16,914 research outputs found
Path ORAM: An Extremely Simple Oblivious RAM Protocol
We present Path ORAM, an extremely simple Oblivious RAM protocol with a small
amount of client storage. Partly due to its simplicity, Path ORAM is the most
practical ORAM scheme known to date with small client storage. We formally
prove that Path ORAM has a O(log N) bandwidth cost for blocks of size B =
Omega(log^2 N) bits. For such block sizes, Path ORAM is asymptotically better
than the best known ORAM schemes with small client storage. Due to its
practicality, Path ORAM has been adopted in the design of secure processors
since its proposal
Statistically-secure ORAM with Overhead
We demonstrate a simple, statistically secure, ORAM with computational
overhead ; previous ORAM protocols achieve only
computational security (under computational assumptions) or require
overheard. An additional benefit of our ORAM is its
conceptual simplicity, which makes it easy to implement in both software and
(commercially available) hardware.
Our construction is based on recent ORAM constructions due to Shi, Chan,
Stefanov, and Li (Asiacrypt 2011) and Stefanov and Shi (ArXiv 2012), but with
some crucial modifications in the algorithm that simplifies the ORAM and enable
our analysis. A central component in our analysis is reducing the analysis of
our algorithm to a "supermarket" problem; of independent interest (and of
importance to our analysis,) we provide an upper bound on the rate of "upset"
customers in the "supermarket" problem
A Simple ORAM
In this short note, we demonstrate a simple and practical ORAM that enjoys an extremely simple proof of security. Our construction is based on a recent ORAM due to Shi, Chan, Stefanov and Li (Asiacrypt\u2711), but
with some crucial modifications, which significantly simply the analysis
Path ORAM: An Extremely Simple Oblivious RAM Protocol
We present Path ORAM, an extremely simple Oblivious RAM protocol with a small amount of client storage. Partly due to its simplicity, Path ORAM is the most practical ORAM scheme for small client storage known to date. We formally prove that Path ORAM requires log^2 N / log X bandwidth overhead for block size B = X log N. For block sizes bigger than Omega(log^2 N), Path ORAM is asymptotically better than the best known ORAM scheme with small client storage. Due to its practicality, Path ORAM has been adopted in the design of secure processors since its proposal.National Science Foundation (U.S.). Graduate Research Fellowship Program (Grant DGE-0946797)National Science Foundation (U.S.). Graduate Research Fellowship Program (Grant DGE-1122374)American Society for Engineering Education. National Defense Science and Engineering Graduate FellowshipNational Science Foundation (U.S.) (Grant CNS-1314857)United States. Defense Advanced Research Projects Agency (Clean-slate design of Resilient, Adaptive, Secure Hosts Grant N66001-10-2-4089
Constants Count: Practical Improvements to Oblivious RAM
Oblivious RAM (ORAM) is a cryptographic primitive
that hides memory access patterns as seen by untrusted
storage. This paper proposes Ring ORAM, the most
bandwidth-efficient ORAM scheme for the small client
storage setting in both theory and practice. Ring ORAM
is the first tree-based ORAM whose bandwidth is independent
of the ORAM bucket size, a property that
unlocks multiple performance improvements. First,
Ring ORAM’s overall bandwidth is 2.3x to 4x better
than Path ORAM, the prior-art scheme for small client
storage. Second, if memory can perform simple untrusted
computation, Ring ORAM achieves constant online
bandwidth (~60x improvement over Path ORAM
for practical parameters). As a case study, we show Ring
ORAM speeds up program completion time in a secure
processor by 1.5x relative to Path ORAM. On the theory
side, Ring ORAM features a tighter and significantly
simpler analysis than Path ORAM
Sub-logarithmic Distributed Oblivious RAM with Small Block Size
Oblivious RAM (ORAM) is a cryptographic primitive that allows a client to
securely execute RAM programs over data that is stored in an untrusted server.
Distributed Oblivious RAM is a variant of ORAM, where the data is stored in
servers. Extensive research over the last few decades have succeeded to
reduce the bandwidth overhead of ORAM schemes, both in the single-server and
the multi-server setting, from to . However, all known
protocols that achieve a sub-logarithmic overhead either require heavy
server-side computation (e.g. homomorphic encryption), or a large block size of
at least .
