research-article
DOI: 10.1145/3319535.3354226

Onion Ring ORAM: Efficient Constant Bandwidth Oblivious RAM from (Leveled) TFHE

Published: 06 November 2019

ABSTRACT

Oblivious RAM (ORAM) is a cryptographic primitive that allows a client to hide the access pattern to its data, which is encrypted and stored at a remote server. Traditionally, ORAM algorithms assume the server acts purely as a storage device. Under this assumption, ORAM has at least log(N) bandwidth blowup for N data entries. After three decades of improvements, ORAM algorithms have reached the optimal logarithmic bandwidth blowup. Nonetheless, in many practical use cases a constant bandwidth overhead is desirable. To this end, Devadas et al. (TCC 2016) formalized the server computation model for ORAM and proposed Onion ORAM, which relies on homomorphic computation to achieve constant worst-case bandwidth blowup. This line of work is generally believed to be purely theoretical, due to the large overheads of homomorphic computation. In this paper, we present Onion Ring ORAM, the first efficient constant bandwidth ORAM scheme in the single server model, based on the Onion ORAM construction and the leveled version of the TFHE scheme by Chillotti et al. We propose a series of improvements, most notably including a more efficient homomorphic permutation protocol. We implement Onion Ring ORAM and show that it can outperform state-of-the-art logarithmic-bandwidth ORAM like Path ORAMs and Ring ORAM when the network throughput is limited. Under one setting, our construction reduces monetary cost per access by 40% and end-to-end latency by 35% over Ring ORAM.

