SLIDE 1

Perfectly Secure Oblivious Algorithms in the Multi-Server Setting

T-H. Hubert Chan, Jonathan Katz, Kartik Nayak, Antigoni Polychroniadou, Elaine Shi

SLIDE 2

Defining an Oblivious RAM

Diagram labels: Client, Server, request sequence I, response

Adversary snoops on the address bus

Example request sequence I: Read(a1), Write(a2, d’), Read(a3) …

SLIDE 3

Defining an Oblivious RAM

Diagram labels: Client, Server, request sequence I, sequence ORAM(I), response

Security: for I and I’ of the same length, ORAM(I) ~ ORAM(I’)

Bandwidth: number of memory locations accessed by ORAM(I) for every access

  • Adversary (server) is semi-honest
  • No server computation

SLIDE 4

ORAM(I) ~ ORAM(I’)

ORAM(I) ~ ORAM(I’): computationally indistinguishable or statistically indistinguishable

Statistically indistinguishable: adversary cannot distinguish with probability > negl(N)

Typically N = poly(𝜇): negl(𝜇)

If N = polylog(𝜇): negl(N) ≠ negl(𝜇)

Achieving negl(𝜇) difference using existing schemes is inefficient; bandwidth of N^c, c < 1

SLIDE 5

Perfectly-Secure ORAM

ORAM(I) ~ ORAM(I’): identically distributed

Existing perfectly-secure ORAMs: bandwidth O(log^3 N) [DMN’11, CNS’18]

SLIDE 6

Oblivious RAMs: Bandwidth Trade-offs

Single-server
  • Computationally or statistically-secure ORAMs: O(log^2 N / log log N) [KLO’12]
  • Perfectly-secure ORAMs: O(log^3 N) [DMN’11, CNS’18]

Multi-server

Diagram labels: Client, Server S1, Server S2, . . ., Server Sk, request sequence I, response

viewAdv: denotes what the adversary can observe from the semi-honest corrupt servers

Security: for I and I’ of the same length, viewAdv(I) and viewAdv(I’) are identically distributed

SLIDE 7

Oblivious RAMs: Bandwidth Trade-offs

  • 1. Multi-server ORAMs were only computationally or statistically secure
  • 2. Are there inherent advantages in the multi-server setting?

Single-server
  • Computationally or statistically-secure ORAMs: O(log^2 N / log log N) [KLO’12]
  • Perfectly-secure ORAMs: O(log^3 N) [DMN’11, CNS’18]

Multi-server
  • Computationally or statistically-secure ORAMs: O(log N) [LO’13]
  • Perfectly-secure ORAMs: O(log^2 N) [This paper]

SLIDE 8

Oblivious RAMs: Bandwidth Trade-offs

Single-server
  • Computationally or statistically-secure ORAMs: O(log^2 N / log log N) [KLO’12]
  • Perfectly-secure ORAMs: O(log^3 N) [DMN’11, CNS’18]

Multi-server
  • Computationally or statistically-secure ORAMs: O(log N) [LO’13]
  • Perfectly-secure ORAMs: O(log^2 N) [This paper]

  • 1. Multi-server ORAMs were only computationally or statistically secure
  • 2. Are there inherent advantages in the multi-server setting?

O(log N) [AKLNS’18]

SLIDE 9

Our Results

There exists a perfectly-secure 3-server scheme for a single semi-honest corruption to perform:

1. Oblivious stable compaction and merging with O(N) bandwidth

Lower bound: Single-server oblivious stable compaction and merging requires Ω(N log N) bandwidth in the balls-and-bins model [LSX’18]

SLIDE 10

Our Results

There exists a perfectly-secure 3-server scheme for a single semi-honest corruption to achieve:

1. Oblivious stable compaction and merging with O(N) bandwidth

2. ORAM scheme with O(log^2 N) bandwidth

SLIDE 11

Oblivious Sort Incurs O(N log N) Bandwidth

Typically, shuffle is performed using oblivious sort

Figure: array 3 8 7 … 2 5

SLIDE 12

Key Idea: Replace Oblivious Sort With Linear Time Operations

SLIDE 13

Permutation-Storage-Separation Paradigm

Figure: array 7 … 2 5 8 3; Permute Server; Storage Server

Assumption: Data encrypted using perfectly-secure encryption scheme

SLIDE 14

Permutation-Storage-Separation Paradigm

Figure: array 7 … 2 5 8 3

Permute Server: knows permutation; Fisher-Yates: O(N) bandwidth

Storage Server: observes accesses; O(1) bandwidth (assuming position is known)

Lu-Ostrovsky introduced this paradigm [LO’13]

  • Built cuckoo hash tables + used PRFs to access data
  • Computationally-secure

SLIDE 15

O(N) Bandwidth Oblivious Sort?

Can we perform O(N) bandwidth oblivious sort using this paradigm?

  • Not aware of a solution
  • Comparison-based (non-oblivious) sorts incur O(N log N)

SLIDE 16

Our Results

There exists a perfectly-secure 3-server scheme for a single semi-honest corruption to achieve:

1. Oblivious stable compaction and merging with O(N) bandwidth

2. ORAM scheme with O(log^2 N) bandwidth

SLIDE 17

Oblivious Tight Stable Compaction

Input: n elements, some real, some dummy

Output: n elements, all real elements at the beginning, order of real elements is preserved

SLIDE 18

Attempt 1: Oblivious Tight Stable Compaction

Figure labels: Server 1, Server 2

Protocol: Read block, if real, write to storage. Pad with dummies.

Obliviousness: Each server observes a linear scan. Server 2 observes write time steps.

SLIDE 19

Oblivious Tight Stable Compaction

Server 1: Permute

Permute using 𝜌, determine destination

  • Remember head of linked-list
  • Maintain a dummy linked-list too

Inverse permute: 𝜌^-1

Reverse linear scan to create linked-list

Permute using 𝜌 again

Figure: 16-slot arrays (0 … f) illustrating each step

SLIDE 20

Oblivious Tight Stable Compaction

Server 1: Permute

Server 2: Access

Protocol:

  • Traverse real linked list followed by dummy linked list

SLIDE 21

Oblivious Tight Stable Compaction

Server 1: Permute

Server 2: Access

Security: Server 1 permutes and performs linear scan. Does not observe accesses. Server 2 observes accesses, does not know permutation.
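
The linked-list compaction of slides 19 to 21, as an added Python simulation that is not from the presentation or the paper: it models only what Server 2 observes, leaves out the encryption the slides assume, and the names compact, trace_distribution, A and B are hypothetical. It enumerates every permutation 𝜌 to show that Server 2's access trace is identically distributed for two inputs with different real/dummy patterns.

```python
import itertools
from collections import Counter

def compact(items, rho):
    """Tight stable compaction; None marks a dummy, rho[i] is input i's slot on Server 2.
    Returns (output, trace), where trace is the slot sequence Server 2 observes."""
    n = len(items)
    # Reverse linear scan (Server 1's side): each element gets the permuted slot
    # of the next element of its own kind; the two list heads are remembered.
    next_slot = [None] * n
    head = {True: None, False: None}          # key: "is this element real?"
    for i in range(n - 1, -1, -1):
        real = items[i] is not None
        next_slot[i] = head[real]
        head[real] = rho[i]
    # Server 2's storage: element i and its pointer sit at slot rho[i].
    storage = [None] * n
    for i in range(n):
        storage[rho[i]] = (items[i], next_slot[i])
    # Traverse the real linked list, then the dummy linked list.
    output, trace = [], []
    for real in (True, False):
        slot = head[real]
        while slot is not None:
            trace.append(slot)
            value, slot = storage[slot]
            output.append(value)
    return output, trace

def trace_distribution(items):
    """Exact distribution of Server 2's view over all n! choices of rho."""
    n = len(items)
    return Counter(tuple(compact(items, rho)[1])
                   for rho in itertools.permutations(range(n)))

# Constructed inputs of equal length with different real/dummy patterns.
A = ["x", None, "y", None]
B = [None, None, None, "z"]

if __name__ == "__main__":
    print(compact(A, (2, 0, 3, 1)))
    print(trace_distribution(A) == trace_distribution(B))
```

Because 𝜌 is uniform and the traversal order is fixed by the input, every one of the n! slot orderings appears exactly once in either distribution, which is the "identically distributed" condition of slide 6 for a corrupt Server 2.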

SLIDE 22

Oblivious Merge

Figure labels: Server S1, Server S2

Input: S1 and S2 have semi-sorted lists with n1 and n2 elements resp.

Output: Sorted list of n1 + n2 elements on S1

SLIDE 23

Our Results

There exists a perfectly-secure 3-server scheme for a single semi-honest corruption to achieve:

1. Oblivious stable compaction and merging with O(N) bandwidth

2. ORAM scheme with O(log^2 N) bandwidth

SLIDE 24

Hierarchical ORAM [GO’96]

Figure labels: Level log N, Level log N - 1, Level 1; N reals, N/2 reals, N/4 reals

SLIDE 25

Hierarchical ORAM [GO’96]

Figure labels: Level log N, Level log N - 1, Level 1; N reals, N/2 reals, N/4 reals

[GO’96]: O(log N) sized buckets, block b stored in PRF_k(b)

Avoid PRF?

SLIDE 26

Position-based Hierarchical ORAM [CNS’18]

Figure labels: Level log N, Level log N - 1, Level 1; N reals, N/2 reals, N/4 reals

Store blocks shuffled uniformly at random

Access a block:

  • Is the block stored at this level?
  • If yes, location?
  • else, location of a dummy?

SLIDE 27

Position-based Hierarchical ORAM [CNS’18]

Figure labels: Level log N, Level log N - 1, Level 1; N reals, N/2 reals, N/4 reals

For all levels,

  • Is the block stored at this level?
  • If yes, location?
  • else, location of a dummy?

SLIDE 28

Position-based Hierarchical ORAM [CNS’18]

Figure labels: Level log N, Level log N - 1, Level 1

SLIDE 29

Recursive Position-based Hierarchical ORAM [CNS’18]

Position-based ORAM at height-d

Position-based ORAM at height-(d-1)

Block b at height-(d-1) stores the level and position of blocks 2b and 2b+1 at height-d

For all levels, positions of all blocks

Figure labels: b, 2b, 2b+1; height-d, height-(d-1)

SLIDE 30

Recursive Position-based Hierarchical ORAM [CNS’18]

Position-based ORAM at depth-d

  • Is the block stored at this level?
  • If yes, location?
  • Else, location of a dummy

Position-based ORAM at depth-(d-1)

Block b at depth-(d-1) stores the level and position of blocks 2b and 2b+1 at depth-d

For all levels,

Figure labels: b, 2b, 2b+1; height-d, height-(d-1)

Caveats:

  • 1. Does not handle dummies
  • 2. Cannot be used in a black-box manner

SLIDE 31

Co-ordinated Reshuffle Across Hierarchies

Position-based ORAM at height-d

Position-based ORAM at height-(d-1)

Block b at height-(d-1) stores the level and position of blocks 2b and 2b+1 at depth-d

For all levels, positions of all blocks

Co-ordinated reshuffle:

When level l at height-d is reshuffled, all levels ≤ l at height < d are reshuffled

Figure labels: height-d, height-(d-1)

SLIDE 32

Co-ordinated Shuffle in the Multi-Server Setting

  • Permutation-Storage-Separation paradigm
  • Linear time oblivious compaction + merging
  • Linear time co-ordinated shuffle

SLIDE 33

Conclusion

  • Oblivious stable compaction and merging can be performed with O(N) bandwidth using 3 servers
  • 3-server ORAM scheme with O(log^2 N) amortized bandwidth

Thank You!

kartik@cs.duke.edu