Oblivious Data Structures Xiao Shaun Wang, Kartik Nayak, Chang Liu, T-H. Hubert Chan, Elaine Shi, Emil Stefanov, Yan Huang 1.

Slides:



Advertisements
Similar presentations
Planar point location -- example
Advertisements

Oblivious Branching Program Evaluation
AVL Trees1 Part-F2 AVL Trees v z. AVL Trees2 AVL Tree Definition (§ 9.2) AVL trees are balanced. An AVL Tree is a binary search tree such that.
Kai-Min Chung (Academia Sinica) joint work with Zhenming Liu (Princeton) and Rafael Pass (Cornell NY Tech)
1 abstract containers hierarchical (1 to many) graph (many to many) first ith last sequence/linear (1 to 1) set.
CHAPTER 5 PRIORITY QUEUES (HEAPS) §1 ADT Model Objects: A finite ordered list with zero or more elements. Operations:  PriorityQueue Initialize( int.
ORAM – Used for Secure Computation by Venkatasatheesh Piduri 1.
Automating Efficient RAM- Model Secure Computation Chang Liu, Yan Huang, Elaine Shi, Jonathan Katz, Michael Hicks University of Maryland, College Park.
CS7380: Privacy Aware Computing Oblivious RAM 1. Motivation  Starting from software protection Prevent from software piracy A valid method is using hardware.
FALL 2006CENG 351 Data Management and File Structures1 External Sorting.
Review for Test 2 i206 Fall 2010 John Chuang. 2 Topics  Operating System and Memory Hierarchy  Algorithm analysis and Big-O Notation  Data structures.
Course Review COMP171 Spring Hashing / Slide 2 Elementary Data Structures * Linked lists n Types: singular, doubly, circular n Operations: insert,
Nick Harvey & Kevin Zatloukal
CS 206 Introduction to Computer Science II 04 / 29 / 2009 Instructor: Michael Eckmann.
Priority Queues. Priority queue A stack is first in, last out A queue is first in, first out A priority queue is least-first-out –The “smallest” element.
CS 206 Introduction to Computer Science II 12 / 10 / 2008 Instructor: Michael Eckmann.
1 abstract containers hierarchical (1 to many) graph (many to many) first ith last sequence/linear (1 to 1) set.
Tirgul 4 Order Statistics Heaps minimum/maximum Selection Overview
Chang Liu, Michael Hicks, Elaine Shi The University of Maryland, College Park.
ObliviStore High Performance Oblivious Cloud Storage Emil StefanovElaine Shi
1 Hash Tables  a hash table is an array of size Tsize  has index positions 0.. Tsize-1  two types of hash tables  open hash table  array element type.
ObliVM: A Programming Framework for Secure Computation
ObliVM: A Programming Framework for Secure Computation
GraphSC: Parallel Secure Computation Made Easy Kartik Nayak With Xiao Shaun Wang, Stratis Ioannidis, Udi Weinsberg, Nina Taft, Elaine Shi 1.
Merge Sort. What Is Sorting? To arrange a collection of items in some specified order. Numerical order Lexicographical order Input: sequence of numbers.
The Binary Heap. Binary Heap Looks similar to a binary search tree BUT all the values stored in the subtree rooted at a node are greater than or equal.
Computer Algorithms Submitted by: Rishi Jethwa Suvarna Angal.
DATA STRUCTURE & ALGORITHMS (BCS 1223) NURUL HASLINDA NGAH SEMESTER /2014.
Outline Binary Trees Binary Search Tree Treaps. Binary Trees The empty set (null) is a binary tree A single node is a binary tree A node has a left child.
CSE221/ICT221 Analysis and Design of Algorithms CSE221/ICT221 Analysis and Design of Algorithms Analysis of Algorithm using Tree Data Structure Asst.Prof.
Data Structures Types of Data Structure Data Structure Operations Examples Choosing Data Structures Data Structures in Alice.
CSC 213 – Large Scale Programming Lecture 18: Zen & the Art of O (log n ) Search.
Privacy Preserving Payments in Credit Networks By: Moreno-Sanchez et al from Saarland University Presented By: Cody Watson Some Slides Borrowed From NDSS’15.
Heaps and basic data structures David Kauchak cs161 Summer 2009.
Cryptography Against Physical Attacks Dana Dachman-Soled University of Maryland
Onion ORAM: A Constant Bandwidth Blowup ORAM
Mergeable Heaps David Kauchak cs302 Spring Admin Homework 7?
CS 241 Discussion Section (12/1/2011). Tradeoffs When do you: – Expand Increase total memory usage – Split Make smaller chunks (avoid internal fragmentation)
BITS Pilani Pilani Campus Data Structure and Algorithms Design Dr. Maheswari Karthikeyan Lecture1.
Course: Programming II - Abstract Data Types HeapsSlide Number 1 The ADT Heap So far we have seen the following sorting types : 1) Linked List sort by.
Secure Computation Pragmatics Yan Huang Indiana University May 10, 2016.
Navigation Piles with Applications to Sorting, Priority Queues, and Priority Deques Jyrki Katajainen and Fabio Vitale Department of Computing, University.
CSC317 Selection problem q p r Randomized‐Select(A,p,r,i)
Planning & System installation
Lecture 7 Queues Stacks Trees.
Top 50 Data Structures Interview Questions
Oblivious Parallel RAM: Improved Efficiency and Generic Constructions
OblivP2P: An Oblivious Peer-to-Peer Content Sharing System
DATA STRUCTURES AND OBJECT ORIENTED PROGRAMMING IN C++
OblivP2P: An Oblivious Peer-to-Peer Content Sharing System
Hashing Exercises.
13 Text Processing Hongfei Yan June 1, 2016.
Oblivious RAM: A Dissection and Experimental Evaluation
Cse 373 April 26th – Exam Review.
Map interface Empty() - return true if the map is empty; else return false Size() - return the number of elements in the map Find(key) - if there is an.
original list {67, 33,49, 21, 25, 94} pass { } {67 94}
Verifiable Oblivious Storage
Fundamentals of Python: From First Programs Through Data Structures
Priority Queues.
CS7380: Privacy Aware Computing
Priority Queues.
Priority Queues.
University of Maryland
Fundamentals of Python: From First Programs Through Data Structures
Priority Queues.
Priority Queues & Heaps
OPIM 915 Fall 2010 Data Structures 23-38,
Lecture 21 Amortized Analysis
Path Oram An Extremely Simple Oblivious RAM Protocol
Heaps Chapter 6 Section 6.9.
Presentation transcript:

