Keywords

1 Introduction

Oblivious RAM (ORAM) [22] allows random accesses to physical memory locations without revealing the logical read/write access patterns. The original motivation considers a software accessing the local memory, where the latter is modeled as a machine that can only perform read and write operations but no computation (known as the “balls and bins” model). Later, ORAM was also considered in a network setting, where a client wishes to obliviously access its data outsourced to a remote server, where computation might be allowed. Besides direct applications in local and remote storage, ORAM techniques have been shown useful for many other cryptographic goals.

In a realistic setting, a database can be accessed by hundreds of mutually untrusted clients. The security of ORAM or even its parallel variant (OPRAM) [3, 13] becomes insufficient as all clients (processors in the same machine in OPRAM) share the same secret key. To remedy this, Maffei et al.  [29] considered multi-client ORAM (MCORAM), which aims to capture the following natural scenario: A database owner encodes an array of data M and outsources the encoded database to a server. Clients can dynamically join the system and request access rights to individual entries of M. After the permission is granted, a client can obliviously perform random access to the permitted entries of M, without communicating with the database owner or other clients.

For privacy, MCORAM expects two strengthened requirements against an adversary who can corrupt an arbitrary subset of clients and the server:

  • Read and write accesses are anonymous.

  • Read and write accesses are indistinguishable, except when the adversary has read access to the address being written.

Integrity is another interesting security feature needed in a multi-client scenario – legitimately written entries should be retrievable by any permitted clients and cannot be overwritten by malicious clients, assuming an honest server.

After three decades of development, the complexities of ORAM schemes are well-understood. Unfortunately, many techniques for constructing ORAM break down completely when the client can be corrupt. This forces us to pursue new techniques in building MCORAM, regardless of the many ORAM constructions.

The only (fully-oblivious) MCORAM by Maffei et al.  [30] requires O(n) server computation and \(O(\sqrt{n})\) communication and client computation. They also show \(\varOmega (n)\) server computation is necessary (in the balls-and-bins model), in contrast to \(\mathsf {polylog}(n)\) computation of ORAM. For communication, no non-trivial lower bound for MCORAM is known, while the upper bounds for ORAM and MCORAM are \(\mathsf {polylog}(n)\) and \(O(\sqrt{n})\), respectively. The inherent complexities of MCORAM are still poorly understood. We are thus motivated to ask:

Is multi-client ORAM with \(\mathsf {polylog}(n)\) communication possible?

Table 1. Comparison of MCORAM schemes for storing n messages in the following criteria: security against malicious clients (MC), support of multiple data owners (MD), security against t out of N corrupt servers, server computation, client computation, and communication of the access protocol (factors of are omitted.)
Full size table

Our Results. We answer the above question affirmatively. Our main contribution is a single-server MCORAM construction with \(O(\log n)\) communication and client computation, and O(n) server computation (omitting factors of ). This scheme relies on a new usage of key-indistinguishable FHE, in which ciphertexts encrypted under an unknown key are evaluated under non-matching keys. When instantiated with a rate-1 FHE [8, 19], the communication complexity is optimal (\(\log n\)) up to an additive fixed polynomial factor. In other words:

Theorem 1

(Informal). Assuming FHE, there exists a multi-client ORAM scheme with poly-logarithmic communication complexity.

We also consider the setting with multiple (non-colluding) servers, in which we propose an \(N^2\)-server MCORAM scheme resilient against the corruption of t servers, with communication and client computation. The scheme assumes the existence of a (tN) distributed point function (DPF) [21], where N is the number of parties and t is the corruption threshold. We then show new constructions of DPFs for parameters \((t,N) \in \{(2,3),(3,4)\}\), respectively, assuming homomorphic secret sharing (HSS) and constant-depth pseudorandom generators (PRGs), which are not known to imply FHE. Together with the existing (1, 2)-DPF [21], we show the following theorem.

Theorem 2

(Informal). Assuming HSS and PRG in NC0, there exist multi-client \(\{4,9,16\}\)-servers ORAM schemes with poly-logarithmic communication complexity, resilient against the corruption of \(\{1,2,3\}\) servers respectively.

As summarized in Table 1, we made clear contributions in communication and client computation complexities. One may further ask for an even better construction as (i) the computation of the servers is linear in the database size and (ii) the client storage is proportional to the number of entries with access granted. While the former is inherent to some extent (as shown in [30]) and the latter appears to be natural for fine-grained access control allowing \(O(2^n)\) possible policies for each user, we show how to reduce the client storage by constrained PRFs [2]. For simple access structures (such as prefix predicates), known constrained PRFs (e.g., [24]) do not add any extra assumption.

2 Technical Overview

2.1 MCORAM with Poly-log Communication: Initial Attempts

A first attempt to construct MCORAM with poly-logarithmic communication is to extend an ORAM with the same complexity. Simply sharing the same ORAM secret key among all clients (e.g., [25]) fails. The secret state kept by each client is the root issue. For obliviousness against the server and fellow clients, they must be kept confidential from others. To ensure consistency of the operations across all clients, they must be correlated. These contradicting requirements seem to forbid the adoption of many ORAM techniques. Another idea is to secret-share the ORAM secret key to all clients, and emulate the ORAM accesses using secure multi-party computation. This requires interactions between many clients for each access and is clearly undesirable when the number of clients is large.

We note that a database can be privately accessed without a persistent secret client state in (single-server) private-information retrieval (PIR) [14], in which a stateless client can read an entry while hiding its address. For the discussion below, it is useful to recall the standard FHE-based PIR scheme, which achieves poly-logarithmic communication. Recall that FHE allows homomorphic evaluations of any circuits over ciphertexts. To read the entry \(M[a ]\) of a database M at address \(a \), the client samples a fresh FHE key pair and sends to the server. The server homomorphically evaluates the following circuit \(\mathsf {Read}_{M}\) parameterized by M over :

.

This results in a ciphertext encrypting \(M[a ]\) to be sent to the client.

We can extend a PIR scheme to the multi-client setting and yield a read-only MCORAM. More concretely, the data owner encrypts each database entry with a different key. Granting read access means delegating the decryption key of the corresponding address. To read, recall that PIR clients are stateless, the client first performs PIR, and then decrypts the retrieved encrypted entry locally.

Challenge: Write Access. Towards supporting write access, a rough idea is as follows. First, each database entry \(M[a ]\) is encrypted under FHE, so the server cannot just see which entries have changed after a write access. Next, when writing data \(m ^*\) to address \(a ^*\), the client encrypts its update instruction  \((a ^*, m ^*)\) using FHE, so that the server could “somehow” update the database entries homomorphically by evaluating a \(\mathsf {Write}\) function over the ciphertexts of \((a ^*\), \(m ^*)\) and (each entry of) M. This raises the question of – Under which key should (1) each entry \(M[a ]\), and (2) the update instruction \((a ^*, m ^*)\) be encrypted?

