Privacy-preserving access of outsourced data via oblivious RAM simulation
04 Jul 2011-pp 576-587
TL;DR: This work describes schemes for the oblivious RAM simulation problem with a small logarithmic or polylogarithsmic amortized increase in access times, with a very high probability of success, while keeping the external storage to be of size O(n).
Abstract: We describe schemes for the oblivious RAM simulation problem with a small logarithmic or polylogarithmic amortized increase in access times, with a very high probability of success, while keeping the external storage to be of size O(n).
Citations
More filters
04 Nov 2013
TL;DR: Path ORAM as discussed by the authors is the most practical oblivious RAM protocol for small client storage known to date, which requires log 2 N / log X bandwidth overhead for block size B = X log N. Path ORAM has been adopted in the design of secure processors since its proposal.
Abstract: We present Path ORAM, an extremely simple Oblivious RAM protocol with a small amount of client storage. Partly due to its simplicity, Path ORAM is the most practical ORAM scheme for small client storage known to date. We formally prove that Path ORAM requires log^2 N / log X bandwidth overhead for block size B = X log N. For block sizes bigger than Omega(log^2 N), Path ORAM is asymptotically better than the best known ORAM scheme with small client storage. Due to its practicality, Path ORAM has been adopted in the design of secure processors since its proposal.
676 citations
01 Jan 2014
TL;DR: This paper proposes the first DSSE scheme that achieves the best of both worlds, i.e., both small leakage and efficiency, and provides an implementation of the scheme, showing its practical efficiency.
Abstract: In this paper we revisit the DSSE problem. We propose the first DSSE scheme that achieves the best of both worlds, i.e., both small leakage and efficiency. In particular, our DSSE scheme leaks significantly less information than any other previous DSSE construction and supports both updates and searches in sublinear time in the worst case, maintaining at the same time a data structure of only linear size. We finally provide an implementation of our construction, showing its practical efficiency.
427 citations
Cites background or methods from "Privacy-preserving access of outsou..."
...For a more detailed description of the o-sort algorithm please refer to [17]....
[...]
...Minimizing the leakage for DSSE can be achieved by using ORAM [3], [10], [13], [15], [17]–[19], [23]–[25], [27], [30], [35], [37], [38] to hide every memory access during searches and updates....
[...]
..., see the algorithm described in [17])....
[...]
...The DSSE problem can be solved by using oblivious RAM (ORAM) [3], [10], [13], [15], [17]–[19], [23]–[25], [27], [30], [35], [37], [38] as a black box....
[...]
17 May 2015
TL;DR: This work develops various showcase applications such as data mining, streaming algorithms, graph algorithms, genomic data analysis, and data structures, and demonstrates the scalability of ObliVM to bigger data sizes.
Abstract: We design and develop Obli VM, a programming framework for secure computation. ObliVM offers a domain specific language designed for compilation of programs into efficient oblivious representations suitable for secure computation. ObliVM offers a powerful, expressive programming language and user-friendly oblivious programming abstractions. We develop various showcase applications such as data mining, streaming algorithms, graph algorithms, genomic data analysis, and data structures, and demonstrate the scalability of ObliVM to bigger data sizes. We also show how ObliVM significantly reduces development effort while retaining competitive performance for a wide range of applications in comparison with hand-crafted solutions. We are in the process of open-sourcing ObliVM and our rich libraries to the community (www.oblivm.com), offering a reusable framework to implement and distribute new cryptographic algorithms.
344 citations
Posted Content•
TL;DR: In this article, the authors proposed a DSSE scheme that achieves the best of both worlds, i.e., both small leakage and efficiency, in the worst case, while maintaining a data structure of only linear size.
Abstract: Dynamic Searchable Symmetric Encryption (DSSE) enables a client to encrypt his document collection in a way that it is still searchable and efficiently updatable. However, all DSSE constructions that have been presented in the literature so far come with several problems: Either they leak a significant amount of information (e.g., hashes of the keywords contained in the updated document) or are inefficient in terms of space or search/update time (e.g., linear in the number of documents). In this paper we revisit the DSSE problem. We propose the first DSSE scheme that achieves the best of both worlds, i.e., both small leakage and efficiency. In particular, our DSSE scheme leaks significantly less information than any other previous DSSE construction and supports both updates and searches in sublinear time in the worst case, maintaining at the same time a data structure of only linear size. We finally provide an implementation of our construction, showing its practical efficiency.
