Scaling ORAM for Secure Computation

Transcription

1 Session C: Olivious RAM CCS 7, Octoe -Noveme, 7, Dlls, TX, USA Scling ORAM fo Secue Computtion ABSTRACT Jck Doene Nothesten Univesity We design nd implement Distiuted Olivious Rndom Access Memoy (DORAM) dt stuctue tht is optimized fo use in twopty secue computtion potocols We impove upon the ccess time of pevious constuctions y fcto of up to ten, thei memoy ovehed y fcto of one hunded o moe, nd thei initiliztion time y fcto of thousnds We e le to instntite ORAMs tht hold 4 ytes, nd pefom opetions on them in seconds, which ws not peviously fesile with ny implemented scheme Unlike pio ORAM constuctions sed on hiechicl hshing [9], pemuttion [9], o tees [9], ou Distiuted ORAM is deived fom the new Function Secet Shing scheme intoduced y Boyle, Gilo nd Ishi [, ] This significntly educes the mount of secue computtion equied to implement n ORAM ccess, leit t the cost of O(n) efficient locl memoy opetions We implement ou constuction nd find tht, despite its poo O(n) symptotic compleity, it still outpefoms the fstest peviously known constuctions, Cicuit ORAM [4] nd Sque-oot ORAM [55], fo dtsets tht e KiB o lge, nd outpefoms pio wok on pplictions such s stle mtching [6] o iny sech [] y fctos of two to ten INTRODUCTION In spite of the sustntil impovements to the efficiency of twopty secue computtion potocols, they still encounte mjo ostcles when evluting mny types of functions In pticul, functions tht mke dt-dependent ccesses to memoy emin difficult cses A dt-dependent memoy ccess is n ccess to n element within n y, t n inde i tht is computed fom some secet input A secue computtion potocol must guntee tht no infomtion out its inputs is leked to eithe pty, even vi intemedite computtions, nd thus it must e le to eecute such memoy ccesses without leking ny its of i Dt-dependent memoy ccesses e common even in tetook lgoithms; they e equied y, fo emple, iny sech, most gph lgoithms, spse mti methods, geedy lgoithms, nd dynmic pogmming lgoithms Moe genelly, they e equied y ny pogm tht is witten in the RAM model of computtion Any ttempt to evlute such n lgoithm in secue Pemission to mke digitl o hd copies of ll o pt of this wok fo pesonl o clssoom use is gnted without fee povided tht copies e not mde o distiuted fo pofit o commecil dvntge nd tht copies e this notice nd the full cittion on the fist pge Copyights fo components of this wok owned y othes thn the utho(s) must e honoed Astcting with cedit is pemitted To copy othewise, o epulish, to post on seves o to edistiute to lists, equies pio specific pemission nd/o fee Request pemissions fom pemissions@cmog CCS 7, Octoe -Noveme, 7, Dlls, TX, USA 7 Copyight held y the owne/utho(s) Puliction ights licensed to Assocition fo Computing Mchiney ACM ISBN /7/ $5 hi shelt Nothesten Univesity hi@neuedu contet upon lge dtset cetinly equies n efficient dtdependent memoy ccess mechnism The simplest solution to this polem is the line scn technique, which hides the inde of n ccessed element y touching evey element in the memoy nd using multiplees to ensue tht only the desied element is ctully ed o witten This effectively ensues dt-oliviousness, ut it equies n epensive secue computtion involving O(n) gtes fo ech individul memoy ccess With ccesses incuing ovehed line in the size of the entie memoy, scnning is impcticl fo ll ut the smllest mounts of dt Anothe solution is Olivious Rndom Access Memoy (ORAM) Intuitively, ORAM is technique to tnsfom memoy ccess to secet inde i into sequence of memoy ccesses tht cn e eveled to n dvesy, the indices of which ppe independent of i ORAM ws fist poposed y Goldeich nd Ostovsky in thei seminl ppe [9], which studied the genel contet of client-seve memoy outsoucing In this setting, client wishes to pefom computtion on dtse of size n, which is held y some untusted seve, ut does not