Using the same key across all \(M[a ]\) fails as we discussed – all clients need to hold the same decryption key to access their data. Now we need to encrypt each \(M[a ]\) under a key independently generated for each \(a \). With O(n) communication and client computation, the client can just create n FHE-ciphertexts, each using a different key, and sends them to the server. With the poly-logarithmic constraint, we face a dilemma: Either the client informs the server about so that the latter knows which ciphertext it should update, which violates obliviousness; or the server would need to somehow evaluate \(\mathsf {Write}\) over \(a ^*\), \(m ^*\), and \(M[a ]\), where the first two are encrypted under , and the last is under , for \(a \in [n]\), and then it is unclear if correctness would hold. Multi-key FHE does not seem to be useful in this context because its homomorphic evaluation results in a ciphertext under a new combined key, which creates a complicated key-management problem and suffers from the problem of high interaction similar to the secure multi-party computation solution.

2.2 FHE-Based Construction

Our insight into resolving the dilemma is that some meaningful operations can actually be done over FHE ciphertexts encrypted under different keys. Specifically, we introduce a cross-key trial evaluation technique that interprets a ciphertext as one encrypted under a possibly mismatching key.Footnote 1 Below, we illustrate our technique with a simplified setting that is sufficient to capture the essence.

Cross-Key Trial Evaluation. Recall that the server database stores for \(a \in [n]\). To write, a client sends the encrypted instruction to the server, which evaluates for each the following simplified writing circuit, parameterized by , over and from the client, and from the server storage, by treating as if all of them were created under :

\(\mathsf {SimpleWrite}_{a}(\mathsf {addr}, \mathsf {data}', \mathsf {data})\): If \(\mathsf {addr} = a \), return \(\mathsf {data}' \); else return \(\mathsf {data} \).

For each \(a \in [n]\), the server overwrites the \(a \)-th ciphertext it stored with the ciphertext output by evaluating \(\mathsf {SimpleWrite}_a \). Let us examine what happens depending on whether \(a \) matches \(a ^*\) from the update instruction. If \(a = a ^*\), all three ciphertexts are encrypted under the same key; the server would get a ciphertext of , i.e., \(M[a ^*]\) is correctly overwritten with \(m ^*\).

If \(a \ne a ^*\), it seems paradoxical that this evaluation gives us anything meaningful since there is no correctness guarantee when homomorphic evaluations are performed under a wrong public key . However, as a matter of fact, the homomorphic evaluation still proceeds as if everything is encrypted under . Namely, it interprets its input, particularly the first ciphertext , as if it is encrypted under . With this treatment, it is very unlikely that is also a ciphertext of \(a \) under . More precisely, should be “independent” of \(a \) (we will revisit this shortly), and therefore the check \(\mathsf {addr} = a \) would most likely fail. Then, by the correctness of FHE, the evaluation would result in a new ciphertext encrypting \(\mathsf {data} = M[a ]\) under , i.e., entries \(M[a ]\) with \(a \ne a ^*\) remain unchanged.

The critical insight here is that the random outcomes of operating on a “wrong” ciphertext, with overwhelming probability, “match” with the desired behavior we expect as if cross-key evaluation is possible. Note that after each write operation, the entries are left in a consistent state, i.e., each entry \(M[a ]\) is still encrypted under , and the database size stays the same. For this to be true, our FHE scheme must satisfy a strong variant of correctness, where the evaluation algorithm must be well-defined and correct over the entire ciphertext space (and not necessarily in the support of a particular public key). In Sect. 4.2, we show how to generically transform any FHE scheme to satisfy this notion, provided that it meets some weak structural requirements.

Finally, the FHE scheme here needs to be key-private, i.e., ciphertexts under different keys are indistinguishable. Fortunately, essentially all known FHE schemes are key-private, as their ciphertexts are typically indistinguishable from uniformly sampled elements from the ciphertext space.

Achieving Integrity and a Formal Reduction. The above approach can provide writing functionality, but not integrity as everyone can encrypt using the keys . Furthermore, we relied on the heuristic that with high probability, which is difficult to guarantee formally.

We propose a technique that resolves both issues simultaneously using any signature scheme \(\varSigma \). Clients with writing rights to  are granted an address-dependent signing key . Instead of encrypting , the client computes and , where \(\sigma ^*\) is a signature of under , and r is a random nonce chosen by the server for each access. Correspondingly, the server homomorphically evaluates for each \(a \) the circuit , parameterized by , over the ciphertexts of , , and , again as if they are all ciphertexts under :

: If \(\mathsf {sig} \) is a valid signature of \((r, \mathsf {data}')\) under , return \(\mathsf {data}' \); else return \(\mathsf {data} \).

With a similar argument as above, \(M[a ]\) would be overwritten by if and \(\sigma ^*\) is a valid signature, which can only be generated by clients having writing rights to . Unlike using , we can further argue about the converse without relying on heuristics. Concretely, if but is a valid signature of under , we can extract a signature forgery with respect to the verification key , violating the unforgeability of the signature scheme. Consequently, it holds that when , would not be overwritten except with negligible probability.

Applications. The above technique can be generalized to enable (key-dependent) conditional evaluations of FHE ciphertexts, with the condition depends on not only the messages encrypted within but also the keys used to generate the ciphertexts. This feature is useful in (outsourced) access-control applications such as an “oblivious whitelisting firewall” that only allows incoming ciphertexts encrypted under one of the whitelisted keys to pass through without the firewall keeping any secret key.

Reducing Secret Key Size. So far, we have assumed that the data owner generates address-dependent secret keys, and grants clients reading and writing rights by delegating the keys for the corresponding addresses. In the worst case, data owner and client keys are of size linear in the size of the database.

A common technique to reduce the data-owner key size is to generate those address-dependent secret keys by a pseudorandom function (PRF). Towards reducing the client key size, a constrained PRF (cPRF) can be used. Recall that cPRF can create a constrained key \(K_X\) that constrains the PRF key K within some subset X of the domain. Given \(K_X\), one can evaluate the PRF on all inputs \(x \in X\), while the PRF values of all \(x \notin X\) remain pseudorandom. That means the data owner can delegate to the clients cPRF keys that allow derivation of the address-dependent secret keys. If the cPRF keys are succinct, e.g., of size sublinear in the size of X, the client key size is also short. For example, the well-known PRF construction by Goldreich, Goldwasser, and Micali [24] is a cPRF for prefix constraints with logarithmic-size keys.

On Sublinear Server Computation. The focus of our work is to minimize the communication complexity of the protocol. We note that recent works [7, 11] have investigated the possibility of sublinear server computation (with preprocessing) in PIR (essentially a read-only MCORAM with no access control) in the single-client setting, and have proposed a solution based on new hardness assumptions on permuted Reed-Solomon codes. They also consider the public-key setting, which does not require any secret state to read the database, i.e., multiple clients are allowed to query the database obliviously. Unfortunately, the only proposed solutions build on a strong notion of virtual black-box obfuscation. We consider constructing an MCORAM with sublinear server computation (from standard assumption) as a fascinating open problem.