332 citations
TL;DR: It is formally proved that Path ORAM has a O(log N) bandwidth cost for blocks of size B = Ω (log2 N) bits, and is asymptotically better than the best-known ORAM schemes with small client storage.
Abstract: We present Path ORAM, an extremely simple Oblivious RAM protocol with a small amount of client storage. Partly due to its simplicity, Path ORAM is the most practical ORAM scheme known to date with small client storage. We formally prove that Path ORAM has a O(log N) bandwidth cost for blocks of size B = Ω (log2N) bits. For such block sizes, Path ORAM is asymptotically better than the best-known ORAM schemes with small client storage. Due to its practicality, Path ORAM has been adopted in the design of secure processors since its proposal.
316 citations
Cites background from "Privacy-preserving access of outsou..."
...Since then, a long-standing open question is whether it is possible to have an ORAM construction that has O(1) or poly log(N) client-side storage and O(logN) blocks bandwidth cost [13, 14, 22]....
[...]
References
More filters
TL;DR: This paper shows how to do an on-line simulation of an arbitrary RAM by a probabilistic oblivious RAM with a polylogaithmic slowdown in the running time, and shows that a logarithmic slowdown is a lower bound.
Abstract: Software protection is one of the most important issues concerning computer practice. There exist many heuristics and ad-hoc methods for protection, but the problem as a whole has not received the theoretical treatment it deserves. In this paper, we provide theoretical treatment of software protection. We reduce the problem of software protection to the problem of efficient simulation on oblivious RAM.A machine is oblivious if thhe sequence in which it accesses memory locations is equivalent for any two inputs with the same running time. For example, an oblivious Turing Machine is one for which the movement of the heads on the tapes is identical for each computation. (Thus, the movement is independent of the actual input.) What is the slowdown in the running time of a machine, if it is required to be oblivious? In 1979, Pippenger and Fischer showed how a two-tape oblivious Turing Machine can simulate, on-line, a one-tape Turing Machine, with a logarithmic slowdown in the running time. We show an analogous result for the random-access machine (RAM) model of computation. In particular, we show how to do an on-line simulation of an arbitrary RAM by a probabilistic oblivious RAM with a polylogaithmic slowdown in the running time. On the other hand, we show that a logarithmic slowdown is a lower bound.
1,752 citations
"Privacy-preserving access of outsou..." refers background or methods in this paper
...Keywords. oblivious RAM simulation, cuckoo hashing, sorting, outsourced data, privacy....
[...]
...With a constant-sized memory, we show that she can do this simulation with overhead O(log2 n), with a similarly high probability of success....
[...]
...We combine these results to achieve our improved oblivious RAM simulations by exploiting some of the unique performance characteristics of cuckoo hashing together with efficient data-oblivious methods for performing cuckoo hashing....
[...]
[...]
TL;DR: In this paper, a simple dictionary with worst case constant lookup time was presented, equaling the theoretical performance of the classic dynamic perfect hashing scheme of Dietzfelbinger et al.
Abstract: We present a simple dictionary with worst case constant lookup time, equaling the theoretical performance of the classic dynamic perfect hashing scheme of Dietzfelbinger et al. [SIAM J. Comput. 23 (4) (1994) 738-761]. The space usage is similar to that of binary search trees. Besides being conceptually much simpler than previous dynamic dictionaries with worst case constant lookup time, our data structure is interesting in that it does not use perfect hashing, but rather a variant of open addressing where keys can be moved back in their probe sequences. An implementation inspired by our algorithm, but using weaker hash functions, is found to be quite practical. It is competitive with the best known dictionaries having an average case (but no nontrivial worst case) guarantee on lookup time.
963 citations
17 Jan 2010
TL;DR: A simulation lemma is proved showing that a large class of PRAM algorithms can be efficiently simulated via MapReduce, and it is demonstrated how algorithms can take advantage of this fact to compute an MST of a dense graph in only two rounds.
