CS7380: Privacy Aware Computing
Oblivious RAM

Dec 19, 2015


Ilene Lyons

Motivation
- Starting from software protection
  - Prevent software piracy
  - A valid method is using a hardware key to protect the validity of the software; the hardware key cannot be duplicated
- Still, the memory access between the HW and SW components can leak information
  - Attacker can deceive or skip the checking with the HW component


Oblivious RAM definition
- How to protect the memory access pattern from being observed?
  - Memory access is probabilistic
  - The probability distribution is independent of the input


First solution: the square-root algorithm

1. For each accesses, randomly permute the first m+ memory
2. For accessing a word, check the sheltered words first.
   - If it is there, we access one of the dummy words
   - If it is not there, find the permuted location (i).

t steps of original RAM access can be simulated with t+sqrt(m) steps ORAM


Key operation
- Oblivious random permutation
  - Random mapping f: {1,2,..,n} -> {1,2,..,n log n}, so that (i)=k if f(i) is the k-th smallest in f(1)..f(n)
  - Use Batcher's sorting network to sort the permuted tags f(i); the sequence of accesses is fixed, independent of the input
  - Binary search over the sorted tags f(i) to find (i)
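An added example, not part of the original slides: a square-root ORAM simulation that builds the permutation from random tags as described above and records which physical cells an observer of main memory sees. The sizes (ceil(sqrt(m)) dummy words and shelter slots, a reshuffle when the shelter fills) and all names are assumptions of this example; sorted() and a dictionary stand in for Batcher's network and the binary search.

```python
import math
import random

class SqrtORAM:
    """Square-root ORAM simulation; self.trace is what a memory observer sees."""

    def __init__(self, data, rng=None):
        self.rng = rng or random.Random()
        self.values = list(data)                  # logical memory, m words (m >= 1)
        self.m = len(self.values)
        self.s = math.isqrt(self.m - 1) + 1       # ceil(sqrt(m)) dummies and shelter slots (assumed)
        self.trace = []                           # physical main-store addresses touched
        self._reshuffle()

    def _reshuffle(self):
        n = self.m + self.s                       # real words followed by dummy words
        # Distinct random tags f(i) drawn from about n*log n values; pi(i) = k when
        # f(i) is the k-th smallest tag. sorted() stands in for Batcher's network.
        tags = self.rng.sample(range(n * n.bit_length()), n)
        order = sorted(range(n), key=tags.__getitem__)
        self.pi = {i: k for k, i in enumerate(order)}
        self.store = [None] * n
        for i in range(self.m):
            self.store[self.pi[i]] = self.values[i]
        self.shelter = {}                         # scanned in full on every access
        self.count = 0                            # accesses since the last reshuffle

    def access(self, i, new=None):
        """Read word i (or write `new` to it); returns the word's current value."""
        if i in self.shelter:
            phys = self.pi[self.m + self.count]   # sheltered: touch an unused dummy
        else:
            phys = self.pi[i]                     # first touch this epoch: real cell
            self.shelter[i] = self.store[phys]
        self.trace.append(phys)
        if new is not None:
            self.shelter[i] = new
        result = self.shelter[i]
        self.count += 1
        if self.count == self.s:                  # shelter full: write back, re-permute
            for j, val in self.shelter.items():
                self.values[j] = val
            self._reshuffle()
        return result

def epochs_have_distinct_addresses(oram):
    """True if every epoch of s accesses touched only different physical cells."""
    t, s = oram.trace, oram.s
    return all(len(set(t[e:e + s])) == len(t[e:e + s]) for e in range(0, len(t), s))
```

Within one epoch no physical cell is touched twice, so reading the same word four times is indistinguishable from reading four different words.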


Cost analysis
- Per access cost:


The hierarchical algorithm
- Each memory cell is modeled as (V_i, X_i)
  - V_i is the location, X_i is the value
- Basic idea
  - Consider the shelter memory as a buffer; extend it to multiple levels of buffers
  - Use oblivious hash function


Hierarchical scheme


Setting
- Each level i has 4^i buckets
- Each bucket has log t items, where t is the total number of accesses by the current program
- Total number of levels N = 1 + ceil(log_4 t)
- Each level has a randomly selected hash function


Initially
- Load the program to level N, which has 4t buckets

For each level
- If (V, X) is already found, randomly pick a bucket to access
- Otherwise, check the bucket h_i(V)

Put (V, X) to the 1st level (may cause overflowing to the lower levels).
- If the first i levels are full, move all of levels 1 to i into level i+1 and empty the first i levels


Reading
- Check the bucket h_i(V) from each level i
- Only one real match
- Remaining are dummy entries

[Figure: the client reads one bucket from each level on the server; one entry is real, the others are dummy]
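An added example, not part of the original slides: the read path of the hierarchical scheme, recording the (level, bucket) pairs the server observes. It covers lookups only (no write-back or reshuffle); HMAC-SHA256 as the per-level hash h_i, the sample values and all function names are assumptions of this example.

```python
import hashlib
import hmac
import random

def num_levels(t):
    """N = 1 + ceil(log_4 t), computed with integers to avoid float rounding."""
    k = 0
    while 4 ** k < t:
        k += 1
    return 1 + k

class Level:
    def __init__(self, i, rng):
        self.i = i
        self.nbuckets = 4 ** i                      # level i has 4^i buckets
        # Randomly selected hash per level: a fresh HMAC key (assumed construction).
        self.key = bytes(rng.getrandbits(8) for _ in range(16))
        self.buckets = [[] for _ in range(self.nbuckets)]

    def h(self, v):
        mac = hmac.new(self.key, str(v).encode(), hashlib.sha256).digest()
        return int.from_bytes(mac[:8], "big") % self.nbuckets

    def put(self, v, x):
        self.buckets[self.h(v)].append((v, x))

def lookup(levels, v, rng):
    """Return (value, trace); trace lists the (level, bucket) pairs the server sees."""
    hit, value, trace = False, None, []
    for lvl in levels:                              # level 1 first: newest copy wins
        if hit:
            b = rng.randrange(lvl.nbuckets)         # already found: random dummy bucket
        else:
            b = lvl.h(v)
            for vi, xi in lvl.buckets[b]:           # the whole bucket is read
                if vi == v:
                    hit, value = True, xi
        trace.append((lvl.i, b))
    return value, trace

def build(t, rng):
    """Levels 1..N with constructed cells (V, X) = (v, v * 10) loaded into level N."""
    levels = [Level(i, rng) for i in range(1, num_levels(t) + 1)]
    for v in range(t):
        levels[-1].put(v, v * 10)
    return levels
```

Every lookup produces exactly one bucket access per level, whether the cell is found in level 1 or only in level N.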


Writing
- Choose a new hash for level i+1
- Shuffle consecutively filled levels
- Write into next unfilled level
- Clear the source levels

[Figure: server (before) and server (after), with the client shuffling the values in between]


Cost analysis
- Time cost:
  - Each level costs O(log t), total log t levels
  - Cost per access: O((log t)^2)
  - Hashing cost: O(t (log t)^3)
- Storage cost (t log t)


Improved schemes
- Paper: Oblivious RAM Revisited
- Improvement
  - Storage O(n)
  - Time O((log n)^2)
  - In context of cloud computing
- Key idea
  - Using Cuckoo hashing
    - Mapping n items to 2(1+e)n bins, with at most a single item mapped into a bin
    - Reduce storage to O(n)
  - Randomized shell sort


Williams and Sion solution
- Usable PIR. In NDSS, 2008.
  - Use O(sqrt(n)) secure client-side memory and oblivious merge sort to improve the performance to O((log n)^2)
- Building castles out of mud: Practical access pattern privacy and correctness on untrusted storage. In ACM CCS, 2008.
  - Use Bloom filter to further improve the performance to O(log n * log log n)


A number of methods

Pinkas and Reinman


Remaining challenges
- Storage cost
- Reshuffling
- Client-server interactions


Most recent development
- http://www.emilstefanov.net/Research/ObliviousRam/
- Oblivious storage