2.3 DPF-Based Multi-server Construction

The scheme described above resolves the open question of communication efficiency for MCORAM using FHE schemes, which are yet to become efficient in a practical sense, and are only known to be realizable from lattices. Towards finding more practical solutions, to broaden the spectrum of assumptions, and to get a larger variety of MCORAM schemes, we turn our attention to the multi-server setting, in which we leverage the non-collusion between different servers. We restrict to the three-message setting where the servers do not talk to each other. This motivates the non-collusion assumption and rules out trivial constructions.Footnote 2

In this direction, we rely on another tool known as distributed point functions (DPF), which were shown to be useful in constructing PIR and in complexity theory [21], as well as private queries on public data [32]. A DPF allows a client to split a given point function into keys \((k_1, \dots , k_N)\). Given \(k_i\), one can locally evaluate the shared function at some input point to obtain a value \(z_i\). Computing \(z_1 + \cdots + z_N\) reconstructs the function output at the evaluated point. If the point function is hidden even if t-out-of-N shares are leaked, we call it a . The main efficiency measure for a DPF is the size of the shares, which can be as small as \(\log n\), where n is the size of the truth table of the point function.

We are going to build DPFs for new values of (tN) not achieved before. In particular, the existing query system [32] was only instantiated by \(({1},{2})\text {-}\mathsf {DPF}\).

From DPF to Multi-server MCORAM. There is a folklore \(N^2\)-server ORAM construction (a.k.a. distributed ORAM [9]) assuming only a \(({t},{N})\text {-}\mathsf {DPF}\). Using a DPF with communication, the construction achieves communication. While its server computation complexity is O(n), it has been shown to outperform other optimized competitors in practice [16]. More importantly, we observe that we can adopt this DPF-based scheme to the multi-client setting in a relatively simple manner.

On a very high level, the construction arranges a set of \(N^2\) servers in a square matrix according to some (e.g., lexicographical) ordering. The database M is split into N shares such that \(\bar{M}_1 + \cdots + \bar{M}_N = M\), and all servers belonging to the i-th row are given the i-th share \(\bar{M}_i\). Clients can read the -th location by sharing a point function (which evaluates to a bit-string with the \(a \)-th bit being 1) to each server in some i-th row. The responses from a server allow the client to decode the i-th share of . Repeating this for all N rows, the client could recover all shares and hence . Writing can be done similarly, except that shares of the DPF are distributed row-wise to keep the share of the databases consistent (see Sect. 7 for more details).

New DPF Constructions. With the generic transformation, we can focus on constructing DPFs. The only known DPF with (poly)logarithmic-size shares from non-lattice assumptions is due to Boyle et al.  [4]. They show how to construct a \(({1},{2})\text {-}\mathsf {DPF}\) with logarithmic-size shares, assuming only the existence of PRGs, which is equivalent to the existence of one-way functions. This yields a (1, 4)-MCORAM resilient against a single server.

For improving resilience against a higher number of faulty servers, we investigate new constructions of DPFs with different parameters. In this work, we build a \(({2},{3})\text {-}\mathsf {DPF}\) and a \(({3},{4})\text {-}\mathsf {DPF}\) with poly-logarithmic communication. These new constructions give us a (2, 9)-MCORAM and a (3, 16)-MCORAM, respectively.

The design blueprint is as follows. We start with a crucial observation that the evaluation algorithm of the existing \(({1},{2})\text {-}\mathsf {DPF}\) [4] can be run in an NC1 circuit by instantiating the underlying PRG appropriately. Our key insight into increasing the number of parties is a virtualization technique for emulating the execution of the DPF evaluation algorithm of each party by 2 servers. To realize such bootstrapping, we leverage another tool called homomorphic-secret sharing [6]. By applying our techniques to one or two parties, we obtain a \(({2},{3})\text {-}\mathsf {DPF}\) and a \(({3},{4})\text {-}\mathsf {DPF}\), respectively. Both schemes rely on a PRG that can be computed in NC0 (e.g., Goldreich PRG [23]) and either the decisional Diffie-Hellman (DDH) or the decisional composite residuosity (DCR) assumption.

3 Related Work

ORAM has been extensively studied for more than three decades, but mostly in the single client setting, with drastically different research challenges compared to the multi-client setting. For example, S\(^3\)ORAM [27] is a single-client ORAM that splits the server-side computation across 3 servers via secure multiparty computation, which we aim to avoid. Recent works [3, 13] considered how to preserve obliviousness when a large number of clients access the database in parallel, without considering security against malicious clients or access control. These works require the clients to synchronize with each other and periodically interact with the data owner, which is not needed by our MCORAM constructions.

ORAM and similar cryptographic techniques such as private information retrieval (PIR) [14, 28] have been utilized in building oblivious file systems (e.g., TaoStore [31] and prior works cited by [30, 31]). These systems do not support access control, and their obliviousness does not hold against malicious clients. (Also see [30, Table 1].) Oblivious transfer (OT) can be considered as an ORAM without writing. Camenisch et al.  [10] proposed OT with access control. Seeing a valid zero-knowledge proof of the client credential, the “server” helps the client decrypt one (randomized) entry of the encrypted database previously sent to the client. Since the decryption key is needed, the data owner should remain online.

Also relying on zero-knowledge proofs, group ORAM [29] allows the client to access the database according to a predefined policy without any interaction with the data owner. Yet, the obliviousness does not hold against malicious clients.

Blass, Mayberry, and Noubir [1] proposed “multi-client ORAM” in a model different from ours, in which all the clients trust each other. Their focus is security against a server that is actively malicious and may rewind the state information shared by multiple clients (and stored by the server).

A recent work of Hamlin et al.  [26] considered a closely related problem called private anonymous data access (PANDA), yet with some crucial differences. PANDA can be considered as combining the best of PIR and ORAM. It focuses on achieving sublinear server computation, leveraging assumptions such as only t out of the N clients can be corrupt for some predefined threshold t, and the set of clients are fixed at setup. In contrast, MCORAM allows any subset of the clients to be corrupt, and clients can dynamically join the system. All PANDA schemes have both communication and computation complexities scale multiplicatively in t. One of their schemes (Secret-Writes PANDA) achieves the closest functionality aimed by MCORAM. However, writing is append-only, meaning that their server storage grows linearly in the total number of writes performed by all clients. Reads and writes are also distinguishable. While one could hide the access type by performing dummy reads and writes, the append-only nature makes the server storage grows linearly in the number of reads and writes. In short, MCORAM with communication provides a better alternative with no reliance on the client corruption threshold for security or communication efficiency.

4 Preliminaries

Let denote probabilistic polynomial time. The security parameter is denoted by . We say that a function is negligible if it vanishes faster than any inverse polynomial. We write the set as [N].

4.1 Constrained Pseudorandom Functions

A constrained PRF (cPRF) [2] is a PRF equipped with the additional algorithms \(\mathsf {Constrain} \) and \(\mathsf {cEval} \). Let be the domain of the PRF. For any subset \(X \subseteq \mathcal {X} \), \(\mathsf {Constrain} \) produces a constrained key \(K_X\) from the secret key K. Given \(K_X\), \(\mathsf {cEval} \) can evaluate the PRF over any input \(x \in X\), yet the PRF values for \(x' \notin X\) remain pseudorandom. We focus on polynomial-size domains, so the membership \(x \in X\) for any \(X \subseteq \mathcal {X} \) can be checked in polynomial time.

Definition 1

(Constrained Pseudorandom Functions). A constrained pseudorandom function family with domain \(\mathcal {X} \) and range \(\mathcal {Y} \) is defined as a tuple of algorithms such that:

On input the security parameter \(1^\lambda \), the key generation algorithm returns a secret key K.