Abstract: In recent years the MapReduce framework has emerged as one of the most widely used parallel computing platforms for processing data on terabyte and petabyte scales. Used daily at companies such as Yahoo!, Google, Amazon, and Facebook, and adopted more recently by several universities, it allows for easy parallelization of data intensive computations over many machines. One key feature of MapReduce that differentiates it from previous models of parallel computation is that it interleaves sequential and parallel computation. We propose a model of efficient computation using the MapReduce paradigm. Since MapReduce is designed for computations over massive data sets, our model limits the number of machines and the memory per machine to be substantially sublinear in the size of the input. On the other hand, we place very loose restrictions on the computational power of of any individual machine---our model allows each machine to perform sequential computations in time polynomial in the size of the original input.We compare MapReduce to the PRAM model of computation. We prove a simulation lemma showing that a large class of PRAM algorithms can be efficiently simulated via MapReduce. The strength of MapReduce, however, lies in the fact that it uses both sequential and parallel computation. We demonstrate how algorithms can take advantage of this fact to compute an MST of a dense graph in only two rounds, as opposed to Ω(log(n)) rounds needed in the standard PRAM model. We show how to evaluate a wide class of functions using the MapReduce framework. We conclude by applying this result to show how to compute some basic algorithmic problems such as undirected s-t connectivity in the MapReduce framework.
643 citations
"Privacy-preserving access of outsou..." refers background or methods in this paper
...In the MapReduce paradigm (e.g., see [19, 28]), a parallel computation is defined on a set of values, {x1, x2, . . . , xn}, and consists of a series of map, shuffle, and reduce steps: • A map step applies a mapping function, µ, to each value, xi, to produce a key-value pair, (ki, vi)....
[...]
...As an alternative, the MapReduce programming paradigm has been introduced to provide a simple approach to parallel programming (e.g., see [14, 19, 28])....
[...]
...In the MRC version of this model [28], the computation of ρ is restricted to use only O(n1− ) working storage, for a constant > 0....
[...]
...For instance, we can count the number of map-shuffle-reduce steps, t....
[...]
27 Oct 2008
TL;DR: A first practical system -- orders of magnitude faster than existing implementations -- that can execute over several queries per second on 1Tbyte+ databases with full computational privacy and correctness is built.
Abstract: We introduce a new practical mechanism for remote data storage with efficient access pattern privacy and correctness. A storage client can deploy this mechanism to issue encrypted reads, writes, and inserts to a potentially curious and malicious storage service provider, without revealing information or access patterns. The provider is unable to establish any correlation between successive accesses, or even to distinguish between a read and a write. Moreover, the client is provided with strong correctness assurances for its operations -- illicit provider behavior does not go undetected. We built a first practical system -- orders of magnitude faster than existing implementations -- that can execute over several queries per second on 1Tbyte+ databases with full computational privacy and correctness.
281 citations
"Privacy-preserving access of outsou..." refers methods in this paper
...We combine these results to achieve our improved oblivious RAM simulations by exploiting some of the unique performance characteristics of cuckoo hashing together with efficient data-oblivious methods for performing cuckoo hashing....
[...]
15 Aug 2010
TL;DR: In this paper, the oblivious RAM protocol was redesigned using modern tools, namely Cuckoo hashing and a new oblivious sorting algorithm, and the resulting protocol uses only O(n) external memory, and replaces each data request by O(log 2 n) requests.
Abstract: We reinvestigate the oblivious RAM concept introduced by Goldreich and Ostrovsky, which enables a client, that can store locally only a constant amount of data, to store remotely n data items, and access them while hiding the identities of the items which are being accessed. Oblivious RAM is often cited as a powerful tool, but is also commonly considered to be impractical due to its overhead, which is asymptotically efficient but is quite high. We redesign the oblivious RAM protocol using modern tools, namely Cuckoo hashing and a new oblivious sorting algorithm. The resulting protocol uses only O(n) external memory, and replaces each data request by only O(log2 n) requests.
269 citations