References

  1. Ittai Abraham, Christopher Fletcher, Kartik Nayak, Benny Pinkas, and Ling Ren. 2017. Asymptotically tight bounds for composing ORAM with PIR. In IACR International Workshop on Public Key Cryptography. Springer, 91--120.
  2. Martin R. Albrecht, Rachel Player, and Sam Scott. 2015. On the concrete hardness of Learning with Errors. J. Mathematical Cryptology 9, 3 (2015), 169--203.
  3. Sebastian Angel, Hao Chen, Kim Laine, and Srinath Setty. 2018. PIR with compressed queries and amortized query processing. In 2018 IEEE Symposium on Security and Privacy (SP). IEEE, 962--979.
  4. Anastasov Anton. 2016. Implementing Onion ORAM: A Constant Bandwidth ORAM using AHE. https://github.com/aanastasov/onion-oram/blob/master/doc/report.pdf. (2016).
  5. Daniel Apon, Jonathan Katz, Elaine Shi, and Aishwarya Thiruvengadam. 2014. Verifiable oblivious storage. In International Workshop on Public Key Cryptography. Springer, 131--148.
  6. Gilad Asharov, Ilan Komargodski, Wei-Kai Lin, Kartik Nayak, and Elaine Shi. 2018. OptORAMa: Optimal oblivious RAM. Technical Report. Cryptology ePrint Archive, Report 2018/892.
  7. Rajeev Balasubramonian, Jichuan Chang, Troy Manning, Jaime H Moreno, Richard Murphy, Ravi Nair, and Steven Swanson. 2014. Near-data processing: Insights from a MICRO-46 workshop. IEEE Micro 34, 4 (2014), 36--42.
  8. Bruno Beauquier and E Darrot. 2002. On arbitrary size Waksman networks and their vulnerability. Parallel Processing Letters 12, 03n04 (2002), 287--296.
  9. Vincent Bindschaedler, Muhammad Naveed, Xiaorui Pan, XiaoFeng Wang, and Yan Huang. 2015. Practicing oblivious access on cloud storage: the gap, the fallacy, and the new way forward. In Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security. ACM, 837--849.
  10. Zvika Brakerski, Craig Gentry, and Vinod Vaikuntanathan. 2012. (Leveled) fully homomorphic encryption without bootstrapping. In Innovations in Theoretical Computer Science 2012, Cambridge, MA, USA, January 8--10, 2012. 309--325. http://doi.acm.org/10.1145/2090236.2090262
  11. Zvika Brakerski and Vinod Vaikuntanathan. 2014. Efficient fully homomorphic encryption from (standard) LWE. SIAM J. Comput. 43, 2 (2014), 831--871.
  12. David Cash, Paul Grubbs, Jason Perry, and Thomas Ristenpart. 2015. Leakage-abuse attacks against searchable encryption. In Proceedings of the 22nd ACM SIGSAC conference on computer and communications security. ACM, 668--679.
  13. Zhao Chang, Dong Xie, and Feifei Li. 2016. Oblivious RAM: a dissection and experimental evaluation. Proceedings of the VLDB Endowment 9, 12 (2016), 1113--1124.
  14. Ilaria Chillotti, Nicolas Gama, Mariya Georgieva, and Malika Izabachène. 2016. Faster Fully Homomorphic Encryption: Bootstrapping in Less Than 0.1 Seconds. In Advances in Cryptology - ASIACRYPT 2016 - 22nd International Conference on the Theory and Application of Cryptology and Information Security, Hanoi, Vietnam, December 4--8, 2016, Proceedings, Part I. 3--33. https://doi.org/10.1007/978-3-662-53887-6_1
  15. Ilaria Chillotti, Nicolas Gama, Mariya Georgieva, and Malika Izabachène. 2017. Faster Packed Homomorphic Operations and Efficient Circuit Bootstrapping for TFHE. In Advances in Cryptology - ASIACRYPT 2017 - 23rd International Conference on the Theory and Applications of Cryptology and Information Security, Hong Kong, China, December 3--7, 2017, Proceedings, Part I. 377--408. https://doi.org/10.1007/978-3-319-70694-8_14
  16. Ilaria Chillotti, Nicolas Gama, Mariya Georgieva, and Malika Izabachène. 2017. TFHE: experimental-tfhe repository. (2017). https://github.com/tfhe/experimental-tfhe.
  17. Ilaria Chillotti, Nicolas Gama, Mariya Georgieva, and Malika Izabachène. August 2016. TFHE: Fast Fully Homomorphic Encryption Library. (August 2016). https://tfhe.github.io/tfhe/.
  18. Ilaria Chillotti, Nicolas Gama, Mariya Georgieva, and Malika Izabachène. 2018. TFHE: Fast Fully Homomorphic Encryption over the Torus. Cryptology ePrint Archive, Report 2018/421. https://eprint.iacr.org/2018/421.
  19. Natacha Crooks, Matthew Burke, Ethan Cecchetti, Sitar Harel, Rachit Agarwal, and Lorenzo Alvisi. 2018. Obladi: Oblivious serializable transactions in the cloud. In 13th USENIX Symposium on Operating Systems Design and Implementation (OSDI). 727--743.
  20. Ivan Damgård and Mads Jurik. 2001. A generalisation, a simplification and some applications of paillier's probabilistic public-key system. In International Workshop on Public Key Cryptography. Springer, 119--136.
  21. Jonathan L Dautrich Jr, Emil Stefanov, and Elaine Shi. 2014. Burst ORAM: Minimizing ORAM Response Times for Bursty Access Patterns. In USENIX Security Symposium. USENIX Association, 749--764.
  22. Srinivas Devadas, Marten van Dijk, Christopher Fletcher, Ling Ren, Elaine Shi, and Daniel Wichs. 2016. Onion ORAM: A constant bandwidth blowup oblivious RAM. In Theory of Cryptography Conference. Springer, 145--174.