On input the secret key K and a value \(x \in \mathcal {X} \), the deterministic evaluation algorithm returns a (pseudorandom) value \(y \in \mathcal {Y} \).

On input the secret key and a set \(X \subseteq \mathcal {X} \), the constrain algorithm returns a constrained secret key \(K_X\).

On input a constrained key \(K_X\) and a value \(x \in \mathcal {X} \), the deterministic constrained evaluation algorithm returns a value \(y \in \mathcal {Y} \) or \(\bot \).

We only require a cPRF to satisfy weak selective-input variants of correctness and pseudorandomness, where the adversary first commits to a set \(\mathsf {ChSet}\) before given access to the evaluation and constrain oracles. The adversary promises not to query the oracles over inputs which has any intersection with \(\mathsf {ChSet}\).

Fig. 1.
figure 1

Correctness and Pseudorandomness Experiments for Constrained PRFs

Full size image

Definition 2

A constrained PRF \(\mathsf {cPRF} \) with domain \(\mathcal {X} \) and range \(\mathcal {Y} \) is said to be selective-input correct if, for all algorithms , it holds that

where is defined in Fig. 1.

Definition 3

A constrained PRF \(\mathsf {cPRF} \) with domain \(\mathcal {X} \) and range \(\mathcal {Y} \) is said to be selective-input pseudorandom if, for all algorithms , it holds that

where is defined in Fig. 1.

4.2 Fully Homomorphic Encryption

Definition 4

(Fully Homomorphic Encryption). Let be a secret key space, be a plaintext space, and be a ciphertext space. For each , let \(\mathbb {C}_n\) be the set of all polynomial-size circuits from . A homomorphic encryption scheme is defined as a tuple of algorithms below.

On input the security parameter , this key generation algorithm returns a pair of public and secret keys where .

On input and a message , this encryption algorithm returns a ciphertext .

On input and a ciphertext , this decryption algorithm returns the plaintext .

On input a public key , a polynomial-size circuit , and a set of ciphertexts for some , this evaluation algorithm returns an evaluation output .

Fix . For each , we recursively define

to be the space of “well-formed” ciphertexts under the key , i.e., all ciphertexts produced by and . Apparently, .

Typically, the decryption algorithm is only required to be well-defined over for , but not necessarily over the entire ciphertext space \(\mathcal {C} \) (which includes ciphertexts produced under other public keys).

Correspondingly, evaluation correctness is defined upon “valid” ciphertexts.

In this work, we explicitly require the decryption algorithm of an FHE to be well-defined over the entirety of , in the sense that it always outputs something in the message space \(\mathcal {M} \) (albeit the message obtained when decrypting with a wrong key might be unpredictable). We also require the scheme to satisfy a stronger variant of evaluation correctness over all ciphertexts in \(\mathcal {C} \). We bundle these extra requirements into the strong correctness property.

Correctness. An FHE scheme is correct if the following are satisfied.

  • (Decryption Correctness) For any , any , and any message \(m \in \mathcal {M}\), we have that

    where the probability is taken over the random coins of .

  • (Evaluation Correctness) For any , any , any positive integer , any polynomial-size circuit \(\mathsf {C} \in \mathbb {C}_n\), any ciphertexts , if there exists , then

    where the probability is taken over the random coins of and .

The scheme is perfectly correct if the above probabilities are exactly 1.

Strong Correctness. A strongly-correct FHE scheme satisfies all below.

  • (Decryption Correctness) Same as in the (usual) correctness definition above.

  • (Well-Defined Decryption) is well-defined over , i.e., for any , there exists \(m \in \mathcal {M} \) such that .

  • (Strong Evaluation Correctness) Evaluation correctness holds even for ciphertexts taken in \(\mathcal {C} \). Formally, for any , any , any positive integer , any polynomial-size circuit \(\mathsf {C} \in \mathbb {C}_n\), any ciphertexts (possibly with ), if there exists for all \(i \in \{1, \dots , n\}\), then

    where the probability is taken over the random coins of and .

The scheme is perfectly strongly correct if the above probabilities are exactly 1.

Security. We recall the standard IND-CPA-security and define a new notion called IK-IND-CPA-security, which combines key privacy and message indistinguishability. We also recall the notion of circular security.

Fig. 2.
figure 2

Security Experiments of FHE ( is the state information of )

Full size image

Definition 5

(IND-CPA). An FHE scheme \(\mathcal {E} \) is IND-CPA-secure (has indistinguishable messages under chosen-plaintext attack) if for any adversary , it holds that

where is defined in Fig. 2.

Definition 6

(IK-IND-CPA). An FHE scheme \(\mathcal {E} \) is IK-IND-CPA-secure (has indistinguishable keys and indistinguishable messages under chosen-plaintext attack) if for any adversary , it holds that

where is defined in Fig. 2.

Definition 7

(Circular Security). Let \(\mathcal {E} \) be an FHE scheme such that . \(\mathcal {E} \) is circular secure if for any adversary , it holds that

where is defined in Fig. 2.

Instantiations. While IND-CPA security is the de facto standard of FHE schemes, virtually all of them satisfy the stronger notion of IK-IND-CPA security. This is because FHE ciphertexts are typically indistinguishable from elements uniformly sampled from the ciphertext space (see, e.g.  [20]).

Typically, FHE schemes are proven to satisfy the standard correctness notion. Below, we show how these schemes can be transformed into one with strong correctness, assuming circular security and the decryption algorithm is well-defined over \(\mathcal {K} \times \mathcal {C} \). The former assumption is “for free” as it is already needed for bootstrapping the FHE scheme [18]. The latter is already satisfied by most existing FHE schemes and can be otherwise obtained by artificially extending the decryption algorithm to be well-defined over any input. For the case of FHE schemes based on learning with errors (LWE), typically consists of an inner product of two vectors in , followed by rounding. Thus is well defined for any pair of vectors in if we set .

Let be such an FHE scheme. A public key in our transformed scheme \(\mathcal {E} '\) is of the form where is an encryption of the secret key under . The secret key is identical to . The encryption (with input ) and decryption algorithms of \(\mathcal {E} \) and are identical.

The evaluation algorithm , on input , a circuit \(\mathsf {C} \in \mathbb {C}_n\), and (not necessarily well-formed) ciphertexts \((c_1,\ldots ,c_n) \in \mathcal {C} ^n\) works as follows:

  • homomorphically decrypts \(c_i\) using for each \(i \in [n]\), i.e., compute

  • then, evaluates \(\mathsf {C} \) homomorphically over \((c'_1,\ldots ,c'_n)\), i.e., output

Clearly, if \(\mathcal {E} \) is IK-IND-CPA-secure and circular secure, then \(\mathcal {E} '\) is IK-IND-CPA-secure. To see why \(\mathcal {E} '\) has strong correctness, we note that by construction and is well-defined over for all \(i \in [n]\) by assumption. Therefore, by the (standard) correctness of \(\mathcal {E} \), for all \(i \in [n]\), . Next, since for all \(i \in [n]\), we have . Using the (standard) correctness of \(\mathcal {E} \) again, if for all \(i \in [n]\), then as we desired.

