Abstract
We present the first Oblivious RAM (ORAM) construction that for N memory blocks supports accesses with worst-case \(O(\log N)\) overhead for any block size \(\Omega (\log N)\) while requiring a client memory of only a constant number of memory blocks. We rely on the existence of one-way functions and guarantee computational security. Our result closes a long line of research on fundamental feasibility results for ORAM constructions, as logarithmic overhead is known to be necessary. The previous best logarithmic-overhead construction only guarantees it in an amortized sense, i.e., logarithmic overhead is achieved only for long enough access sequences, where some of the individual accesses incur \(\Theta (N)\) overhead. The previously best ORAM in terms of worst-case overhead achieves \(O(\log ^2 N/\log \log N)\) overhead. Technically, we design a novel de-amortization framework for modern ORAM constructions that use the “shuffled inputs” assumption. Our framework significantly departs from all previous de-amortization frameworks, originating from Ostrovsky and Shoup (STOC’97), which seem to be fundamentally too weak to be applied to modern ORAM constructions.
Notes
The lower bounds of [27, 29] only apply to “online” ORAMs, which support operations that arrive in an online fashion, one by one. These lower bounds even apply to computationally secure constructions. There is a logarithmic lower bound for “offline” ORAMs, which see the whole set of operations ahead of time, due to Goldreich and Ostrovsky [20], but it only applies to statistically secure constructions in the balls-and-bins model (see Boyle and Naor [6]).
The actual number of real blocks may be smaller if the requests keep asking for the same block or a small set of blocks. The maximum load is achieved when the ORAM requests cycle through addresses \(1, 2, \ldots , N\) in a round-robin fashion.
Following the convention in cryptography, we use the hybrid models only in security proofs, and thus here we are generous with polynomial time (e.g., copying the relevant data).
Inherited from [2], this lemma aims to solve a subproblem of size n, while the memory size is \(\Omega (\log N)\) for the main problem size N; thus we will need the weak requirement \(\log N \ge \log ^3 \log {\lambda }\) later.
The overflow pile is just a subset of arbitrary elements—this is a beautiful trick that originated in PanORAMa; see also OptORAMa [2, Section 2.1.2].
In Theorem 3.7, \(\textsf {sk} \) and \({\textsf {OBin} }_1,\ldots ,\textsf {OBin} _B\) are concatenated into an array \(\textsf {OBins} \).
One could easily modify our algorithm to work more generally for a list \(X_2\) of size m which has at least n dummies and output an array of size m. We chose to be concrete for simplicity.
This is important in order to avoid the attack of Falk, Noble, and Ostrovsky [14].
The tasks (and the pointers \((\textsf {A} _i,\textsf {B} _i)\) as well) are executed according to a pre-determined schedule, so given the counter \(\textsf {ctr} \) one can fully determine the procedures (and pointers) to be performed. Here we use them for readability.
Note that this implies that we run \({\textsf {poly} } \log \log N\) work per access for the first level.
References
Miklós Ajtai, János Komlós, and Endre Szemerédi. An \(O(n \log n)\) sorting network. In STOC, pages 1–9, 1983.
Gilad Asharov, Ilan Komargodski, Wei-Kai Lin, Kartik Nayak, Enoch Peserico, and Elaine Shi. OptORAMa: optimal oblivious RAM. In EUROCRYPT, pages 403–432, 2020.
Gilad Asharov, Ilan Komargodski, Wei-Kai Lin, Enoch Peserico, and Elaine Shi. Optimal oblivious parallel RAM. IACR ePrint Arch., 2020:1292, 2020.
Gilad Asharov, Ilan Komargodski, Wei-Kai Lin, and Elaine Shi. Oblivious RAM with worst-case logarithmic overhead. In Advances in Cryptology - CRYPTO, pages 610–640, 2021.
Vincent Bindschaedler, Muhammad Naveed, Xiaorui Pan, XiaoFeng Wang, and Yan Huang. Practicing oblivious access on cloud storage: the gap, the fallacy, and the new way forward. In CCS, pages 837–849, 2015.
Elette Boyle and Moni Naor. Is there an oblivious RAM lower bound? In ITCS, pages 357–368, 2016.
Ran Canetti. Universally composable security. J. ACM, 67(5):28:1–28:94, 2020.
