Presentation is loading. Please wait.

Presentation is loading. Please wait.

Path Oram An Extremely Simple Oblivious RAM Protocol

Published byHarry GΓ€rtner Modified over 5 years ago

Similar presentations

Presentation on theme: "Path Oram An Extremely Simple Oblivious RAM Protocol"β€” Presentation transcript:

1 Path Oram An Extremely Simple Oblivious RAM Protocol
Aaron Chu Presentation for the course of Network Security Saturday, July 13, 2019

2 Cheat Engine

3 Access patterns leak: 80% of search queries to encrypted database!
Why it Concerns us ? Access patterns leak: 80% of search queries to encrypted database!

4 The Solution Oblivious RAM (Random Access Machine) :
The goal is to access data without revealing the access patterns. ORAM Algorithms: NaΓ―ve ORAM Square Root ORAM Path ORAM

5 What to hide? Which data is being accessed.
How old it is when it was last accessed. Whether the same data is being accessed. Whether it is sequentially accessed or randomly accessed. Whether the access is read or write.

6 What is a Good ORAM Algorithm?
Correctness: The construction is correct, i.e., it returns data consistent with the request sequence. Obliviousness: For any two request sequences 𝑦 , 𝑧 with 𝑦 = 𝑧 , we have: 𝐴( 𝑦 ) β‰ˆ 𝑐 𝐴( 𝑧 ) for anyone except the client Performance

7 The Model Client Storage Server Application Capacity: 𝑁 blocks

8 NaΓ―ve Solution For each block we do the following operations:
Server 𝑇: table of N blocks Works: - Correct - Oblivious For each block we do the following operations: Get the bock from the server. Decrypt the block. Read or write to the block if necessary. Re-encrypt the block with a different key. Write back the block to the storage system. Overhead: O(N) - Read the entire table for every access

9 Square Root Algorithm For each of NΒ½ requests: After NΒ½ requests:
N blocks NΒ½ dummy blocks NΒ½ block shelter For each of NΒ½ requests: Look for block in the shelter If not found, get block from permuted memory, put it in shelter Otherwise access the next dummy block After NΒ½ requests: Reshuffle permuted memory, obliviously update with values in shelter Permuted memory - Correct - Oblivious Overhead: O(NΒ½)

10 Data Shuffling Use a sorting network:
Permuted memory Use a sorting network: Oblivious shuffling: sort based on a PRF 𝐹 𝑠 (β‹…) Enc π‘˜ ((π‘₯, 𝐹 𝑠 (𝑖)) Enc π‘˜ ((𝑦, 𝐹 𝑠 (𝑗)) Sorted based on: 𝐹 𝑠 𝑖 < 𝐹 𝑠 (𝑗)

11 Path oram Most practical ORAM construction to date.
Highly efficiency and low overhead. Simple algorithm (16 lines of code is enough). Structure Server side: Binary Tree (It doesn’t have to be a binary tree) Client side: Position Map, Stash

12 Path oram – Server end layout
some nodes are empty nodes can contain multiple blocks bucket block N : number of blocks B: block size in bits. Z: Bucket size. L: Height of the tree L = log 𝑁 -1. Data blocks stored in nodes of the tree on server end. It’s a complete binary tree. Blocks can just be arranged as an array.

13 Path oram – Block position
7 8 3 4 5 6 1 2 Position comes from the leave sequence number. The position of the block is chosen randomly from 1 – 2^L (total number of leaves).

14 Path oram – Block position
7 8 3 4 5 6 1 2 A block must be placed on the path to its β€œposition”, if the block is at position 5 it can only be place in this path.

15 Path oram – Block Position
7 8 3 4 5 6 1 2 A block must be placed on the path to its β€œposition”, if the block is at position 1 it can only be place in this path.

16 Position map 1 2 3 4 Server Client Block No. 1 2 … … …. …. 13 14 3
3 4 1 2 14 9 3 2 1 7 4 11 13 5 10 6 Server Client Block No. 1 2 … … …. …. 13 14 3 Position

17 Stash one block Stash is a cache for blocks.
Stash is used to store blocks overflowed from the server. Stash (size is 9) one block

18 The logic Read the entire path which contains the block requested.
Update the block if necessary. Remap the block to a new position randomly. Re-encrypt the block with a different key. Writeback the whole path.