  23. Christopher Fletcher, Marten van Dijk, and Srinivas Devadas. 2012. A secure processor architecture for encrypted computation on untrusted programs. In Proceedings of the seventh ACM workshop on Scalable trusted computing. ACM, 3--8.
  24. Christopher Fletcher, Ling Ren, Albert Kwon, Marten van Dijk, and Srinivas Devadas. 2015. Freecursive oram: [nearly] free recursion and integrity verification for position-based oblivious ram. In ACM SIGARCH Computer Architecture News, Vol. 43. ACM, 103--116.
  25. Craig Gentry, Kenny A Goldman, Shai Halevi, Charanjit Jutla, Mariana Raykova, and Daniel Wichs. 2013. Optimizing ORAM and using it efficiently for secure computation. In International Symposium on Privacy Enhancing Technologies Symposium. Springer, 1--18.
  26. Craig Gentry, Shai Halevi, Charanjit Jutla, and Mariana Raykova. 2015. Private database access with HE-over-ORAM architecture. In International Conference on Applied Cryptography and Network Security. Springer, 172--191.
  27. Craig Gentry, Amit Sahai, and Brent Waters. 2013. Homomorphic Encryption from Learning with Errors: Conceptually-Simpler, Asymptotically-Faster, Attribute-Based. IACR Cryptology ePrint Archive 2013 (2013), 340. http://eprint.iacr.org/2013/340
  28. Oded Goldreich. 1987. Towards a theory of software protection and simulation by oblivious RAMs. In Proceedings of the nineteenth annual ACM symposium on Theory of computing. ACM, 182--194.
  29. Oded Goldreich and Rafail Ostrovsky. 1996. Software protection and simulation on oblivious RAMs. Journal of the ACM (JACM) 43, 3 (1996), 431--473.
  30. Michael T Goodrich, Michael Mitzenmacher, Olga Ohrimenko, and Roberto Tamassia. 2011. Oblivious RAM simulation with efficient worst-case access overhead. In Proceedings of the 3rd ACM workshop on Cloud computing security workshop. ACM, 95--100.
  31. Shai Halevi and Victor Shoup. May 2019. HElib - An Implementation of homomorphic encryption. (May 2019). https://github.com/homenc/HElib.
  32. Thang Hoang, Ceyhun D Ozkaptan, Attila A Yavuz, Jorge Guajardo, and Tam Nguyen. 2017. S3ORAM: A Computation-Efficient and Constant Client Bandwidth Blowup ORAM with Shamir Secret Sharing. In Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security. ACM, 491--505.
  33. Yan Huang, David Evans, and Jonathan Katz. 2012. Private set intersection: Are garbled circuits better than custom protocols?. In NDSS.
  34. Mohammad Saiful Islam, Mehmet Kuzu, and Murat Kantarcioglu. 2012. Access Pattern disclosure on Searchable Encryption: Ramification, Attack and Mitigation. In Network and Distributed System Security, Vol. 20. 12.
  35. Mohammad Saiful Islam, Mehmet Kuzu, and Murat Kantarcioglu. 2014. Inference attack against encrypted range queries on outsourced databases. In Proceedings of the 4th ACM conference on Data and application security and privacy. ACM, 235--246.
  36. Georgios Kellaris, George Kollios, Kobbi Nissim, and Adam O'Neill. 2016. Generic attacks on secure outsourced databases. In Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security. ACM, 1329--1340.
  37. Eyal Kushilevitz, Steve Lu, and Rafail Ostrovsky. 2012. On the (in)-security of hash-based oblivious RAM and a new balancing scheme. In Proceedings of the 23rd annual ACM-SIAM symposium on Discrete Algorithms. Society for Industrial and Applied Mathematics, 143--156.
  38. Eyal Kushilevitz and Tamer Mour. 2018. Sub-logarithmic distributed oblivious RAM with small block size. arXiv preprint arXiv:1802.05145 (2018).
  39. Kasper Green Larsen and Jesper Buus Nielsen. 2018. Yes, there is an oblivious RAM lower bound!. In Annual International Cryptology Conference. Springer, 523--542.
  40. Chang Liu, Austin Harris, Martin Maas, Michael Hicks, Mohit Tiwari, and Elaine Shi. 2015. Ghostrider: A hardware-software system for memory trace oblivious computation. ACM SIGPLAN Notices 50, 4 (2015), 87--101.
  41. Steve Lu and Rafail Ostrovsky. 2013. Distributed oblivious RAM for secure two-party computation. In Theory of Cryptography. Springer, 377--396.
  42. Vadim Lyubashevsky, Chris Peikert, and Oded Regev. 2010. On ideal lattices and learning with errors over rings. In Annual International Conference on the Theory and Applications of Cryptographic Techniques. Springer, 1--23.
  43. Martin Maas, Eric Love, Emil Stefanov, Mohit Tiwari, Elaine Shi, Krste Asanovic, John Kubiatowicz, and Dawn Song. 2013. Phantom: Practical oblivious computation in a secure processor. In Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security. ACM, 311--324.
  44. Travis Mayberry, Erik-Oliver Blass, and Agnes Hui Chan. 2014. Efficient Private File Retrieval by Combining ORAM and PIR. In Network and Distributed System Security.
  45. Tarik Moataz, Travis Mayberry, and Erik-Oliver Blass. 2015. Constant communication ORAM with small blocksize. In Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security. ACM, 862--873.
  46. Kartik Nayak, Christopher Fletcher, Ling Ren, Nishanth Chandran, Satya Lokam, Elaine Shi, and Vipul Goyal. 2017. HOP: Hardware makes obfuscation practical. In Network and Distributed System Security.
