Alibi: A Flaw in Cuckoo-Hashing Based Hierarchical ORAM Schemes and a Solution

Abstract

There once was a table of hashes

That held extra items in stashes

It all seemed like bliss

But things went amiss

When the stashes were stored in the caches

The first Oblivious RAM protocols introduced the “hierarchical solution,” (STOC ’90) where the server stores a series of hash tables of geometrically increasing capacities. Each ORAM query would read a small number of locations from each level of the hierarchy, and each level of the hierarchy would be reshuffled and rebuilt at geometrically increasing intervals to ensure that no single query was ever repeated twice at the same level. This yielded an ORAM protocol with polylogarithmic overhead.

Future works extended and improved the hierarchical solution, replacing traditional hashing with cuckoo hashing (ICALP ’11) and cuckoo hashing with a combined stash (Goodrich et al. SODA ’12). In this work, we identify a subtle flaw in the protocol of Goodrich et al. (SODA ’12) that uses cuckoo hashing with a stash in the hierarchical ORAM solution.

We give a concrete distinguishing attack against this type of hierarchical ORAM that uses cuckoo hashing with a combined stash. This security flaw has propagated to at least 5 subsequent hierarchical ORAM protocols, including the recent optimal ORAM scheme, OptORAMa (Eurocrypt ’20).

In addition to our attack, we identify a simple fix that does not increase the asymptotic complexity.

We note, however, that our attack only affects more recent hierarchical ORAMs, but does not affect the early protocols that predate the use of cuckoo hashing, or other types of ORAM solutions (e.g. Path ORAM or Circuit ORAM).

Appendices

Supplementary Material

A Distinguishing Distributions

In this section, we review a basic fact that if two distributions are statistically different, and supported on polynomial-sized sets, then they are polynomial-time distinguishable.

Lemma 7

Let \(\left\{ X_n \right\} \), \(\left\{ Y_n \right\} \) denote two sequences of distributions supported on polynomial-sized sets, i.e., there is a constant c, such that \(\max ( |X_n|, |Y_n| ) < n^c\). In addition, assume that \(X_n\) and \(Y_n\) are efficiently samplable.

Then if \(\varDelta ( X_n, Y_n )\) is non-negligible, the distributions \(\left\{ X_n \right\} \) and \(\left\{ Y_n \right\} \) are polynomial-time distinguishable.

Proof

Consider the following maximum likelihood distinguisher, D. Let \(W = {\text {supp}}(X_n) \cup {\text {supp}}(Y_n)\), and \(m = |W|\). Define

$$\begin{aligned} p_z&{\mathop {=}\limits ^{\text {def}}}\Pr \left[ X_n = z \right] \\ q_z&{\mathop {=}\limits ^{\text {def}}}\Pr \left[ Y_n = z \right] \end{aligned}$$

Fix \(t = {\text {poly}}(n)\).

Recall that if \(W = X_n \cup Y_n\),

$$\begin{aligned} \sum _{w \in W} \max (p_w,q_w)&= \frac{1}{2} \sum _{w \in W} \left[ \left[ \max (p_w,q_w) + \min (p_w,q_w) \right] + \left[ \max (p_w,q_w) - \min (p_w,q_w) \right] \right] \\&= \frac{1}{2} \left[ 2 + \sum _{w \in W} \left[ \max (p_w,q_w) - \min (p_w,q_w) \right] \right] \\&= \frac{1}{2} \left[ 2 + 2 \varDelta (X_n,Y_n) \right] \\&= 1 + \varDelta (X_n,Y_n) \\ \end{aligned}$$

First, D will estimate the frequency of elements in both \(X_n\) and \(Y_n\) by sampling. First D will draw tm samples from \(X_n\), let \(X_{\text {sampled}}\) denote the multiset corresponding to these samples. Similarly D will draw tm samples from \(Y_n\). Let \(Y_{\text {sampled}}\) be the multiset corresponding to these samples.

