CS7380: Privacy Aware Computing Oblivious RAM 1

Motivation  Starting from software protection Prevent from software piracy A valid method is using hardware key to protect the validity of the software; hardware key cannot be duplicated Still the memory access between the HW and SW components can leak information  Attacker can deceive or skip the checking with the HW component

Oblivious RAM definition  How to protect from observing memory access pattern? Memory access is probabilistic The probabilistic distribution is independent of the input

First solution: the square-root algorithm 1.For each accesses, randomly permute the first m+ memory 2.For accessing a word, check the sheltered words first. If it is there, we access one of the dummy words 2. If it is not there, find the permuted location  (i). t steps of original RAM access can be simulated with t+sqrt(m) steps ORAM

Key operation  Oblivious random permutation Random mapping f: {1,2,..,n} -> {1,2,..,n logn }, so that (i)=k if f(i) is the k- smallest in f(1)..f(n) Using Batcher’s Sorting Network to sort permuted tags f(i) – the sequence of access if fixed, independent of input  binary search over the sorted tags f(i) to find (i)

Cost analysis  Per access cost :

The hierarchical algorithm  Each memory cell is modeled as (Vi, Xi) Vi is the location, Xi is the value  Basic idea Consider the shelter memory as a buffer; extend it to multiple levels of buffers Use oblivious hash function

Hierarchical scheme

Setting  each level i has 4 i buckets  Each bucket has log t items, where t is the total number of accesses by the current program  Total number of levels N = 1+ ceil(log 4 t)  Each level has a randomly selected hash function

 Initially Load program to the N level, which has 4t buckets  For each level If (V, X) is already found, randomly pick a bucket to access Otherwise, check the bucket h_i(V)  Put (V, X) to the 1 st level (may cause overflowing to the lower levels). If the first i levels are full, move all 1 to i levels to i+1 levels and empty the first i levels

 Reading Check the bucket h_i(V) from each level i Only one real match Remaining are dummy entries Client Server real dummy

 Writing Chose a new hash for level i+1, Shuffle consecutively filled levels. Write into next unfilled level. Clear the source levels Server (before) Server (after) Client shuffle values

Cost analysis  time cost: Each level cost O(log t), total log t levels Cost per access: O((log t) 2 ) Hashing cost: O(t(log t) 3 )  Storage cost (t log t)

Improved schemes  Paper: oblivious ram revisited  Improvement Storage O(n) Time O((log n) 2 ) In context of cloud computing  Key idea Using Cuckoo hashing  Mapping n items to 2(1+e)n bins and at most a signle item is mapped into a bin  Reduce storage to O(n) Randomized shell sort

Williams and Sion solution  Usable PIR. In NDSS,  Use O(sqrt(n)) secure client side memory and oblivious merge sort to improve the performance to O((log n) 2 )  Building castles out of mud: Practical access pattern privacy and correctness on untrusted storage. In ACM CCS,2008 Use Bloom Filter to further improve the performance to O(logn*loglog n)

A number of methods Pinkas and Reinman

Remaining challenges  Storage cost  Reshuffling  Client-server interactions

Most recent development  ObliviousRam/ ObliviousRam/  Oblivious storage