David Cash, Paul Grubbs, Jason Perry, and Thomas Ristenpart. Leakage-abuse attacks against searchable encryption. In CCS, pages 668–679, 2015.
T.-H. Hubert Chan, Yue Guo, Wei-Kai Lin, and Elaine Shi. Oblivious hashing revisited, and applications to asymptotically efficient ORAM and OPRAM. In ASIACRYPT, pages 660–690, 2017.
T.-H. Hubert Chan, Kartik Nayak, and Elaine Shi. Perfectly secure oblivious parallel RAM. In TCC, pages 636–668, 2018.
T.-H. Hubert Chan and Elaine Shi. Circuit OPRAM: unifying statistically and computationally secure ORAMs and OPRAMs. In TCC, pages 72–107, 2017.
Kai-Min Chung, Zhenming Liu, and Rafael Pass. Statistically-secure ORAM with \(\tilde{O}(\log ^2n)\) overhead. In ASIACRYPT, pages 62–81, 2014.
Samuel Dittmer and Rafail Ostrovsky. Oblivious tight compaction in \(O(n)\) time with smaller constant. In SCN, pages 253–274, 2020.
Brett Hemenway Falk, Daniel Noble, and Rafail Ostrovsky. Alibi: A flaw in cuckoo-hashing based hierarchical ORAM schemes and a solution. In EUROCRYPT, pages 338–369, 2021.
Christopher W. Fletcher, Marten van Dijk, and Srinivas Devadas. A secure processor architecture for encrypted computation on untrusted programs. In STC, pages 3–8, 2012.
Christopher W. Fletcher, Ling Ren, Albert Kwon, Marten van Dijk, and Srinivas Devadas. Freecursive ORAM: [nearly] free recursion and integrity verification for position-based oblivious RAM. In ASPLOS, pages 103–116, 2015.
Michael L. Fredman and Dan E. Willard. Surpassing the information theoretic bound with fusion trees. J. Comput. Syst. Sci., 47(3):424–436, 1993.
Craig Gentry, Shai Halevi, Charanjit Jutla, and Mariana Raykova. Private database access with HE-over-ORAM architecture. In CANS, pages 172–191, 2015.
Oded Goldreich. Towards a theory of software protection and simulation by oblivious RAMs. In STOC, pages 182–194, 1987.
Oded Goldreich and Rafail Ostrovsky. Software protection and simulation on oblivious RAMs. J. ACM, 43(3):431–473, May 1996.
Michael T. Goodrich and Michael Mitzenmacher. Privacy-preserving access of outsourced data via oblivious RAM simulation. In ICALP, pages 576–587, 2011.
Michael T. Goodrich, Michael Mitzenmacher, Olga Ohrimenko, and Roberto Tamassia. Oblivious RAM simulation with efficient worst-case access overhead. In CCSW, pages 95–100, 2011.
Michael T. Goodrich, Michael Mitzenmacher, Olga Ohrimenko, and Roberto Tamassia. Privacy-preserving group data access via stateless oblivious RAM simulation. In SODA, pages 157–167, 2012.
Paul Grubbs, Richard McPherson, Muhammad Naveed, Thomas Ristenpart, and Vitaly Shmatikov. Breaking web applications built on top of encrypted data. In CCS, pages 1353–1364, 2016.
Mohammad Saiful Islam, Mehmet Kuzu, and Murat Kantarcioglu. Access pattern disclosure on searchable encryption: Ramification, attack and mitigation. In NDSS, 2012.
Adam Kirsch, Michael Mitzenmacher, and Udi Wieder. More robust hashing: Cuckoo hashing with a stash. SIAM J. Comput., 39(4):1543–1561, 2009.
Ilan Komargodski and Wei-Kai Lin. A logarithmic lower bound for oblivious RAM (for all parameters). In Advances in Cryptology - CRYPTO, pages 579–609, 2021.
Eyal Kushilevitz, Steve Lu, and Rafail Ostrovsky. On the (in)security of hash-based oblivious RAM and a new balancing scheme. In SODA, pages 143–156, 2012.
Kasper Green Larsen and Jesper Buus Nielsen. Yes, there is an oblivious RAM lower bound! In CRYPTO, pages 523–542, 2018.
Chang Liu, Xiao Shaun Wang, Kartik Nayak, Yan Huang, and Elaine Shi. ObliVM: A programming framework for secure computation. In S&P, pages 359–376, 2015.