To draw an analogy to LWE-based schemes, even though \((c_1,\ldots ,c_n)\) might have very large noise (with respect to ), is executed over , which is well-formed (has small noise) and \((c_1,\ldots ,c_n)\) are just constants in the description of the circuits . This is analogous to Gentry’s bootstrapping procedure [18] and works for exactly the same reason.

Our modification essentially introduces an additional bootstrapping step before every homomorphic evaluation. Thus, fast bootstrapping techniques can be applied to make the overhead we added minimal when compared to the cost of the homomorphic evaluation. As the communication complexity of our scheme depends on the rate (message-to-ciphertext size ratio) of the FHE scheme, one can achieve optimal communication (for large enough data blocks) by using the rate-1 FHE [8, 19]. It is not hard to see that those schemes also satisfy the notion of IK-IND-CPA security (since ciphertexts are identical to those of [20]).

4.3 Distributed Point Functions

A point function is a function whose images are zero at all points except one.

Definition 8

(Point Function). A point function \(F_{a,b}:\{0,1\}^d \rightarrow \{0,1\}^r\), for \(a \in \{0,1\}^d\) and \(b \in \{0,1\}^r\), is defined by \(F_{a,b}(a) = b\), and \(F_{a,b}(c) = 0^r\) if \(c\ne a\).

Unless differently specified, we interpret the output domain \(\{0,1\}^r\) of F as an Abelian group with respect to the group operator \(\oplus \).

A distributed point function (DPF) allows secret-sharing a point function f to multiple servers. The servers can locally evaluate the shared function at any point x and produce output shares, which can be combined to recover f(x).

Definition 9

(Distributed Point Function [4]). For and \(t \in [N]\), a \(({t},{N})\text {-}\mathsf {DPF}\) is a tuple of algorithms defined as follows.

On input the security parameter \(1^\lambda \) and the description of a point function \(F_{a,b}\), the key generation algorithm returns N keys \((k_{1}, \dots , k_{N})\).

On input a party index i, a key \(k_i\), and a string \(x \in \{0,1\}^d\), the evaluation algorithm returns a share \(s_i\).

On input a set of shares \((s_{1}, \dots , s_{N})\), the decoding algorithm returns the function output y.

We consider an N-party additive output decoder for an Abelian group that returns \(y = \sum ^N_{i=1} s_{i}\) on input . We state a relaxed correctness notion that allows the evaluation algorithm to have an error \(\varDelta \), and recall the standard notion of security.

Definition 10

(\(\varDelta \)-Correctness). A is correct if there exists an inverse polynomial error bound \(\varDelta \) such that for all , \(x \in \{0,1\}^d\), and point functions \(F_{a,b}\),

If \(\varDelta = 0\) then we say that the scheme is perfectly correct.

Definition 11

(Security). A is secure if there exists a negligible function such that for all , subsets \(T \subseteq [N]\) such that \(|T| = t\), all non-uniform distinguishers , it holds that

Boyle et al.  [4] showed that \(({1},{2})\text {-}\mathsf {DPF}\) can be built from one-way functions.

Theorem 3

([4]). A perfectly-correct \(({1},{2})\text {-}\mathsf {DPF}\) of -size key can be built from one-way functions.

We also observe that the complexity of the algorithm in their construction [4] is dominated by d-many sequential evaluations of a length-doubling PRG. This fact is going to be useful for our later construction.

4.4 Homomorphic Secret Sharing

Homomorphic secret sharing (HSS) can be seen as generalizing a distributed point function where the evaluation algorithm supports the evaluation of more complex circuits. We focus on single-client HSS. In such a scheme, a single client secret shares an input x to multiple servers. These servers can then locally evaluate any circuit C in the supported class of circuits to produce some output shares. The value C(x) can then be recovered by combining these output shares.

Definition 12

(Homomorphic Secret Sharing [6]). For , \(t \in [N]\), a \(({t},{N})\text {-}\mathsf {HSS}\) for a circuit family \(\mathcal {C}\) is defined by the following algorithms:

On input the security parameter \(1^\lambda \) and an input x, the share generation algorithm returns a set of shares \((s_{1}, \dots , s_{N})\).

On input a party index i, a share \(s_{i}\), and a circuit \(C \in \mathcal {C}\), the evaluation algorithm returns an evaluated share \(z_{i}\).

On input a set of shares \((z_{1}, \dots , z_{N})\), the decoding algorithm returns the output y.

We say that an HSS scheme is compact if the size of the output shares does not grow with the size of the circuit given as input to the algorithm. We define correctness where the evaluation algorithm may incur an error with probability at most \(\varDelta \), for some inverse polynomial function \(\varDelta \).

Definition 13

(\(\varDelta \)-Correctness). A is correct if there exists an inverse polynomial error bound \(\varDelta \) such that for all , inputs x, and circuits \(C\in \mathcal {C}\), we have that

Security is defined canonically.

Definition 14

(Security). A is secure if there exists a negligible function such that for all , subsets such that \(|T| = t\), all non-uniform distinguishers , it holds that

It is useful to recall a theorem from Boyle et al.  [5], where they propose an HSS scheme for NC1 circuits assuming the hardness of the DDH problem. There also exists a similar construction based on the hardness of the DCR problem [17].

Theorem 4

([5]). If the DDH problem is hard, there exists a compact \(\varDelta \)-correct \(({1},{2})\text {-}\mathsf {HSS}\) for circuits in NC1, for any inverse polynomial \(\varDelta \).

5 Multi-client ORAM and Its Simulation-Based Security

5.1 Syntax

MCORAM was introduced by Maffei et al.  [29] and later extended to the malicious client setting [30]. Existing MCORAM definitions are mostly verbal, which left many subtleties. We recall (a slightly rephrased version of) its definition.

Definition 15

An MCORAM scheme for message space consists of a  algorithm \(\mathsf {Setup} \) and protocols \((\mathsf {ChMod}, \mathsf {Access})\) executed between a data owner \({D}\), polynomially many independent instances of client \({C}\), and a server \({S}\):

: The setup algorithm is run by the database owner \({D}\). It inputs the security parameter , a size parameter n, and an array \(M \in \mathcal {M} ^n\) of initial data. It outputs the public parameter \(\mathsf {pp} \) (an implicit input of all other algorithms), the master secret key \(\mathsf {msk} \) (to be kept secret by the owner \({D}\)), and a database \(\bar{M}\) (to be forwarded to the server \({S}\)).

: The data owner \({D}\) grants access rights to a client \({C}\), possibly with the help of the server \({S}\), using the change-mode protocol. If \({C}\) has not joined the system yet, it is assumed that . The basic model only allows granting additional rights.

To run \(\mathsf {ChMod} \), \({D}\) inputs the master (owner) secret key \(\mathsf {msk} \), a client identifier \(\mathsf {id} \in \{0,1\}^{*} \), and two sets \(A_R, A_W \subseteq [n]\) of addresses. \({C}\) inputs his secret key , and the same sets of addresses \(A_R\) and \(A_W\). The server \({S}\) inputs the database \(\bar{M}\). Supposedly, \({C}\) will be granted reading rights to \(A_R\), and writing rights to \(A_W\).

At the end of \(\mathsf {ChMod} \), \({D}\) outputs a the empty string \(\epsilon \). \({C}\) outputs an updated secret key . \({S}\) outputs a possibly updated database \(\bar{M}'\).