  47. Rafail Ostrovsky and Victor Shoup. 1997. Private information storage. In Proceedings of the twenty-ninth annual ACM symposium on Theory of computing. ACM, 294--303.
  48. Sarvar Patel, Giuseppe Persiano, Mariana Raykova, and Kevin Yeo. 2018. PanORAMa: Oblivious RAM with logarithmic overhead. In 2018 IEEE 59th Annual Symposium on Foundations of Computer Science (FOCS). IEEE, 871--882.
  49. Chris Peikert, Oded Regev, and Noah Stephens-Davidowitz. 2017. Pseudorandomness of ring-LWE for any ring and modulus. In Proceedings of the 49th Annual ACM SIGACT Symposium on Theory of Computing. ACM, 461--473.
  50. Ashay Rane, Calvin Lin, and Mohit Tiwari. 2015. Raccoon: Closing Digital Side-Channels through Obfuscated Execution. In USENIX Security Symposium. 431--446.
  51. Oded Regev. 2005. On lattices, learning with errors, random linear codes, and cryptography. In Proceedings of the 37th Annual ACM Symposium on Theory of Computing, Baltimore, MD, USA, May 22--24, 2005. 84--93. http://doi.acm.org/10.1145/1060590.1060603
  52. Ling Ren, Christopher Fletcher, Albert Kwon, Emil Stefanov, Elaine Shi, Marten Van Dijk, and Srinivas Devadas. 2015. Constants Count: Practical Improvements to Oblivious RAM. In USENIX Security Symposium. 415--430.
  53. Ling Ren, Christopher Fletcher, Albert Kwon, Marten van Dijk, and Srinivas Devadas. 2018. Design and implementation of the ascend secure processor. IEEE Transactions on Dependable and Secure Computing (2018).
  54. Cetin Sahin, Victor Zakhary, Amr El Abbadi, Huijia Lin, and Stefano Tessaro. 2016. Taostore: Overcoming asynchronicity in oblivious data storage. In IEEE Symposium on Security and Privacy. IEEE, 198--217.
  55. Sajin Sasy, Sergey Gorbunov, and Christopher Fletcher. 2018. ZeroTrace: Oblivious memory primitives from Intel SGX. In Network and Distributed System Security.
  56. Elaine Shi, T-H Hubert Chan, Emil Stefanov, and Mingfei Li. 2011. Oblivious RAM with O((log N)^3) worst-case cost. In International Conference on The Theory and Application of Cryptology and Information Security. Springer, 197--214.
  57. Emil Stefanov, Marten Van Dijk, Elaine Shi, T.-H. Hubert Chan, Christopher Fletcher, Ling Ren, Xiangyao Yu, and Srinivas Devadas. 2018. Path ORAM: An Extremely Simple Oblivious RAM Protocol. J. ACM 65, 4 (2018), 18:1--18:26.
  58. Emil Stefanov and Elaine Shi. 2013. Multi-cloud oblivious storage. In Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security. ACM, 247--258.
  59. Emil Stefanov and Elaine Shi. 2013. Oblivistore: High performance oblivious cloud storage. In 2013 IEEE Symposium on Security and Privacy. IEEE, 253--267.
  60. Emil Stefanov, Elaine Shi, and Dawn Song. 2012. Towards practical oblivious RAM. In Network and Distributed System Security.
  61. Emil Stefanov, Marten Van Dijk, Elaine Shi, Christopher Fletcher, Ling Ren, Xiangyao Yu, and Srinivas Devadas. 2013. Path ORAM: an extremely simple oblivious RAM protocol. In Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security. ACM, 299--310.
  62. Damien Stehlé, Ron Steinfeld, Keisuke Tanaka, and Keita Xagawa. 2009. Efficient Public Key Encryption Based on Ideal Lattices. In Advances in Cryptology - ASIACRYPT 2009, 15th International Conference on the Theory and Application of Cryptology and Information Security, Tokyo, Japan, December 6--10, 2009. Proceedings. 617--635. https://doi.org/10.1007/978-3-642-10366-7_36
  63. Wenhao Wang, Guoxing Chen, Xiaorui Pan, Yinqian Zhang, XiaoFeng Wang, Vincent Bindschaedler, Haixu Tang, and Carl A Gunter. 2017. Leaky cauldron on the dark land: Understanding memory side-channel hazards in SGX. In Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security. ACM, 2421--2434.
  64. Xiao Wang, Hubert Chan, and Elaine Shi. 2015. Circuit oram: On tightness of the goldreich-ostrovsky lower bound. In Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security. ACM, 850--861.
  65. Peter Williams, Radu Sion, and Bogdan Carbunar. 2008. Building castles out of mud: practical access pattern privacy and correctness on untrusted storage. In Proceedings of the 15th ACM conference on Computer and communications security. ACM, 139--148.
  66. Yuanzhong Xu, Weidong Cui, and Marcus Peinado. 2015. Controlled-channel attacks: Deterministic side channels for untrusted operating systems. In IEEE Symposium on Security and Privacy. IEEE, 640--656.
  67. Yupeng Zhang, Jonathan Katz, and Charalampos Papamanthou. 2016. All Your Queries Are Belong to Us: The Power of File-Injection Attacks on Searchable Encryption. In USENIX Security Symposium. 707--720.

Published in

CCS '19: Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security
November 2019
2755 pages
ISBN: 9781450367479
DOI: 10.1145/3319535

Copyright © 2019 ACM

Publisher

Association for Computing Machinery, New York, NY, United States

Acceptance Rates

CCS '19 Paper Acceptance Rate: 149 of 934 submissions, 16%
Overall Acceptance Rate: 1,261 of 6,999 submissions, 18%