Oblivious Data Structures Xiao Shaun Wang, Kartik Nayak, Chang Liu, T-H. Hubert Chan, Elaine Shi, Emil Stefanov, Yan Huang 1

s Photos Videos Financial data Medical records Genome data …… Sensitive Data in the Cloud Encrypt your data! 2

Genome data Personalized medication 3

Genome data Kidney problem 4

Access patterns leak sensitive information 5

Oblivious RAM is a cryptographic primitive for provably obfuscating access patterns to data. Hierarchical ORAMs [Goldreich’87] [GO’96] [KLO ’12] Tree-based ORAM [SCSL’11] [Path ORAM’13] 6

How do ORAMs obfuscate access patterns to data? Intuition: 1. Move blocks around 2. For every single access to memory block, access many blocks. 7

Path ORAM achieves O(log 2 N) blowup for small blocks [SDSCFRYD’13] N = 2 30 (1 Giga) c = 8 N: Number of memory blocks, c: constant for Path ORAM c log 2 N = 7200 Access about 7200 memory blocks per block 8 i.Schemes with better asymptotics [KLO’12] ii.Path ORAM with larger block size performs better

Can we do better for limited access patterns? Can we do better? 9

computeFrequency(arr[]): For each x in arr: freq := mem[x] mem[x] := freq + 1 … … 9 … … … 2 … … … … 10 … Access Pattern Graph for a RAM program arr[] Blowup: O(log 2 N / log log N) [KLO’12] mem[]

11 Some real world programs may have limited access patterns due to: 1. Inherent structure in the data or 2. Locality of accesses

12 Bounded-degree trees Trees, Stack, Queue, Heap Blowup: O(log N) Access pattern graphs with low doubling dimensions Linked list, Deque, 2-dim Grid Blowup: O(12 d log 2-1/d N) d=1: O(log N) d=2: O(log 1.5 N) (d: doubling dim) ORAM: O(log 2 N / log log N) [KLO’12]

Access Pattern Graph for a Stack push(stack, value) value := pop(stack)

search(x, root): while(true): if x = root.data return root else if x < root.data root := root.left else root := root.right Access Pattern Graph for a Binary Search Tree 14