wnt the seve to len the semntic ptten of ccesses to the dtse Goldeich nd Ostovsky poposed two schemes to solve this polem, the second of which equies tht the client pefom O(polylog n) ccesses to the dtse fo evey ccess in the client s oiginl pogm In the susequent two decdes, ORAM techniques hve een widely studied [7,, 4, 8,, 9, 5, 8, 4, 45 47] with the gols of educing the communiction ovehed etween the client nd seve, educing the mount of memoy equied of the client, nd educing the seve s ovell memoy ovehed Stte of the t ppoches to ORAM design limit the ovehed in ll of these mesues to O(log c n) whee c ORAM cn e pplied to the domin of secue computtion y implementing ORAM client opetions s secue functions, while the mutully-untusting computtion pties she the ole of the ORAM seve This ngement ws poposed y Ostovsky nd Shoup [4], who used it to show tht secue computtions need not tke time line in the size of thei input It ws lte tken up y Godon et l [] Susequently, the development of secuecomputtion-specific ORAMs egn Wng et l [4] oseved tht memoy nd communiction ovehed, the metics fo which ORAM hd tditionlly een optimized, wee inppopite fo the contet of secue computtion They poposed tht cicuit compleity is moe elevnt mesue, nd descied heuistic ORAM sed on this ide Susequently, Wng et l [4] poposed Cicuit ORAM, which offes symptoticlly stong pmetes fo dt-stuctue with smll cicuit compleity Zhu et l [55] oseved tht y eling symptotic ounds, it is possile to poduce scheme tht hs smlle concete cicuit size They descied modifiction of the oiginl Goldeich- Ostovsky Sque-oot ORAM tht is symptoticlly infeio to Cicuit ORAM, ut outpefoms it fo dt sizes up to 4 MiB 5

2 Session C: Olivious RAM CCS 7, Octoe -Noveme, 7, Dlls, TX, USA Although they epesent dmtic impovement ove initil effots, the ORAM constuctions of Godon et l, Zhu et l, nd Wng et l suffe dwcks Fo instnce, they e ll ecusively stuctued Tht is, ccessing the top level ORAM dt stuctue fo n elements equies ecusively ccessing nothe ORAM dt stuctue of size n/8 elements, nd so on, ech lye dding communiction ound As esult, ech semntic ccess equies ccessing O(log n) diffeent ORAM lyes, incuing O(log n) ounds of communiction nd ltency These constuctions lso hve high concete memoy ovehed, due in pt to thei ecusive ntue nd to the fct tht they stoe wie lels fo ech it of thei memoy, ech wie lel eing t lest 8 times lge thn the dt it epesents All pio esech effots of which we e we epot on concete epeiments tht involve t most elements In ou own epeiments, we confim tht the constuctions they descie cnnot hndle moe elements in esonle mount of time nd spce The lst, nd possily most significnt polem is initiliztion In mny cses, n ORAM must e filled with some initil dt efoe it cn e used Cicuit ORAM equies n individul wite into ech element, pocess tht is etemely epensive: we oseved it to equie moe thn seconds fo modetely-sized memoy of 5 elements Zhu et l s Sque-oot ORAM is symptoticlly simil, ut uses pemuttion netwok [4] insted of individul wites to chieve constnt-fcto impovement of oughly Nevetheless, even fo modetely-sized memoies, initiliztion is significnt cost These ottlenecks limit the use of secue computtion potocols mostly to dt-independent lgoithms (eg AES [6], edit distnce [44], o line egession []) o RAM pogms tht eploit specific lgoithmic popeties to estict thei ccess pttens (eg BFS [6], Dijkst s lgoithm [7], o stle mtching [6]) Contiutions We popose new dt stuctue tht ddesses the dwcks discussed peviously, nd we demonstte the fist concete secue computtion memoy implementtion tht is cple of hosting dt t the scle of mny gigytes Ou scheme hs fste ccess times thn ll pio constuctions fo memoies tht e lge thn KiB, nd, s it does not hve ny ecusive components, ech ccess equies only thee ounds in pinciple Unlike pio ORAMs, ou dt stuctue suppots ed nd wite opetions