: To access a certain address of the memory, client \({C}\) engages in the access protocol with the server. The client \({C}\) inputs its secret key , an address \(a \in [n]\), and some data . Read access is indicated by . Otherwise, the data is to be written to the address . The server \({S}\) inputs \(\bar{M}\). Regardless of the type of access, the client outputs some data \(m '\) read from the address , while the server updates its database to \(\bar{M}'\).

It is straightforward to extend the MCORAM syntax and security definitions to the multi-server setting. \(\mathsf {Setup} \) outputs multiple encoded databases \(\bar{M}_1, \ldots , \bar{M}_N\) to be maintained by the respective servers. \(\mathsf {ChMod} \) becomes an \((N + 2)\)-party protocol between the database owner \({D}\), the client \({C}\), and the servers \({S}_1, \ldots , {S}_N\). The outputs of \({D}\) and \({C}\) remain unchanged, while \({S}_i\) outputs an updated database \(\bar{M}'_i\). Similarly, \(\mathsf {Access} \) becomes an \((N + 1)\)-party protocol between the client \({C}\) and \({S}_1, \ldots , {S}_N\). Their outputs are defined analogously.

Although our model allows \(\mathsf {ChMod} \) and \(\mathsf {Access} \) to be general multi-party protocols, we are primarily interested in constructions where the servers do not communicate with each other to better justify the non-colluding assumption.

5.2 Correctness and Integrity

An MCORAM scheme should not only be correct but satisfy an even stronger property called integrity (subsuming correctness): The database entry at the address \(a \) can only be changed by clients having write access to \(a \), other clients who might attempt to maliciously tamper with the data of the honest clients will fail. It is a unique property here and is absent in the single-client setting.

Fig. 3.
figure 3

MCORAM’s Integrity against Malicious Clients and Honest-but-Curious Server

Full size image

More formally, integrity is modeled by an experiment involving an adversary . The experiment acts as an honest MCORAM server, provides the interface of an MCORAM instance to , i.e., can request to corrupt a client, request for access permissions on behalf of a client, and access the data. To capture the notion of correctness, maintains a plaintext copy of the MCORAM-encoded database, i.e., all accesses are mirrored to the plaintext copy. The winning condition of is to make the maintained plaintext copy of the database ends up inconsistent with the one encoded in the MCORAM.

Definition 16

(Integrity of MCORAM). An MCORAM \(\varTheta \) has integrity if, for all  adversaries , size parameters , and arrays , with experiment \(\mathsf {Int}\) as defined in Fig. 3, we have

Integrity in the multi-server setting is almost identical, except that all oracles now return the views of all servers, which reflects that they are all honest but curious. However, integrity in this setting seems challenging to achieve, especially if we assume that the servers do not communicate with each other. Instead, one may consider a weaker notion known as accountable integrity (defined in the single-server setting [29]), which requires that any violation of integrity can be caught after-the-fact. Extending it to the multi-server setting is straightforward.

5.3 Obliviousness

Access in MCORAM is fully specified by , meaning that client \(\mathsf {id} \) is reading address \(a \) (if \(m = \epsilon \)) or writing \(m \) to address \(a \). Obliviousness mandates that such information would not be leaked to any other parties, unless the access is write access and the parties have read access to \(a \).

Fig. 4.
figure 4

Obliviousness Experiment of MCORAM against Malicious Clients and Server

Full size image

More formally, (indistinguishability-based) obliviousness is modeled by a pair of experiments, labeled by \(b = 0,1\) respectively, involving an adversary . As in the integrity experiment, the experiments provide the interface of an instance of MCORAM to , with some differences. First, has to provide malicious server codes to the interfaces, which models the setting where the server is always trying to compromise clients’ obliviousness. Second, the interface for the access protocol is parameterized by the bit b (which specifies the experiment) and takes as input two access instructions for \(\beta \in \{0,1\}^{} \). The interface would execute instruction labeled with \(\beta = b\). After some interactions with the interface, would output a bit \(b'\), which can be interpreted as a guess of b. An MCORAM is said to be (indistinguishably) oblivious against malicious clients if the probabilities of outputting 1 in either experiment are negligibly close.

Definition 17

(Indistinguishability-based Obliviousness). An MCORAM scheme \(\varTheta \) is indistinguishably oblivious against malicious clients if, for all , all and , all arrays , with \(\mathsf {Obl}\) as in Fig. 4,

So far, we followed Maffei et al.  [29] and defined an indistinguishability-based obliviousness definition. However, when constructing higher-level protocols, it is often more convenient to prove security based on simulation-based security notions of the building blocks. We thus propose a new simulation-based obliviousness definition for MCORAM, which turns out to be an equivalent one.

Our simulation-based obliviousness notion is also modeled by a pair of experiments involving an adversary , called the real and ideal experiment, respectively. Both experiments provide the interface of an MCORAM instance to . However, the way that queries to the interface are answered varies greatly.

Fig. 5.
figure 5

Real Experiment for Obliviousness against Malicious Clients and Server

Full size image
Fig. 6.
figure 6

Ideal Experiment for Obliviousness against Malicious Clients and Server

Full size image

In the real experiment, the interface is backed by a real execution of the MCORAM instance (as in the integrity experiment), where needs to provide the malicious server code (as in the indistinguishability-based obliviousness experiment). Answering a query in the ideal experiment generally invokes a simulator with the leakage of the query as the input. For example, upon receiving a query to the interface for the access protocol, if has read access to and \(m \ne \epsilon \), then is given \((a,m)\). Otherwise, is given no information (other than the fact that the query is issued to the access interface). In any case, given such a leakage, is supposed to simulate the response of a real execution. After some interactions, would output a bit \(b'\), which can be interpreted as a guess of whether it has interacted with the real experiment or the ideal experiment. An MCORAM is said to be semantically oblivious against malicious clients if the probabilities of outputting 1 in either experiment are negligibly close.

Definition 18

(Semantic Obliviousness). An MCORAM scheme \(\varTheta \) is semantically oblivious against malicious clients if, for all  adversaries , all  and , and all arrays , there exists a  simulator , with and as defined in Figs. 5 and 6 respectively, such that

The above two definitions can be shown equivalent using arguments for proving similar statements in encryption. See the full version for formal treatment.

Extending obliviousness to the multi-server setting where at most t of the N servers are corrupt is slightly more complicated. To model this, we modify the security experiments such that all N servers are initially honest, and at most t of them can be corrupted using a modified \(\mathsf {Corr} \mathcal {O} \) oracle. Correspondingly, the inputs of the modified \(\mathsf {ChMod} \mathcal {O} \) oracle and \(\mathsf {Access} \mathcal {O} \) oracle now include at most t pieces of malicious codes \(\{{S}^*_j\}\) for the respective servers, such that \({S}^*_j\) will be used to generate the communication transcript if server j is corrupt.

