5 research outputs found
What Storage Access Privacy is Achievable with Small Overhead?
Oblivious RAM (ORAM) and private information retrieval (PIR) are classic
cryptographic primitives used to hide the access pattern to data whose storage
has been outsourced to an untrusted server. Unfortunately, both primitives
require considerable overhead compared to plaintext access. For large-scale
storage infrastructure with highly frequent access requests, the degradation in
response time and the exorbitant increase in resource costs incurred by either
ORAM or PIR prevent their usage. In an ideal scenario, a privacy-preserving
storage protocols with small overhead would be implemented for these heavily
trafficked storage systems to avoid negatively impacting either performance
and/or costs. In this work, we study the problem of the best $\mathit{storage\
access\ privacy}\mathit{small\ overhead}\mathit{differential\ privacy\ access}\mathit{oblivious\ access}\epsilon = \Omega(\log n)\epsilon = \Theta(\log n)O(1)\epsilon = \Theta(\log n)O(\log\log n)$
overhead. This construction uses a new oblivious, two-choice hashing scheme
that may be of independent interest.Comment: To appear at PODS'1
Lower Bounds for Multi-Server Oblivious RAMs
In this work, we consider the construction of oblivious RAMs (ORAM) in a setting
with multiple servers and the adversary may corrupt a subset of the servers.
We present an overhead lower bound for any -server
ORAM that limits any PPT adversary to distinguishing advantage at most when
only one server is corrupted. In other words, if one insists on
negligible distinguishing advantage, then multi-server ORAMs cannot
be faster than single-server ORAMs even with polynomially many servers
of which only one unknown server is corrupted.
Our results apply to ORAMs that may err with probability at most
as well as scenarios where the adversary corrupts larger subsets of servers.
We also extend our lower bounds to other important data structures
including oblivious stacks, queues, deques, priority queues and search trees
What storage access privacy is achievable with small overhead?
Oblivious RAM (ORAM) and private information retrieval (PIR) are classic cryptographic primitives used to hide the access pattern to data whose storage has been outsourced to an untrusted server. Unfortunately, both primitives require considerable overhead compared to plaintext access. For large-scale storage infrastructure with highly frequent access requests, the degradation in response time and the exorbitant increase in resource costs incurred by either ORAM or PIR prevent their usage. In an ideal scenario, a privacy-preserving storage protocols with small overhead would be implemented for these heavily trafficked storage systems to avoid negatively impacting either performance and/or costs. In this work, we study the problem of the best em storage access privacy that is achievable with only em small overhead over plaintext access. To answer this question, we consider em differential privacy access which is a generalization of the em oblivious access security notion that are considered by ORAM and PIR. Quite surprisingly, we present strong evidence that constant overhead storage schemes may only be achieved with privacy budgets of ϵ = Ømega(łog n) with only overhead. In addition, we consider a more complex storage primitive called key-value storage in which data is indexed by keys from a large universe (as opposed to consecutive integers in ORAM and PIR). We present a differentially private key-value storage scheme with ϵ = Θ(łog n)O(łogłog n)$ overhead. This construction uses a new oblivious, two-choice hashing scheme that may be of independent interest
SoK: Differential Privacies
Shortly after it was first introduced in 2006, differential privacy became
the flagship data privacy definition. Since then, numerous variants and
extensions were proposed to adapt it to different scenarios and attacker
models. In this work, we propose a systematic taxonomy of these variants and
extensions. We list all data privacy definitions based on differential privacy,
and partition them into seven categories, depending on which aspect of the
original definition is modified.
These categories act like dimensions: variants from the same category cannot
be combined, but variants from different categories can be combined to form new
definitions. We also establish a partial ordering of relative strength between
these notions by summarizing existing results. Furthermore, we list which of
these definitions satisfy some desirable properties, like composition,
post-processing, and convexity by either providing a novel proof or collecting
existing ones.Comment: This is the full version of the SoK paper with the same title,
accepted at PETS (Privacy Enhancing Technologies Symposium) 202
Limits of Preprocessing for Single-Server PIR
We present a lower bound for the static cryptographic data structure problem of single-server private information retrieval (PIR). PIR considers the setting where a server holds a database of entries and a client wishes to privately retrieve the -th entry without revealing the index to the server. In our work, we focus on PIR with preprocessing where an -bit hint may be computed in a preprocessing stage and stored by the server to be used to perform private queries in expected time . We consider the public preprocessing setting of Beimel et al. [JoC, 2004] where the hint is publicly available to everyone including the adversary.
We prove that for any single-server computationally secure PIR with preprocessing it must be that when . If , we show that . Our lower bound holds even when the scheme errs with probability and the adversary’s distinguishing advantage is . Our work improves upon the lower bound of Beimel et al. [JoC, 2004].
We prove our lower bound in a variant of the cell probe model where only accesses to the memory are charged cost and computation and accesses to the hint are free. Our main technical contribution is a novel use of the cell sampling technique (also known as the incompressibility technique) used to obtain lower bounds on data structures. In previous works, this technique only leveraged the correctness guarantees to prove lower bounds even when used for cryptographic primitives. Our work combines the cell sampling technique with the privacy guarantees of PIR to construct a powerful, polynomial-time adversary that is critical to proving our higher lower bounds