Steve Lu and Rafail Ostrovsky. Distributed oblivious RAM for secure two-party computation. In TCC, pages 377–396, 2013.
Martin Maas, Eric Love, Emil Stefanov, Mohit Tiwari, Elaine Shi, Krste Asanovic, John Kubiatowicz, and Dawn Song. PHANTOM: practical oblivious computation in a secure processor. In CCS, pages 311–324, 2013.
Rafail Ostrovsky and Victor Shoup. Private information storage. In STOC, pages 294–303, 1997.
Rasmus Pagh and Flemming Friche Rodler. Cuckoo hashing. J. Algorithms, 51(2):122–144, 2004.
Sarvar Patel, Giuseppe Persiano, Mariana Raykova, and Kevin Yeo. PanORAMa: Oblivious RAM with logarithmic overhead. In FOCS, pages 871–882, 2018.
Ling Ren, Xiangyao Yu, Christopher W. Fletcher, Marten van Dijk, and Srinivas Devadas. Design space exploration and optimization of path oblivious RAM in secure processors. In ISCA, pages 571–582, 2013.
Elaine Shi, T.-H. Hubert Chan, Emil Stefanov, and Mingfei Li. Oblivious RAM with \(O((\log N)^3)\) worst-case cost. In ASIACRYPT, pages 197–214, 2011.
Emil Stefanov and Elaine Shi. ObliviStore: High performance oblivious cloud storage. In S&P, pages 253–267, 2013.
Emil Stefanov, Elaine Shi, and Dawn Xiaodong Song. Towards practical oblivious RAM. In NDSS, 2012.
Emil Stefanov, Marten van Dijk, Elaine Shi, Christopher W. Fletcher, Ling Ren, Xiangyao Yu, and Srinivas Devadas. Path ORAM: an extremely simple oblivious RAM protocol. In CCS, pages 299–310, 2013.
Mikkel Thorup. Randomized sorting in \(O(n \log \log n)\) time and linear space using addition, shift, and bit-wise boolean operations. J. Algorithms, 42(2):205–230, 2002.
Xiao Wang, T.-H. Hubert Chan, and Elaine Shi. Circuit ORAM: on tightness of the Goldreich-Ostrovsky lower bound. In CCS, pages 850–861, 2015.
Xiao Shaun Wang, Yan Huang, T.-H. Hubert Chan, Abhi Shelat, and Elaine Shi. SCORAM: oblivious RAM for secure computation. In CCS, pages 191–202, 2014.
Peter Williams, Radu Sion, and Alin Tomescu. PrivateFS: A parallel oblivious file system. In CCS, pages 977–988, 2012.
Samee Zahur, Xiao Shaun Wang, Mariana Raykova, Adria Gascón, Jack Doerner, David Evans, and Jonathan Katz. Revisiting square-root ORAM: efficient random access in multi-party computation. In S&P, pages 218–234, 2016.
Yupeng Zhang, Jonathan Katz, and Charalampos Papamanthou. All your queries are belong to us: The power of file-injection attacks on searchable encryption. In USENIX, pages 707–720, 2016.
Acknowledgements
This work is supported in part by a DARPA Brandeis award, a DARPA SIEVE grant, NSF grants under the award numbers CNS-1601879, 2001026, 2044679, by Packard Fellowship, a JP Morgan Award, an ONR YIP award, by the Israel Science Foundation (grants No. 2439/20 and 1774/20), by an Alon Young Faculty Fellowship, and by the BIU Center for Research in Applied Cryptography and Cyber Security in conjunction with the Israel National Cyber Bureau in the Prime Minister’s Office. This project has received funding from the European Union’s Horizon 2020 research and innovation programme under the Marie Skłodowska-Curie grant agreement No. 891234. Ilan Komargodski is the incumbent of the Harry & Abe Sherman Senior Lectureship at the School of Computer Science and Engineering at the Hebrew University.
Additional information
Communicated by Serge Fehr.
A preliminary version of this work was published in the 41st Annual International Cryptology Conference (CRYPTO 2021) [4]. This is the full version.
Cite this article
Asharov, G., Komargodski, I., Lin, WK. et al. Oblivious RAM with Worst-Case Logarithmic Overhead. J Cryptol 36, 7 (2023). https://doi.org/10.1007/s00145-023-09447-5