19 Example – Modify Block 7 1 2 3 4 Server Client Block No. 1 2 3 4 5 6 7
3 4 1 2 14 3 12 1 7 4 11 13 2 5 10 6 Server Client Block No. 1 2 3 4 5 6 7 8 9 10 11 12 13 14 Position Stash 8 9

20 Example 1 2 3 4 Server Client Block No. 1 2 3 4 5 6 7 8 9 10 11 12 13
3 4 1 2 14 3 12 1 7 4 11 13 2 5 10 6 Server Client Block No. 1 2 3 4 5 6 7 8 9 10 11 12 13 14 Position 1. Lookup block’s position Stash 8 9

21 Example 1 2 3 4 2. Read the entire path Server Client Block No. 1 2 3
3 4 1 2 14 3 12 1 7 4 11 13 2 5 10 6 2. Read the entire path Server Client Block No. 1 2 3 4 5 6 7 8 9 10 11 12 13 14 Position Data is decrypted and stored in the stash. Stash 8 9 1 7 13 10 6

22 Example 1 2 3 4 Server Client Block No. 1 2 3 4 5 6 7 8 9 10 11 12 13
3 4 1 2 14 3 12 1 7 4 11 13 2 5 10 6 Server Client Block No. 1 2 3 4 5 6 7 8 9 10 11 12 13 14 Position 3. Client read/modify block 7. Stash 8 9 1 7 13 10 6

23 Example 1 2 3 4 Server Client Block No. 1 2 3 4 5 6 7 8 9 10 11 12 13
3 4 1 2 14 3 12 1 7 4 11 13 2 5 10 6 Server Client Block No. 1 2 3 4 5 6 7 8 9 10 11 12 13 14 Position 4. Assign a new random position. Stash 8 9 1 7 13 10 6

24 Example 1 2 3 4 The deepest bucket first. Try the upper level if full.
3 4 1 2 14 3 12 4 11 2 5 The deepest bucket first. Try the upper level if full. 5. Write path back Blocks should be pushed down as deep as possible. Blocks should be always on the path to its position. Server Try root level if full. Client Block No. 1 2 3 4 5 6 7 8 9 10 11 12 13 14 Position Store in the stash if root is full. Stash 8 9 1 7 13 10 6

25 Example 3 4 1 2 14 3 12 4 11 2 5 Block 8, 1, 13 can end up at any buckets on the entire path. Server Client Block No. 1 2 3 4 5 6 7 8 9 10 11 12 13 14 Position Stash 8 9 1 7 13 10 6

26 Example 1 2 3 4 Block 9, 7, 10, 6 can end up at these buckets. Server
3 4 1 2 14 3 12 4 11 2 5 Block 9, 7, 10, 6 can end up at these buckets. Server Client Block No. 1 2 3 4 5 6 7 8 9 10 11 12 13 14 Position Stash 8 9 1 7 13 10 6

27 Example 1 2 3 4 When writing back:
3 4 1 2 14 3 12 8 13 4 11 1 7 2 5 9 6 When writing back: Client pads dummy bocks if the bucket is not full. All the blocks are re-encrypted using a randomized encryption scheme. Server Client Block No. 1 2 3 4 5 6 7 8 9 10 11 12 13 14 Position Stash 10

28 Size of the postion map log 𝑁 bits are need to store the position for each block in the position map. 𝑁 log 𝑁 bits are needed in total. Position map needs to be stored on the client side. What if the position map is too large for a client to keep ?

29 Recursive Paht ORAM ORAM #1 ORAM #2 Position Map for #1 ORAM #3
Server Client Position Map

30 Overhead of Path Oram

31 Pr 𝑝 = 𝑖=1 π‘ž Pr⁑{ pos 𝑖 π‘Ž 𝑖 } = 2 βˆ’πΏ q
Why it is secure? Obliviousness: Server sees 𝐴( 𝑦 ) which is a sequence 𝑝 = pos 1 [ π‘Ž 1 ],…, pos π‘ž [ π‘Ž π‘ž ] pos 𝑖 [ π‘Ž 𝑖 ] is the position of address π‘Ž 𝑖 based on the position map, together with a sequence of encrypted paths 𝑃( pos 𝑖 π‘Ž 𝑖 ) Proof: For 𝑖<𝑗: pos 𝑗 π‘Ž 𝑗 is statistically independent of pos 𝑖 π‘Ž 𝑖 Observe that: If π‘Ž 𝑖 = π‘Ž 𝑗 : Once pos 𝑖 π‘Ž 𝑖 is revealed, it is remapped to a new random label If π‘Ž 𝑖 β‰  π‘Ž 𝑗 : positions of different addresses are independent Therefore by Bayes rule: Pr 𝑝 = 𝑖=1 π‘ž Pr⁑{ pos 𝑖 π‘Ž 𝑖 } = 2 βˆ’πΏ q

32 Stash Size When Z = 5, stash size is R. The probability that the stash overflows is : The size of the stash is independent on N. A constant number is enough to keep the possibility low enough.