For structures with tree-like access patterns, we achieve a blowup of O(log N) Oblivious RAM achieves O(log 2 N/log log N) [KLO’12] 15

Access Pattern Graph on a Grid-like Structure After k accesses, the farthest you can go is k hops away Accesses show “locality” 16

For the grid structure, we achieve a blowup of O(log 1.5 N) Oblivious RAM achieves O(log 2 N/log log N) 17

More Data Structures that Exhibit Locality Linked List Deque 18

For linked list and deque, we achieve a blowup of O(log N) For graphs with low doubling dimensions, we achieve a blowup of O(12 d log 2-1/d N) d: doubling dimension Oblivious RAM achieves O(log 2 N/log log N) 19

Bounded degree trees Pointer-based technique Access pattern graphs with low doubling dimensions Locality-based technique How do we reduce the blowup? Tree, Stack, Queue, Heap Linked list, Deque, 2-dim Grid 20 Blowup: O(log N) Blowup: O(12 d log 2-1/d N)

Position-based ORAM 21 l x Position map Server Client ORAM l Read(x, l ) ReadAndRemove() Add()

r Position-based ORAM 22 r x Position map Server Client Position tag of a block changes after every access ORAM Read(x, l ) Requires accessing O(log N) blocks per access

O(1) Recursion for Tree ORAM Server Client Position based ORAM... Position Map 1 - PM1 (size: N/c) Position Map 2 Position based ORAM for PM1 O (log N) 23 If position map 1 had constant size memory, we do not need recursion. Hence, saving a factor of O(log N). For a tree, we only need to store the position tag for the root.

Pointer-based Technique for Bounded Degree Trees IDData PosPosition map for children AB R Storing position tags of children nodes is an added responsibility. We use an O(log N) cache to solve this problem C 24

A Bounded-degree Tree Operation Read nodes with keys 5, 6, 7 and store them in cache Perform all modifications in cache Update position tags for all nodes Write back Pad with dummy accesses For bounded-degree trees, we achieve a blowup of O(log N). We save O(log N) by avoiding recursion. Parent nodes store position tags of children. 25

Locality-based Technique - Intuition Key Idea: Path ORAM achieves O(log N) overhead for block size ≥ O(log 2 N) bits Can we leverage this to group smaller data nodes into larger blocks? 26

Locality-based Technique Group smaller nodes to form a large block e.g. log N = 25 Block size: O(log 2 N) bits Download block containing (0,0) and neighboring blocks (O(log 3 N) bits) Can be generalized for graphs with low doubling dimensions 1 ORAM block access = log 0.5 N data node accesses of size O(log N) 27 Blowup = O(log 1.5 N)

Oblivious Data Structure: Security insert(root, 10) delete(root, 7) search(root, 2) Security requirement: 1.Do not reveal operands 2.Do not reveal the operation performed Oblivious RAM cannot be directly used. 28

Related Work Efficient, Oblivious Data Structures for MPC [KS’14] Design oblivious priority queue Secure Data Structures based on Multiparty Computation [T’11] Design oblivious priority queue but reveals the type of operation performed Data-oblivious Data Structures [MZ’14] Design oblivious stack, queue and priority queue 29

Application – Oblivious Dynamic Memory Allocation Do not reveal: Amount of memory allocated Location Use a segment tree Each operation requires accessing O(log 3 N) bits 30

Evaluation – Data Structures – Oblivious map Bandwidth blowup Client storage 31 Speedup: 16x for N=2 30

Evaluation – Data Structures - Deque Bandwidth blowup 32 Speedup: 9x for N=2 30

33 Data transferred for oblivious dynamic memory allocation Encryptions for oblivious map on secure computation Bandwidth blowup for random walk on a 2-dim grid Data transmitted for oblivious map on SC Speedup: 2x for N=2 30 Speedup: 9x for N=2 20 Speedup: 1000x for N=2 30 Speedup: 10x for N=2 30

Conclusion Oblivious RAMs can provably hide data access patterns but have a high bandwidth blowup We design oblivious data structures that reduce the bandwidth blowup for limited access patterns For bounded-degree trees, we achieve a blowup of O(log N) For graphs with low doubling dimensions, we achieve a blowup of O(12 d log 2-1/d N) 34

35 Emil Stefanov ( )

Open source implementation on a garbled circuit backend coming soon Stack / Queue Map (AVL tree) Heap Deque Doubly linked list Thank You! 36