1. CS7380: Privacy Aware Computing Oblivious RAM 1

2. Motivation  Starting from software protection Prevent from software piracy A valid method is using hardware key to protect the validity of the software; hardware key cannot be duplicated Still the memory access between the HW and SW components can leak information  Attacker can deceive or skip the checking with the HW component

3. Oblivious RAM definition  How to protect from observing memory access pattern? Memory access is probabilistic The probabilistic distribution is independent of the input

4. First solution: the square-root algorithm 1.For each accesses, randomly permute the first m+ memory 2.For accessing a word, check the sheltered words first. If it is there, we access one of the dummy words 2. If it is not there, find the permuted location  (i). t steps of original RAM access can be simulated with t+sqrt(m) steps ORAM

5. Key operation  Oblivious random permutation Random mapping f: {1,2,..,n} -> {1,2,..,n logn }, so that (i)=k if f(i) is the k- smallest in f(1)..f(n) Using Batcher’s Sorting Network to sort permuted tags f(i) – the sequence of access if fixed, independent of input  binary search over the sorted tags f(i) to find (i)

6. Cost analysis  Per access cost :

7. The hierarchical algorithm  Each memory cell is modeled as (Vi, Xi) Vi is the location, Xi is the value  Basic idea Consider the shelter memory as a buffer; extend it to multiple levels of buffers Use oblivious hash function

8. Hierarchical scheme

9. Setting  each level i has 4 i buckets  Each bucket has log t items, where t is the total number of accesses by the current program  Total number of levels N = 1+ ceil(log 4 t)  Each level has a randomly selected hash function

10.  Initially Load program to the N level, which has 4t buckets  For each level If (V, X) is already found, randomly pick a bucket to access Otherwise, check the bucket h_i(V)  Put (V, X) to the 1 st level (may cause overflowing to the lower levels). If the first i levels are full, move all 1 to i levels to i+1 levels and empty the first i levels

11.  Reading Check the bucket h_i(V) from each level i Only one real match Remaining are dummy entries Client Server real dummy

12.  Writing Chose a new hash for level i+1, Shuffle consecutively filled levels. Write into next unfilled level. Clear the source levels Server (before) Server (after) Client shuffle values

13. Cost analysis  time cost: Each level cost O(log t), total log t levels Cost per access: O((log t) 2 ) Hashing cost: O(t(log t) 3 )  Storage cost (t log t)

14. Improved schemes  Paper: oblivious ram revisited  Improvement Storage O(n) Time O((log n) 2 ) In context of cloud computing  Key idea Using Cuckoo hashing  Mapping n items to 2(1+e)n bins and at most a signle item is mapped into a bin  Reduce storage to O(n) Randomized shell sort

15. Williams and Sion solution  Usable PIR. In NDSS, 2008.  Use O(sqrt(n)) secure client side memory and oblivious merge sort to improve the performance to O((log n) 2 )  Building castles out of mud: Practical access pattern privacy and correctness on untrusted storage. In ACM CCS,2008 Use Bloom Filter to further improve the performance to O(logn*loglog n)

16. A number of methods Pinkas and Reinman

17. Remaining challenges  Storage cost  Reshuffling  Client-server interactions

18. Most recent development  http://www.emilstefanov.net/Research/ ObliviousRam/ http://www.emilstefanov.net/Research/ ObliviousRam/  Oblivious storage