6 FHE-based Single-Server Construction

6.1 Formal Description

Fix a database size with . Let \(\mathsf {cPRF} \) be a constrained PRF family (Sect. 4.1) with domain . Let be an FHE scheme (Sect. 4.2) with message space . Let be a signature scheme with message space . For any array , nonce , and public key of \(\varSigma \), we define the following circuits:

Fig. 7.
figure 7

FHE-based Single-Server MCORAM Construction

Full size image

With the above, Fig. 7 presents an MCORAM \(\varTheta \) for the message space . We highlight some key steps. We assume for now that the data owner \({D}\) generates the keys and for during setup, and publishes all public keys as public parameters. Naturally, the keys indexed by \(k \in [n]\) corresponds to the n addresses of the database, while the keys indexed by 0 are reserved for other purposes. The database at the server S is , where . Reading and writing rights to an address \(a \in [n]\) is granted to a client \({C}\) by simply sending to \({C}\) the key and , respectively.

To obliviously access an address , the client \({C}\) first requests a nonce r from the server S. \({C}\) then generates a fresh FHE key , and uses it to encrypt in \(c_0\). Then, for a write access, \({C}\) uses to sign r and the data m to be stored, and encrypts the resulting signature \(\sigma \) in \(c_1\) and m in \(c_2\). For a read operation, \({C}\) sets both \(\sigma \) and m to 0, and uses to generate \(c_1\) and \(c_2\) instead.

As \({S}\) is supposedly oblivious to the address, it homomorphically evaluates the reading circuit parameterized by the entire database \(\bar{M}\) over \(c_0\). This results in a ciphertext encrypting \(m_a \) under , whose secret key is only known by \({C}\). \({S}\) also evaluates the writing circuit over \((c_1, c_2, \bar{m}_k)\) for each address \(k \in [n]\). Under the hood of FHE, checks if \(\sigma \) is a valid signature of (rm) w.r.t. , and if so (\({C}\) has writing rights to k and intends to write m there), returns a ciphertext encrypting the new m under . If not, would be encrypting \(m_k\) (the original data) under . Regardless of the result (which \({S}\) is oblivious to), \({S}\) updates the k-th entry of the database to \(\bar{m}'_k\).

To reduce the size of the master secret key, \({D}\) can derive the \(\mathcal {E} \) and \(\varSigma \) keys using the pseudorandomness generated by \(\mathsf {cPRF} \). Correspondingly, \({D}\) sends the appropriately constrained PRF keys, so that the clients can re-derive the \(\mathcal {E} \) and \(\varSigma \) secret keys. If \(\mathsf {cPRF} \) features succinct constrained keys (of size sublinear in the description size of the constraining set), then the MCORAM features succinct client keys (of size sublinear in the number of permitted addresses).

6.2 Security

Integrity requires that data written honestly can be successfully read by honest clients, which largely follows from the correctness of the building blocks. The more challenging requirement is to ensure the adversary can not overwrite entries without write access. We first use the correctness of FHE and the signature scheme to argue that, unless a valid signature of a random nonce is given, an entry would never be overwritten, then we argue for its unforgeability.

Obliviousness is intuitive, too, because a client always sends a fresh public key and three FHE ciphertexts during access, regardless of the access type. Although the ciphertexts are generated using keys that may depend on the access, we can rely on the key privacy of FHE and argue that they are still indistinguishable. The proofs for our theorems can be found in the full version.

Theorem 5

If \(\mathsf {cPRF} \) is selective-input correct and pseudorandom, \(\mathcal {E} \) is strongly correct, \(\varSigma \) is correct, and \(\varSigma \) is EUF-CMA-secure, then \(\varTheta \) has integrity.

Theorem 6

If \(\mathsf {cPRF} \) is selective-input pseudorandom, and \(\mathcal {E} \) is IND-CPA-secure and IK-IND-CPA-secure, then \(\varTheta \) is oblivious.

6.3 Access Rights Revocation

Generic techniques for revocation are compatible with our construction. First of all, the data owner could always re-encrypt database entries and/or re-generate the corresponding signature verification keys. However, this requires the data owner to re-grant the access rights of the refreshed entries from scratch. Using a constrained PRF for a powerful enough class of constraints, we can save the data owner from some troubles in always re-granting the keys to the clients.

Recall that cPRF is used for deriving the address-dependent secret keys. To support revocation, we consider an equivalent formulation of cPRF, where the PRF key is constrained by a predicate P, such that the constrained key allows evaluations of the PRF over the inputs x satisfying \(P(x) = 1\). The core idea is to put the latest client revocation list as an input of P for deriving the latest keys.

In more detail, the data owner publishes (e.g., via the server) the client revocation lists and for each , which contain the identifiers of clients whose read access and respectively write access to address have been revoked. Suppose client \(\mathsf {id} \) is entitled to read access to addresses \(a \in A_R\) and write access to addresses , respectively. The data owner delegates to client \(\mathsf {id} \) a PRF key constrained with respect to the following predicate \(P_{A_R,A_W,\mathsf {id}}\) parameterized by \(A_R\), \(A_W\), and \(\mathsf {id} \) (i.e., they are embedded in the constraint key):

\(P_{A_R,A_W,\mathsf {id}}(\mathsf {op},\mathsf {addr},\mathsf {CRL})\): If \((\mathsf {id} \notin \mathsf {CRL}) \wedge ((\mathsf {op} = \mathrm {Read} \wedge \mathsf {addr} \in A_R) \vee (\mathsf {op} = \mathrm {Write} \wedge \mathsf {addr} \in A_W))\), return 1; else return 0.

The last input \(\mathsf {CRL}\) can be changing (\(\mathcal {L}_{\mathrm {Read}}\) or \(\mathcal {L}_{\mathrm {Write}}\)). We still use the PRF output to generate the signing and verification keys for the address \(a \), but it would be the PRF value on \((\mathrm {Write}, a, \mathcal {L}_{\mathrm {Write}, a})\) for write access, for example. If \(a \in A_W\) and \(\mathsf {id} \notin \mathcal {L}_{\mathrm {Write}, a}\), client \(\mathsf {id} \) can evaluate the PRF on \((\mathrm {Write}, a, \mathcal {L}_{\mathrm {Write}, a})\), and hence derive the signing key needed for write access to \(a \).

To revoke (more) clients their write access to \(a \), the data owner informs the server of a new verification key (which is a PRF value of the new blacklist). Read access can be revoked similarly, except that the data owner would need to re-encrypt those database entries whose revocation policies have been changed.

7 DPF-based Multi-server Construction

7.1 Our Distributed Point Function

Let be a \(({1},{2})\text {-}\mathsf {DPF}\) such that is in NC1, and let be a homomorphic secret sharing as defined in Sect. 4.4 for NC1 circuits. Figure 8 shows our \(({3},{4})\text {-}\mathsf {DPF}\) construction. The \(({2},{3})\text {-}\mathsf {DPF}\) follows a straightforward modification, which we include in the full version.

Theorem 7

(Correctness). Let \(\hat{\varDelta }\) and \(\tilde{\varDelta }\) be inverse polynomials. Let \(({1},{2})\text {-}\mathsf {DPF}'\) be a \(\hat{\varDelta }\)-correct distributed point function and let \(({1},{2})\text {-}\mathsf {HSS}\) be a -correct homomorphic secret sharing. Our construction in Fig. 8 is a \(\varDelta \)-correct \(({3},{4})\text {-}\mathsf {DPF}\), for some inverse polynomial \(\varDelta \).

