What Storage Access Privacy is Achievable with Small Overhead?

Oblivious RAM (ORAM) and private information retrieval (PIR) are classic cryptographic primitives used to hide the access pattern to data whose storage has been outsourced to an untrusted server. Unfortunately, both primitives require considerable overhead compared to plaintext access. For large-scale storage infrastructure with highly frequent access requests, the degradation in response time and the exorbitant increase in resource costs incurred by either ORAM or PIR prevent their usage. In an ideal scenario, a privacy-preserving storage protocols with small overhead would be implemented for these heavily trafficked storage systems to avoid negatively impacting either performance and/or costs. In this work, we study the problem of the best $\mathit{storage\ access\ privacy}$that is achievable with only$\mathit{small\ overhead}$over plaintext access. To answer this question, we consider$\mathit{differential\ privacy\ access}$which is a generalization of the$\mathit{oblivious\ access}$security notion that are considered by ORAM and PIR. Quite surprisingly, we present strong evidence that constant overhead storage schemes may only be achieved with privacy budgets of$\epsilon = \Omega(\log n)$. We present asymptotically optimal constructions for differentially private variants of both ORAM and PIR with privacy budgets$\epsilon = \Theta(\log n)$with only$O(1)$overhead. In addition, we consider a more complex storage primitive called key-value storage in which data is indexed by keys from a large universe (as opposed to consecutive integers in ORAM and PIR). We present a differentially private key-value storage scheme with$\epsilon = \Theta(\log n)$and$O(\log\log n)$ overhead. This construction uses a new oblivious, two-choice hashing scheme that may be of independent interest.Comment: To appear at PODS'1

Metastability of Logit Dynamics for Coordination Games

Logit Dynamics [Blume, Games and Economic Behavior, 1993] are randomized best response dynamics for strategic games: at every time step a player is selected uniformly at random and she chooses a new strategy according to a probability distribution biased toward strategies promising higher payoffs. This process defines an ergodic Markov chain, over the set of strategy profiles of the game, whose unique stationary distribution is the long-term equilibrium concept for the game. However, when the mixing time of the chain is large (e.g., exponential in the number of players), the stationary distribution loses its appeal as equilibrium concept, and the transient phase of the Markov chain becomes important. It can happen that the chain is "metastable", i.e., on a time-scale shorter than the mixing time, it stays close to some probability distribution over the state space, while in a time-scale multiple of the mixing time it jumps from one distribution to another. In this paper we give a quantitative definition of "metastable probability distributions" for a Markov chain and we study the metastability of the logit dynamics for some classes of coordination games. We first consider a pure $n$-player coordination game that highlights the distinctive features of our metastability notion based on distributions. Then, we study coordination games on the clique without a risk-dominant strategy (which are equivalent to the well-known Glauber dynamics for the Curie-Weiss model) and coordination games on a ring (both with and without risk-dominant strategy)

Minimal Path Length of Trees with Known Fringe

In this paper we continue the study of the path length of trees with known fringe as initiated by [1] and [2]. We compute the path length of the minimal tree with given number of leaves N and fringe ∆ for the case ∆ ≥ N/2. This complements the result of [2] that studied the case ∆ ≤ N/2. Our methods also yields a linear time algorithm for constructing the minimal tree when ∆ ≥ N/2

Convergence to Equilibrium of Logit Dynamics for Strategic Games

We present the first general bounds on the mixing time of the Markov chain associated to the logit dynamics for wide classes of strategic games. The logit dynamics with inverse noise beta describes the behavior of a complex system whose individual components act selfishly and keep responding according to some partial ("noisy") knowledge of the system, where the capacity of the agent to know the system and compute her best move is measured by the inverse of the parameter beta. In particular, we prove nearly tight bounds for potential games and games with dominant strategies. Our results show that, for potential games, the mixing time is upper and lower bounded by an exponential in the inverse of the noise and in the maximum potential difference. Instead, for games with dominant strategies, the mixing time cannot grow arbitrarily with the inverse of the noise. Finally, we refine our analysis for a subclass of potential games called graphical coordination games, a class of games that have been previously studied in Physics and, more recently, in Computer Science in the context of diffusion of new technologies. We give evidence that the mixing time of the logit dynamics for these games strongly depends on the structure of the underlying graph. We prove that the mixing time of the logit dynamics for these games can be upper bounded by a function that is exponential in the cutwidth of the underlying graph and in the inverse of noise. Moreover, we consider two specific and popular network topologies, the clique and the ring. For games played on a clique we prove an almost matching lower bound on the mixing time of the logit dynamics that is exponential in the inverse of the noise and in the maximum potential difference, while for games played on a ring we prove that the time of convergence of the logit dynamics to its stationary distribution is significantly shorter

CacheShuffle: A Family of Oblivious Shuffles

We consider oblivious two-party protocols where a client outsources N blocks of private data to a server. The client wishes to access the data to perform operations in such a way that the access pattern does not leak information about the data and the operations. In this context, we consider oblivious shuffling with a focus on bandwidth efficient protocols for clients with small local memory. In the shuffling problem, the N outsourced blocks, B_1,...,B_N, are stored on the server according to an initial permutation pi. The client wishes to reshuffle the blocks according to permutation sigma. Oblivious shuffling is a building block in several applications that hide patterns of data access. In this paper, we introduce a generalization of the oblivious shuffling problem, the K-oblivious shuffling problem, and provide bandwidth efficient algorithms for a wide range of client storage requirements. The task of a K-oblivious shuffling algorithm is to shuffle N encrypted blocks that were previously randomly allocated on the server in such a way that an adversarial server learns nothing about either the new allocation of blocks or the block contents. The security guarantee must hold when an adversary has partial information on the initial placement of a subset of K <=N revealed blocks. The notion of oblivious shuffling is obtained for K=N. We first study the N-oblivious shuffling problem and start by presenting CacheShuffleRoot, that is tailored for clients with O(sqrt{N}) blocks of memory and uses approximately 4N blocks of bandwidth. CacheShuffleRoot is a 4x improvement over the previous best known N-oblivious shuffle for practical sizes of N. We then generalize CacheShuffleRoot to CacheShuffle that can be instantiated for any client memory size S and requires O(N log_S N) blocks of bandwidth. Next, we present K-oblivious shuffling algorithms that require 2N + f(K,S) blocks of bandwidth for all K and a wide range of S. Any extra bandwidth above the 2N lower bound depends solely on K and S. Specifically, for clients with O(K) blocks of memory, we present KCacheShuffleBasic that uses exactly 2N blocks of bandwidth. For clients with memory S <= K, we present KCacheShuffle, that requires 2N + O(K log_S K) blocks of bandwidth. Finally, motivated by applications to ORAMs, we consider the case where the server stores D dummy blocks whose contents are irrelevant in addition to the N real blocks. For this case, we design algorithm KCacheShuffleDummy that shuffles N+D blocks with K revealed blocks using O(K) blocks of client storage and approximately D+2N blocks of bandwidth

Constant-Round Concurrent Non-Malleable Zero Knowledge in the Bare Public-Key Model

One of the central questions in Cryptography is the design of round-efficient protocols that are secure under concurrent man-in-the- middle attacks. In this paper we present the first constant-round concurrent non-malleable zero-knowledge argument system for NP in the Bare Public-Key model [Canetti et al., STOC 2000], resolving one of the major open problems in this area. To achieve our result, we introduce and study the notion of non-malleable witness indistinguishability, which is of independent interest. Previous results either achieved relaxed forms of concurrency/security or needed stronger setup assumptions or required a non-constant round complexity