33 Integrity – Merkel Tree

34 Evaluation – Stash size vs Security

35 Evaluation – Stash size vs Security

36 Evaluation – Bucket Loads

37 Evaluation – Stash size vs Blocks

38 Thank you

39 References https://www.slideshare.net/ShijieZhang2/path-oram

Download ppt "Path Oram An Extremely Simple Oblivious RAM Protocol"

Similar presentations

Oblivious Branching Program Evaluation

Oblivious Branching Program Evaluation
Kai-Min Chung (Academia Sinica) joint work with Zhenming Liu (Princeton) and Rafael Pass (Cornell NY Tech)

Kai-Min Chung (Academia Sinica) joint work with Zhenming Liu (Princeton) and Rafael Pass (Cornell NY Tech)
Quick Review of Apr 10 material B+-Tree File Organization –similar to B+-tree index –leaf nodes store records, not pointers to records stored in an original.

Quick Review of Apr 10 material B+-Tree File Organization –similar to B+-tree index –leaf nodes store records, not pointers to records stored in an original.
CS7380: Privacy Aware Computing Oblivious RAM 1. Motivation  Starting from software protection Prevent from software piracy A valid method is using hardware.

CS7380: Privacy Aware Computing Oblivious RAM 1. Motivation  Starting from software protection Prevent from software piracy A valid method is using hardware.
2010/3/81 Lecture 8 on Physical Database DBMS has a view of the database as a collection of stored records, and that view is supported by the file manager.

2010/3/81 Lecture 8 on Physical Database DBMS has a view of the database as a collection of stored records, and that view is supported by the file manager.
1 Indexing Structures for Files. 2 Basic Concepts  Indexing mechanisms used to speed up access to desired data without having to scan entire.

1 Indexing Structures for Files. 2 Basic Concepts  Indexing mechanisms used to speed up access to desired data without having to scan entire.
File Structures Dale-Marie Wilson, Ph.D.. Basic Concepts Primary storage Main memory Inappropriate for storing database Volatile Secondary storage Physical.

File Structures Dale-Marie Wilson, Ph.D.. Basic Concepts Primary storage Main memory Inappropriate for storing database Volatile Secondary storage Physical.
ObliviStore High Performance Oblivious Cloud Storage Emil StefanovElaine Shi

ObliviStore High Performance Oblivious Cloud Storage Emil StefanovElaine Shi
Indexing. Goals: Store large files Support multiple search keys Support efficient insert, delete, and range queries.

Indexing. Goals: Store large files Support multiple search keys Support efficient insert, delete, and range queries.
1 Physical Data Organization and Indexing Lecture 14.

1 Physical Data Organization and Indexing Lecture 14.
Oblivious Data Structures Xiao Shaun Wang, Kartik Nayak, Chang Liu, T-H. Hubert Chan, Elaine Shi, Emil Stefanov, Yan Huang 1.

Oblivious Data Structures Xiao Shaun Wang, Kartik Nayak, Chang Liu, T-H. Hubert Chan, Elaine Shi, Emil Stefanov, Yan Huang 1.
IP Address Lookup Masoud Sabaei Assistant professor

IP Address Lookup Masoud Sabaei Assistant professor
1 CPS216: Advanced Database Systems Notes 04: Operators for Data Access Shivnath Babu.

1 CPS216: Advanced Database Systems Notes 04: Operators for Data Access Shivnath Babu.
Β© 2006 Pearson Addison-Wesley. All rights reserved13 B-1 Chapter 13 (continued) Advanced Implementation of Tables.

Β© 2006 Pearson Addison-Wesley. All rights reserved13 B-1 Chapter 13 (continued) Advanced Implementation of Tables.
Introduction to DFS. Distributed File Systems A file system whose clients, servers and storage devices are dispersed among the machines of a distributed.

Introduction to DFS. Distributed File Systems A file system whose clients, servers and storage devices are dispersed among the machines of a distributed.
MA/CSSE 473 Day 28 Dynamic Programming Binomial Coefficients Warshall's algorithm Student questions?

MA/CSSE 473 Day 28 Dynamic Programming Binomial Coefficients Warshall's algorithm Student questions?
Merkle trees Introduced by Ralph Merkle, 1979 An authentication scheme

Merkle trees Introduced by Ralph Merkle, 1979 An authentication scheme
Physical Database Design Purpose- translate the logical description of data into the technical specifications for storing and retrieving data Goal - create.

Physical Database Design Purpose- translate the logical description of data into the technical specifications for storing and retrieving data Goal - create.
Chapter 13 C Advanced Implementations of Tables – Hash Tables.

Chapter 13 C Advanced Implementations of Tables – Hash Tables.
Onion ORAM: A Constant Bandwidth Blowup ORAM

Onion ORAM: A Constant Bandwidth Blowup ORAM

Similar presentations

Ads by Google