Theorem 8

(Security). Let \(({1},{2})\text {-}\mathsf {DPF}'\) be a secure distributed point function and let \(({1},{2})\text {-}\mathsf {HSS}\) be a secure homomorphic secret sharing. The construction in Fig. 8 is a secure \(({3},{4})\text {-}\mathsf {DPF}\).

The proofs of Theorems 7 and 8 can be found in the full version.

Instantiations. By Theorem 4, there exists a \(({1},{2})\text {-}\mathsf {HSS}\) for NC1 circuits with share size , which is \(\varDelta \)-correct for any inverse polynomial \(\varDelta \), assuming the hardness of the DDH (or DCR) problem. By Theorem 3, there exists a perfectly-correct \(({1},{2})\text {-}\mathsf {DPF}'\) with key size, where \(\{0, 1\}^d\) is the domain of the point function, assuming the existence of one-way functions. What is left to be shown is that our \(({3},{4})\text {-}\mathsf {DPF}\) is efficient when plugging in these two building blocks. More precisely, we will show that of the \(({1},{2})\text {-}\mathsf {DPF}'\) is computable by an NC1 circuit. Recall that the complexity of the algorithm of [4] is dominated by d calls for a length-doubling PRG. For a point function with a polynomial-size domain, we can set \(d = c\log (\lambda )\), for some constant c, then implementing the length-doubling PRG with a construction in NC0 (such as Goldreich PRG [23]) gives us an evaluation algorithm computable by an NC1 circuit. The size of the resulting keys of our \(({3},{4})\text {-}\mathsf {DPF}\) is . We thus obtain:

Fig. 8.
figure 8

\(({3},{4})\text {-}\mathsf {DPF}\) Construction

Full size image

Corollary 1

If the DDH or DCR problem is hard and there exists a PRG in NC0, there exists a \(\varDelta \)-correct \(({3},{4})\text {-}\mathsf {DPF}\) for any inverse polynomial \(\varDelta \), for functions with polynomial-size domain \(\{0, 1\}^d\) with key size .

Fig. 9.
figure 9

DPF-based Multi-Server MCORAM Construction

Full size image

7.2 Multi-client ORAM from Distributed Point Functions

As described in the introduction, there exists a folklore way (e.g., [9]) to construct distributed ORAM (DORAM) with stateless client from any \(({t},{N})\text {-}\mathsf {DPF}\) with linear reconstruction. Such a DORAM can be further transformed into a multi-server MCORAM by equipping it with access control. Incorporating reading rights (while achieving obliviousness) is straightforward via encryption. Granting meaningful writing rights and achieving integrity, however, seems impossible in the setting where the servers cannot communicate (even indirectly).

To show the legitimacy of an update, the client needs to prove the knowledge of a witness for a statement about the database, which is secret-shared among the servers. As any single server has no information about the statement, the proof cannot be verified during the access. (We discuss an alternative later). In Fig. 9, we propose a transformation in a simplified setting where all clients have writing rights to all addresses by default, so the \(\mathsf {ChMod} \) protocol is used only for granting reading rights (via decryption keys). In this setting, the syntax of \(\mathsf {ChMod} \) can be simplified, which inputs a set of addresses A (cf., \(A_R\) and \(A_W\)).

Figure 9 assumes \(N^2\) servers, indexed by \((i,j) \in [N]^2\), with at most t of them collude. Each entry \(M[a ]\) of the initial data array M is first encrypted with an independent public key of a public-key encryption scheme \(\mathcal {E} \), and then secret-shared using the additive N-out-of-N secret sharing scheme. The (ij)-th server gets the i-th share \(\bar{M}_i\) of the ciphertext. We use independent encryption and decryption keys for each address for simplicity. The master and client secret key sizes can be reduced using constrained PRFs as in the FHE-based construction.

To access address \(a \), the client generates fresh DPF keys \((k_1, \ldots , k_N)\) for the point function \(F_{a,1}\), and sends \(k_j\) to server (ij) for \((i,j) \in [N]^2\). Using the additive reconstruction property of the DPF, the (ij)-th server can compute the j-th share of \(\bar{M}_i[a ] = \sum _{a ' \in [n]} F_{a,1}(a ') \bar{M}_i[a ]\). Collecting all \(N^2\) shares, the client can recover \(\bar{M}[a ]\), and decrypt it using to get \(M[a ]\). Regardless of whether logical access is a read or a write, the client must write something to ensure obliviousness. In case of a write access, the client encrypts the new data item as \(\bar{m}\), and sets \(b := \bar{m} - \bar{M}[a ]\); in case of a read access, the client sets \(b := 0\). The client then generates another fresh tuple of DPF keys \((k_1,\ldots ,k_N)\) for the point function \(F_{a,b}\), and sends \(k_i\) to server (ij) for \((i,j) \in [N]^2\). Using the reconstruction property again, the i-th row of servers can obtain, for each \(a ' \in [n]\), the same i-th share of \(\bar{M}'[a ']\) being \(\bar{M}[a ']\) for \(a ' \ne a \), \(\bar{m}\) otherwise.

Properties of The Resulting Multi-Server MCORAM. Since the DPF is resilient against the disclosure of any \(t < N\) shares, the multi-server (MC)ORAM scheme is secure against a \(t / N^2\) fraction of corruptions. One can show that the scheme is oblivious with a simple reduction to the security of DPF.

Meaningful selective writing rights can be granted by settling for accountable integrity. The techniques for it are rather standard [29]. Roughly, assuming there is an underlying versioning system (as in a typical storage system) that stores each (encrypted) update instruction, we additionally require the client to anonymously sign the update with traceable signatures (e.g., [15]). The data owner can then trace the misbehaving party via the anonymity revocation mechanism.

Consistency is another issue. Due to the underlying HSS [5], our DPF might fail with a certain probability. This is undesirable, especially for write operations, as it would leave the database in a corrupted state. Fortunately, the same HSS [5] allows the servers to detect potential errors; thus, they can abort accordingly.

Finally, note that we can even use different DPF algorithms of different parameters for read and write. This allows some tunable trade-offs, e.g., using a \(({t},{N})\text {-}\mathsf {DPF}\) for write and a \(({t'},{N'})\text {-}\mathsf {DPF}\) for read brings the threshold/server-ratio to . Specifically, using a \(({t},{N})\text {-}\mathsf {DPF}\) for write and a \(({1},{1})\text {-}\mathsf {DPF}\) (i.e., a PIR scheme) for read brings the threshold/server-ratio down to t/N.

8 Concluding Remarks

Since many techniques for constructing single-client ORAM break down completely when the client can be corrupt, it was unclear whether the poly-logarithmic communication complexity of ORAM can be attained by MCORAM with an access control mechanism and obliviousness against fellow clients. We devise a cross-key trial evaluation technique and two new distributed point functions for building (multi-server) MCORAM with poly-logarithmic communication complexity. Besides, existing MCORAM definitions are indistinguishability based and may not be readily applicable in higher cryptographic applications. This paper also filled in this gap. Our study benefits the applications of MCORAM for building higher cryptographic primitives and enriches our understanding of homomorphic secret sharing. Application-wise, our MCORAM is especially useful for private anonymous data access in an outsourced setting.