(T,qb)

Securityrequirement:Serverslearnnothingabouti.

r0 r1

DuplicateB1,…,BN

DuplicateB1,…,BN

Private PathRetreival

Eachlayerofthetreecanbetreatedasitsown,independentinstanceofaPIRscheme.

ToquerythepathtoleafnodeBi,theclientmakesLindependentPIRqueries,oneforeachlayerofthetree.

Thecostof[BGI]forasinglequery: (2|B|)+O(κ logn)Thecostis(logn)(PIR), (2|B|logn)+O(κ log2 n)Wewillshowhowtoachieve (2|B|logn)+O(κ logn)

[BGI]Boyle,Gilboa,Ishai.Functionsecretsharing:Improvementsandextensions

(NaïveSolution)

Private PathRetreival

ToquerythepathtoleafnodeBi,theclientmakesasingle PIRqueryforindexi,overleafnodesB1…Bn.

Private PathRetreival

λ0[1]=0 λ0[2]=1λ0[3]=1 λ0[4]=0

ToquerythepathtoleafnodeBi,theclientmakesasingle PIRqueryforindexi,overleafnodesB1…Bn.InPIRscheme,serverresponsesare:rb =⨁jλb[j]⋅Bj

λ1[1]=0 λ1[2]=1λ1[3]=0 λ1[4]=0

Private PathRetreival

λ0[00]=0λ0[01]=1λ0[10]=1λ0[11]=0

ToquerythepathtoleafnodeBi,theclientmakesasingle PIRqueryforindexi,overleafnodesB1…Bn.InthePPRscheme,serversendsrb[j]forlayerj,where

rb[j]=⨁k λb[k]⋅T[k],∀k:|k|=j.

λ1[00]=0λ1[01]=1λ1[10]=0λ1[11]=0

λ0[0]=1

⨁ ⨁

⨁λ0[1]=1

λ0[root]=0

λ0[0]=1

⨁ ⨁

⨁λ0[1]=0

λ0[root]=1

ORAM

ObliviousRAM

• DataisstoredinatreeofdepthL=logN.• Eachnodeinthetreecontainsa“bucket”ofsizeZ.• Rootnodeisspecial:stashstoredatclient.• RecordsareoftheformEnc(flag,i,Fk(i),Bi)– Flagindicatesrealordummy.– Fk(⋅)isaPRFheldbytheclient.

(structure)

ObliviousRAM

• DataisstoredinatreeofdepthL=logN.• Eachnodeinthetreecontainsa“bucket”ofsizeZ.• Rootnodeisspecial:stashstoredatclient.• RecordsareoftheformEnc(flag,i,Fk(i),Bi)– Flagindicatesrealordummy.– Fk(⋅)isaPRFheldbytheclient.

(structure)

Invariants:1. Bi isalwaysalongthepathtoleafnodeFk(i).2. Themostup-to-datecopyofBi isclosesttotheroot.

ObliviousRAM

ToreadBi:• PPR.C(Fk(i)),andreturnthereal recordclosesttotheroot.– WedoNOT assignBi anewleafnode!

TowriteBi:• Removerecordsofform(1,i,Fk(i),*)fromstash.• Writerecord(1,i,Fk(i),Bi)tostash.

(read/write)

Invariants:1. Bi isalwaysalongthepathtoleafnodeFk(i).2. Themostup-to-datecopyofBi isclosesttotheroot.

ObliviousRAM

WedoNOT assignBi anewleafnode!InmostpriorORAMconstructions,thepathtoBi isrequestedintheclear:

– Toensuresecurity,everytimeBi isaccessed,itmustlieonanew,randompath.

– Requiresadynamicmappingbetweenrecordsandtheirleafnodes.Typicallystoredrecursively,requiringlogNoverhead.

– Incontrast,wecanuseastatic,pseudo-randommapping.

(staticleafassignments)

Invariants:1. Bi isalwaysalongthepathtoleafnodeFk(i).2. Themostup-to-datecopyofBi isclosesttotheroot.

ObliviousRAM

Asinpriorwork,ourrootnode(stash)fillsup.EveryAoperations,wechooseapath,andpushitemsdownthepathasfarastheycango.– Pathischosendeterministically,asin[G+],usingreverselexicographicordering.

– Bothinvariantsaremaintained:• Weremoveduplicaterealrecordswhennottheclosesttoroot.• Wepushremainingrecordsdown,subjecttothefirstinvariant.

Invariants:1. Bi isalwaysalongthepathtoleafnodeFk(i).2. Themostup-to-datecopyofBi isclosesttotheroot.

(eviction)

[G+]Gentryetal.OptimizingORAMandusingitefficientlyforsecurecomputation.

ObliviousRAM– Pathischosendeterministically,asin[G+],usingreverselex.ordering.– Easyanalysis:eachnodeatleveljisonanevictionpathexactlyevery

2j evictions.Expectedloadoneachnodeis½.

[G+]Gentryetal.OptimizingORAMandusingitefficientlyforsecurecomputation.

1 5 73 2 6 84

(eviction)

Security /Stash

• ThesecurityfollowsimmediatelyfromthesecurityofthePPRscheme.

• Wecanboundthestashsizeasdonein[R+].Communicationisminimizedwhen3Z/Aisminimized.

[R+]Ren etal.ConstantsCount:PracticalImprovementstoObliviousRAM,2014.

FurtherFeatures

• Publicread/writeischeaperthanobliviousoperations.Simplyrequestthewholepathintheclear.

• Initializationisforfree:wecanshareFk()withtheservers,aslongastheaccessesdon’tdependonFk.

• Onlywriteoperationsfilltherootnode,soevictioncanbelessfrequentifyoucanrevealreadvs.write.

THANKS!