Perfectly S Secure O Oblivious A s Algorithms s in t the M Multi-Server S Setting T-H. Hubert Chan, Jonathan Katz, Ka Kartik Nay ayak, Antigoni Polychroniadou, Elaine Shi
Defini De ning ng an n Obl Oblivious us RAM Example request sequence I: Read(a1), Write(a2, d’), Read(a3) … Request sequence I Adversary response snoops on the Client address bus Server 2
De Defini ning ng an n Obl Oblivious us RAM - Adversary (server) is semi-honest - No server computation Request Sequence sequence I ORAM(I) Security: for I and I’ of the same response length, Client ORAM(I) ~ ORAM(I’) Server bandwidth: #mem locations accessed by ORAM(I) for every access 3
OR ORAM( M(I) ~ ~ OR ORAM( M(I’) Computationally indistinguishable or typically ORAM(I) ~ ORAM(I’) Statistically indistinguishable Statistically Adversary cannot distinguish with probability indistinguishable: > negl(N) negl( 𝜇 ) N = poly( 𝜇 ) If N = polylog ( 𝜇 ) negl(N) ≠ negl( 𝜇 ) Achieving negl( 𝜇 ) difference using existing schemes is inefficient; bandwidth of N c , c < 1 4
Pe Perfectly-Se Secu cure OR ORAM ORAM(I) ~ ORAM(I’) Identically distributed Existing perfectly-secure ORAMs: Bandwidth O(log 3 N) [DMN’11, CNS’18] 5
Obl Oblivious us RAMs: Ms: Bandwi ndwidt dth h Trade de-of offs Computationally or Perfectly-secure statistically-secure view Adv : denotes what the ORAMs ORAMs Server S 1 Request adversary can observe from the O(log 3 N) O(log 2 N/log log N) sequence I Single-server semi-honest corrupt servers Server S 2 [DMN’11, CNS’18] [KLO’12] . . . Multi-server response Security: Client Server S k for I and I’ of the same length, view Adv (I) and view Adv (I’) are identically distributed 6
Obl Oblivious us RAMs: Ms: Bandwi ndwidt dth h Trade de-of offs Computationally or Perfectly-secure statistically-secure ORAMs ORAMs O(log 3 N) O(log 2 N/log log N) Single-server [DMN’11, CNS’18] [KLO’12] log 2 N) O(lo O( N) O(log N) Multi-server [This p paper] [LO’13] 1. Multi-server ORAMs were only computationally or statistically secure 2. Are there inherent advantages in the multi-server setting? 7
Obl Oblivious us RAMs: Ms: Bandwi ndwidt dth h Trade de-of offs O(log N) [AKLNS’18] Computationally or statistically-secure Perfectly-secure ORAMs ORAMs Single-server O(log 2 N/log log N) O(log 3 N) [KLO’12] [DMN’11, CNS’18] log 2 N) O(log N) O( O(lo N) Multi-server [LO’13] [T [This paper] 1. Multi-server ORAMs were only computationally or statistically secure 2. Are there inherent advantages in the multi-server setting? 8
Our Our Resul sults There exists a perfectly-secure 3-server scheme for a single semi-honest corruption to perform 1 Oblivious stable compaction and merging with O(N) bandwidth Lower bound: Single-server oblivious stable compaction and merging requires Ω(N log N) bandwidth in the balls-and-bins model [LSX’18] 9
Our Our Resul sults There exists a perfectly-secure 3-server scheme for a single semi-honest corruption to achieve 1 Oblivious stable compaction and merging with O(N) bandwidth 2 ORAM scheme with O(log 2 N) bandwidth 10
Oblivious Sort Incu curs O(N log N) Bandwidth 3 8 7 … 5 2 Typically, shuffle is performed using oblivious sort 11
Key Ide dea: Repl place ce Obl blivi vious us Sort rt With h Line near r Time Ope perations ns 12
Pe Permutation-St Storage-Se Sepa paration n Paradi digm Permute Server Storage Server 8 7 … 3 5 2 Assumption: Data encrypted using perfectly-secure encryption scheme 13
Pe Permutation-St Storage-Se Sepa paration n Paradi digm Permute Server Storage Server 5 … 7 8 2 3 Observes accesses Knows permutation O(1) bandwidth Fisher-Yates: O(N) bandwidth (assuming position is known) Lu-Ostrovsky introduced this paradigm [LO’13] - Built cuckoo hash tables + used PRFs to access data - Computationally-secure 14
O( O(N) Bandwidth Ob Obliviou ous Sor ort? Can we perform O(N) bandwidth oblivious sort using this paradigm? - Not aware of a solution - Comparison-based (non-oblivious) sorts incur O(N log N) 15
Our Our Resul sults There exists a perfectly-secure 3-server scheme for a single semi-honest corruption to achieve 1 Oblivious stable compaction and merging with O(N) bandwidth 2 ORAM scheme with O(log 2 N) bandwidth 16