independently, nd cn pefom ed opetions sustntilly fste Insted of stoing wie lels, we stoe eithe XOR-shes o encyptions of the dt, nd theey educe the memoy ovehed to smll constnt Additionlly, we hve line-time method to fill ou stuctue with initil dt tht equies no secue computtion As esult, n instnce with 4-yte elements cn e initilized in 4 milliseconds, oughly times fste thn the est pio initiliztion technique fom Zhu et l s Sque-oot ORAM [55] We show tht ou dvntges hold not only in micoenchmks, Wng et l [4] epot on n instnce of Cicuit ORAM stoing 4-yte elements using n olde implementtion of Cicuit ORAM tht stoes its dt s XOR-shes insted of wie lels, ut they do not epot concete pefomnce figues fo tht size In this ppe we evlute the fste implementtion epoted y Zhu et l [55]; with this implementtion, n instnce of Cicuit ORAM lge thn 64 MiB ehusts the GiB of memoy in ech of ou two test mchines See Figue 8d ut lso in peviously-pulished ppliction contets such s iny sech nd stle mtching In contst to most pio secue computtion ORAM esech, we conside the Distiuted ORAM model [], nd deive ou scheme fom two-seve Pivte Infomtion Retievl (PIR) techniques In PIR, client wishes to etieve n element A i t inde i in dtse A, copies of which e held y two seves The client issues quey q (i) to seve nd quey q (i) to seve, nd the seves espond with shot messges m nd m espectively, which the client cn use to econstuct A i PIR schemes must stisfy two popeties: the totl communiction etween client nd seves must e su-line in n, nd the quey q p (i) in isoltion must evel no infomtion out i Gilo nd Ishi [7] nd Boyle, Gilo, nd Ishi [] ecently pesented supisingly efficient PIR constuction tht is sed on the notion of function secet shing (FSS) scheme fo distiuted point function (DPF) Thei constuction offes popeties new to PIR which mke it well-suited fo use in n ORAM fo secue computtion In pticul, it poduces quey messge of size O(log n), s opposed to the size of O (n / ) equied y mny PIR schemes [5], nd it equies only cyptogphic pseudo-ndom geneto, whees othe PIR schemes with logithmic quey size equie pulic key cyptogphy We discuss the specifics of this pimitive in Section In ou constuction, the pties to the secue computtion, Alice nd Bo, lso ct s the two seves in the PIR scheme, nd secue computtion pefoms the ole of the client Owing to the efficiency of FSS, ou ORAM equies vey smll secue computtion in compison to pio ORAM designs (up to one hunded times smlle fo the memoy sizes tht we eploe) The second novel popety offeed y Boyle et l s PIR scheme is suppot fo PIR-witing, which we use to implement ORAM wite opetions, in comintion with stndd stsh dt stuctue tht etins updted elements until they cn e eintegted into the ORAM s min memoy The secue computtion needed to implement the stsh hs n motized computtion nd communiction compleity of O( n) pe ccess; howeve, s demonstted y Zhu et l [55], even schemes with compleity of O ( n log n) cn outpefom poly-logithmic schemes in pctice Ou stsh eintegtion pocedue is elted to ou initiliztion pocedue, nd similly equies line time with no secue computtion The theoeticl disdvntge of ou PIR-deived ORAM stems fom the fct tht the seves in PIR scheme (ie, Alice nd Bo, in ou cse) must pefom O(n) locl computtion This is n unvoidle popety of ny PIR system Howeve, unlike the O(n) secue computtion equied y tditionl line scn, this computtion is simple, highly pllelizle, nd enjoys widesped hdwecceletion suppot In pctice, secue computtion potocols e typiclly ottlenecked y netwok o single-coe CPU pefomnce nd utilize vey smll potion of the totl computtionl powe nd memoy ndwidth ville with moden hdwe; thus, the ppoch of eplcing secue computtion with symptoticllywose locl computtion cn yield significnt pefomnce impovements Despite the poo theoeticl compleity of ou scheme, we show vi concete implementtion tht it outpefoms ll pio ORAMs, even fo lge dtsets 54