Then D defines

$$\begin{aligned} \tilde{p}_w&{\mathop {=}\limits ^{\text {def}}}\frac{ \text{ number } \text{ of } \text{ times } \text{ w } \text{ occurred } \text{ in } X_{\text {sampled}} }{tm} \\ \tilde{q}_w&{\mathop {=}\limits ^{\text {def}}}\frac{ \text{ number } \text{ of } \text{ times } \text{ w } \text{ occurred } \text{ in } Y_{\text {sampled}} }{tm} \end{aligned}$$

Finally, given a sample z from a distribution \(Z \in \left\{ X_n,Y_n \right\} \), the adversary will guess

$$ A(z) = \left\{ \begin{array}{l} \text{ X } \text{ if } \tilde{p}_z \ge \tilde{q}_z \\ \text{ Y } \text{ if } \tilde{p}_z < \tilde{q}_z\text{. } \end{array} \right. $$

A Hoeffding bound shows that

$$ \Pr \left[ \left| \tilde{p}_z - p_z \right| > \delta \right] < 2e^{- 2mt \delta ^2} $$

and similarly

$$ \Pr \left[ \left| \tilde{q}_z - q_z \right| > \delta \right] < 2e^{- 2mt \delta ^2} $$

Fix \(\delta > 0\), and define

Now, notice that

$$\begin{aligned} \max (p_z,q_z) - 2\delta < \min (p_z,q_z) \qquad \text{ for } \text{ all } z \in B . \end{aligned}$$

(1)

The Hoeffding bounds give

$$\begin{aligned} \Pr \left[ \max ( p_z, q_z ) = \max \left( \tilde{p}_z, \tilde{q}_z \right) \right] > 1 - 2e^{-2mt\delta ^2} \qquad \text{ for } z \in G \end{aligned}$$

(2)

Let \(\epsilon = \max _z \left( |\Pr (X_n = z) - \Pr (Y_n=z)| \right) \). Thus \(\epsilon \ge \frac{\varDelta (X_n,Y_n)}{m}\), which is non-negligible.

$$\begin{aligned} \Pr&\left[ \text{ A } \text{ is } \text{ correct } \right] \\&= \frac{1}{2} \left[ \sum _{z \in Z} \Pr \left[ \max \left( \tilde{p}_z, \tilde{q}_z \right) = \max \left( p_z, q_z \right) \right] \max \left( p_z,q_z \right) + \sum _{z \in Z} \Pr \left[ \max \left( \tilde{p}_z, \tilde{q}_z \right) \ne \max \left( p_z, q_z \right) \right] \min \left( p_z, q_z \right) \right] \\&=\frac{1}{2} \left[ \sum _{z \in Z} \Pr \left[ \max \left( \tilde{p}_z, \tilde{q}_z \right) = \max \left( p_z, q_z \right) \right] \max \left( p_z,q_z \right) + \sum _{z \in B} \Pr \left[ \max \left( \tilde{p}_z, \tilde{q}_z \right) \ne \max \left( p_z, q_z \right) \right] \min \left( p_z, q_z \right) \right] \\&\ge \frac{1}{2} \left[ \sum _{z \in G} \Pr \left[ \max \left( \tilde{p}_z, \tilde{q}_z \right) = \max \left( p_z, q_z \right) \right] \max \left( p_z,q_z \right) + \sum _{z \in B} \left[ \max \left( p_z, q_z \right) -2 \delta \right] \right] \\&\ge \frac{1}{2} \left[ \left( 1 - 2e^{-2mt\delta ^2} \right) \sum _{z \in Z} \max \left( p_z,q_z \right) - 2m\delta \right] \\&= \frac{1}{2} \left[ \left( 1 - 2e^{-2mt\delta ^2} \right) \left[ 1 + \varDelta (X_n,Y_n) \right] - 2m\delta \right] \\&= \left( 1 - 2e^{-2mt\delta ^2} \right) \left[ \frac{1}{2} + \frac{1}{2}\varDelta (X_n,Y_n) \right] - m\delta \\ \end{aligned}$$

Which is a non-negligible advantage for sufficiently large t and sufficiently small \(\delta \).