Oblivious Tight Stable Compact ction Input: n elements, some real, some dummy Output: n elements, all real elements at the beginning, order of real elements is preserved 17
Attempt 1: Oblivious Tight Stable Compact ction Server 1 Server 2 Protocol: Read block, if real, write to storage Pad with dummies Obliviousness: Each server observes a linear scan Server 2 observes write time steps 18
Oblivious Tight Stable Compact ction Server 1: Permute *Remember head of linked-list *Maintain a dummy linked-list too 0 1 2 3 4 5 6 7 8 9 a b c d e f Permute using 𝜌 , determine destination 0 1 2 3 4 5 6 7 8 9 a b c d e f Inverse permute: 𝜌 -1 e 1 2 3 a f 6 7 3 9 a b c d e f e 1 2 3 a f 6 7 3 9 a b c d e f Reverse linear scan to create linked-list a 1 2 3 f 7 6 3 9 b a . c d e f Permute using 𝜌 again 0 1 2 3 4 5 6 7 8 9 a b c d e f 19
Oblivious Tight Stable Compact ction Server 1: Permute Server 2: Access Protocol: - Traverse real linked list followed by dummy linked list 20
Oblivious Tight Stable Compact ction Server 1: Permute Server 2: Access Security: Server 1 permutes and performs linear scan. Does not observe accesses. Server 2 observes accesses, does not know permutation 21
Ob Obliviou ous Merge Input: S 1 and S 2 have semi-sorted lists with n 1 and n 2 elements resp. Server S 1 Server S 2 Output: Sorted list of n 1 + n 2 elements on S 1 22
Our Our Resul sults There exists a perfectly-secure 3-server scheme for a single semi-honest corruption to achieve 1 Oblivious stable compaction and merging with O(N) bandwidth 2 ORAM scheme with O(log 2 N) bandwidth 23
Hierarchi chical ORAM M [GO’9 ’96] Level 1 N/4 reals N/2 reals Level log N - 1 N reals Level log N 24
Hierarchi chical ORAM M [GO’9 ’96] Level 1 [GO’96]: O(log N) sized buckets, block b stored in PRF k (b) Avoid PRF? N/4 reals N/2 reals Level log N - 1 N reals Level log N 25
Position-based Hierarch Po chical ORAM [CNS’1 S’18] Level 1 Store blocks shuffled uniformly at random Access a block: - Is the block stored at this level? N/4 reals - If yes, location? - else, location of a dummy? N/2 reals Level log N - 1 N reals Level log N 26
Po Position-based Hierarch chical ORAM [CNS’1 S’18] Level 1 For all levels, - Is the block stored at this level? - If yes, location? N/4 reals - else, location of a dummy? N/2 reals Level log N - 1 N reals Level log N 27
Po Position-based Hierarch chical ORAM [CNS’1 S’18] Level 1 Level log N - 1 Level log N 28
Recu cursive Position-based Hierarch chical ORAM [CNS’ S’18] Position-based ORAM at height-(d-1) Block b at height-(d-1) stores the height-(d-1) b level and position of blocks 2b and 2b+1 at height-d Position-based ORAM at height-d height-d For all levels, positions of all blocks 2b 2b+1 29
Recu cursive Position-based Hierarch chical ORAM [CNS’ S’18] Position-based ORAM at depth-(d-1) Block b at depth-(d-1) stores the height-(d-1) b level and position of blocks 2b Caveats: and 2b+1 at depth-d 1. Does not handle dummies 2. Cannot be used in a black-box Position-based ORAM at depth-d height-d manner For all levels, - Is the block stored at this level? - If yes, location? 2b - Else, location of a dummy 2b+1 30
Co Co-ordinated Reshuffle Acr cross Hierarch chies Position-based ORAM at height-(d-1) Block b at height-(d-1) stores the height-(d-1) level and position of blocks 2b Co-ordinated reshuffle: and 2b+1 at depth-d When level l at height-d is reshuffled, all levels ≤ l at height < d are reshuffled Position-based ORAM at height-d height-d For all levels, positions of all blocks 31
Co Co-or ordin inated Shuffle fle in in the Mult lti-Ser Server er Se Setting Permutation-Storage- Linear time oblivious Separation paradigm compaction + merging Linear time co-ordinated shuffle 32
Concl clusion - Oblivious stable compaction and merging can be performed with O(N) bandwidth using 3 servers - 3-server ORAM scheme with O(log 2 N) amortized bandwidth Thank You! kartik@cs.duke.edu 33
Recommend
More recommend