3 Session C: Olivious RAM CCS 7, Octoe -Noveme, 7, Dlls, TX, USA Due to the hevy influence of the FSS scheme nd the fct tht the computtion pties mke locl line scns of the memoy fo ech opetion, we cll ou ORAM constuction Function-secet-shing Line ORAM, o Flom As with most pio ORAM esech, ou implementtion is in the honest-ut-cuious dvesil setting We conjectue tht ou scheme cn e hdened moe esily thn othes due to its simplicity, ut we leve tht question fo futue wok Ogniztion The eminde of the ppe is ognized s follows: In Section, we eview definitions of techniques we use, including ORAM nd the ecently developed technique of Function Secet Shing In Section we constuct simple single-function ORAMs sed upon FSS, nd nlyze thei popeties, nd in Section 4 we comine nd etend these constuctions to yield fully functionl ORAM In Section 5 we pesent technique fo outsoucing the FSS computtion tht yields significnt pcticl speed incese ove nïve implementtion Finlly, in Section 6, we descie n implementtion of ou scheme nd evlute its pefomnce In the full vesion of this document [5] we give foml definitions nd secuity poofs BACKGROUND Secue Multi-pty Computtion The field of Secue Multi-Pty Computtion (MPC) studies mechnisms y which goup of individuls, ech individul i hving some secet input i, cn evlute function y = f (,, ) jointly, in such wy tht no pty i lens nything othe thn wht is eveled y the output y nd thei pivte input i Specificlly, pty i must neithe len ny j fo ll j i, no ny intemedite vlue deived fom j duing the evlution of f A specil cse of MPC is Two-Pty Computtion (PC), in which only two pties, Alice nd Bo, pticipte Though mny vitions of MPC hve een developed in its thityplus ye histoy, nd it is likely possile to dpt ou wok to suit significnt suset of them, this ppe focuses on Yo s Gled Cicuits [5, 5] Yo s Gled Cicuits confoms to the honest-ut-cuious o semi-honest secuity model, in which Alice nd Bo e tusted to follow the potocol instuctions, ut e cuious dvesies who my ttempt to len ech othes secets y nlyzing potocol tnscipts Outside oseves my lso nlyze potocol tnscipts, ut must len nothing in so doing Selective secuity fo Yo s Gled Cicuits in this model hs een poven y Lindell nd Pinks [], nd dptive secuity y Jfgholi nd Wichs [6] We povide stndd secuity definition in the full vesion of this document [5] Olivious RAM ORAM [9] is dt stuctue tht povides the fmili semntics of ndom ccess memoy, ut tnsltes the logicl ccess instuctions it eceives into sequences of physicl ccesses in such wy tht no dvesy cn ecove the logicl ccesses y oseving the physicl ccess pttens An ORAM must suppot the functions Red(i) nd Wite(i, v), which pefom semntic eds nd wites to loctions specified y pivte inde i An ORAM my lso suppot functions Apply(f, i,v), which pplies some function pivtely to single loction, nd Init(V ), which fills the ORAM with dt fom the y V As tditionlly defined, n ORAM must stisfy the secuity popety tht, fo ny two sequences of logicl ccesses of the sme length, tnscipts of the physicl ccesses poduced must e indistinguishle We concen ouselves with vint, Distiuted Olivious RAM (DORAM) [], which consides the contet wheein the undelying memoy is split mong multiple pties, nd which stisfies slightly weke secuity popety: fo ny two sequences of logicl ccesses of the sme length, tnscipts of the physicl ccesses pefomed y ny single pty must e indistinguishle Intuitively, no pty my len nything out the semntic memoy y oseving thei own she of the physicl memoy We povide foml definitions fo DORAM in the full vesion of this document [5] ORAMs e tditionlly consideed to hve some mnne of secue CPU tht tnsfoms semntic memoy ccesses into physicl ones In the setting of MPC, the CPU is typiclly implemented s multipty potocol Thus, in some sense, ll ORAMs ecome DORAMs