In this paper, we present a family of distributed ORAM constructions that
follow the hierarchical approach of Goldreich and Ostrovsky [GO96]. We enhance
known techniques, and develop new ones, to take better advantage of the
existence of multiple servers. By plugging efficient known hashing schemes in
our constructions, we get the following results:
1. For any , we show an -server ORAM scheme with overhead, and block size . This scheme is
private even against an -server collusion. 2. A 3-server ORAM
construction with overhead and a block size
almost logarithmic, i.e. .
We also investigate a model where the servers are allowed to perform a linear
amount of light local computations, and show that constant overhead is
achievable in this model, through a simple four-server ORAM protocol
Deterministic, Stash-Free Write-Only ORAM
Write-Only Oblivious RAM (WoORAM) protocols provide privacy by encrypting the
contents of data and also hiding the pattern of write operations over that
data. WoORAMs provide better privacy than plain encryption and better
performance than more general ORAM schemes (which hide both writing and reading
access patterns), and the write-oblivious setting has been applied to important
applications of cloud storage synchronization and encrypted hidden volumes. In
this paper, we introduce an entirely new technique for Write-Only ORAM, called
DetWoORAM. Unlike previous solutions, DetWoORAM uses a deterministic,
sequential writing pattern without the need for any "stashing" of blocks in
local state when writes fail. Our protocol, while conceptually simple, provides
substantial improvement over prior solutions, both asymptotically and
experimentally. In particular, under typical settings the DetWoORAM writes only
2 blocks (sequentially) to backend memory for each block written to the device,
which is optimal. We have implemented our solution using the BUSE (block device
in user-space) module and tested DetWoORAM against both an encryption only
baseline of dm-crypt and prior, randomized WoORAM solutions, measuring only a
3x-14x slowdown compared to an encryption-only baseline and around 6x-19x
speedup compared to prior work
Recursive ORAMs with Practical Constructions
We present Recursive Square Root ORAM (R-SQRT), a simple and flexible ORAM that can be
instantiated for different client storage requirements. R-SQRT requires significantly less bandwidth than
Ring and Partition ORAM, the previous two best practical constructions in their respective classes of
ORAM according to client storage requirements. Specifically, R-SQRT is a 4x improvement in amortized
bandwidth over Ring ORAM for similar server storage. R-SQRT is also a 1.33-1.5x improvement over
Partition ORAM under the same memory restrictions. R-SQRT-AHE, a variant of R-SQRT, is a 1.67-
1.75x improvement over the reported Partition ORAM results in the same settings. All the while,
R-SQRT maintains a single data roundtrip per query. We emphasize the simplicity of R-SQRT which
uses straightforward security and performance proofs.
Additionally, we present Twice-Recursive Square Root ORAM (TR-SQRT) with smaller client stor-
age requirements. Due to its flexibility, we construct several instantiations under different memory
requirements. TR-SQRT is asymptotically competitive with previous results, yet remarkably simple
Weighted Oblivious RAM, with Applications to Searchable Symmetric Encryption
Existing Oblivious RAM protocols do not support the storage of data items of variable size in a non-trivial way. While the study of ORAM for items of variable size is of interest in and of itself, it is also motivated by the need for more performant and more secure Searchable Symmetric Encryption (SSE) schemes.
In this article, we introduce the notion of weighted ORAM, which supports the storage of blocks of different sizes.
In a standard ORAM scheme, each data block has a fixed size . In weighted ORAM, the size (or weight) of a data block is an arbitrary integer . The parameters of the weighted ORAM are entirely determined by an upper bound on the block size, and an upper bound on the total weight of all blocks\textemdash regardless of the distribution of individual weights . During write queries, the client is allowed to arbitrarily change the size of the queried data block, as long as the previous upper bounds continue to hold.
We introduce a framework to build efficient weighted ORAM schemes, based on an underlying standard ORAM satisfying a certain suitability criterion. This criterion is fulfilled by various Tree ORAM schemes, including Simple ORAM and Path ORAM. We deduce several instantiations of weighted ORAM, with very little overhead compared to standard ORAM. As a direct application, we obtain efficient SSE constructions with attractive security properties
- …