when pplied to MPC: the constuctions s wholes cn e only s secue s the MPC potocols tht implement thei CPUs, nd no potocol cn e secue when ll pticipnts e coupt Fo simplicity, we efe to ou scheme s n ORAM, ecept whee the distinction is impotnt Function Secet Shing Secet Shing [7] llows dele to divide secet vlue into m shes, one fo ech of m pties, such tht none of the pties cn individully gin ny insight into the secet vlue, yet ll m shes, s goup, contin enough infomtion to econstuct it Recently, Gilo nd Ishi [7] oseved tht it is possile to secet-she point function using shes with sizes suline in the size of the function s domin; they cll this concept Distiuted Point Function (DPF) Boyle et l [, ] susequently impoved upon this wok nd descied how to constuct twoseve PIR scheme using DPF We egin y fomlly defining Function Secet Shing Scheme fo two pties Definition (Point Function) A point function is function f α, β : [, n] G such tht f α, β () = β if = α othewise Definition (Function Secet Shing Scheme fo Point Functions [, 7]) A two-pty function secet shing scheme is pi of Poilistic Polynomil Time lgoithms (Gen, Evl) of the following fom () Gen( λ, (α, β)) is key genetion lgoithm, which on input λ ( secuity pmete), nd desciption of point function function f α, β, outputs tuple of keys (k FSS, k FSS) () Evl(kp FSS, ) is n evlution lgoithm, which on input kfss p (pty key she fo pty p {,}), nd evlution point [, n], outputs goup element yp G nd it t p {, } such tht yp = f p () (pty p s she of f ()) nd tp is she of if f () =, o she of othewise Definition (Secuity fo n FSS Scheme fo Point Functions) A two-pty FSS fo point functions is secue if 55

4 Session C: Olivious RAM CCS 7, Octoe -Noveme, 7, Dlls, TX, USA () (Coectness) Fo ll point functions f α, β, nd fo evey [, n] in the domin of f α, β (k FSS, k FSS ) Gen(λ, (α, β)) = P [ Evl(k FSS, ) Evl(k FSS, ) = f ()] = () (Pivcy) Fo evey coupted pty p (eithe o ), nd evey sequence of point function desciptions f, f,, thee eists simulto Sim such tht: { (k FSS, k FSS } { } ) Gen(λ, f λ ) : kp FSS c Sim(p, λ ) λ N λ N In othe wods, the simulto cn poduce she (without knowing the function) tht is indistinguishle fom the el she fo the function Thus, the function she leks nothing out f α, β othe thn its domin nd the goup tht contins its nge We summize the FSS constuction of distiuted point function f α, β fom Boyle et l [, ] in Figue The Gen( λ, (α, β)) method poduces shes k FSS, k FSS of the point function f α, β These shes consist of one pivte seed ech (s, t nd s, t espectively), nd the est of the infomtion in the she is the sme fo oth pties The FSS scheme follows tee-sed constuction, wheein ech node of the tee is ssocited with seed, nd pseudo-ndom geneto (PRG) is used to doule the seed into two seeds, one fo the left child, nd one fo the ight At ech level j of the tee, Alice nd Bo will hve ectly the sme seed fo ll nodes ecept fo the node long the pth fom the oot to the lef α At this node, Alice nd Bo hve diffeent seeds, s j,α j nd s j,α j espectively, nd thus the epnsion of thei seeds esult in diffeent seeds fo the childen of this node t level j +, s j+,, s j+, nd s j+,, s j+, The scheme povides coection wod σ j nd two dvice its, τ j, nd τ j,, fo ech level σ j is conditionlly pplied to oth child seeds of node ccoding to t j = Ls(s j,α j p ) t j τ j,α j This modifies the child seeds such tht ftewd, Alice nd Bo she the sme seed fo ll nodes ecept fo the node long the pth to lef α Tht is, of the two childen of ech node long the pth to lef α, fo which Alice nd Bo s seeds diffe, one is dectivted (ie Alice nd Bo s seeds t tht position e mde identicl), nd the othe is not This coection is pefomed in such wy tht neithe pty cn detemine which nch hs een dectivted A Pivte Infomtion Retievl (PIR) system is mechnism y which client my etieve n item fom dtse eplicted mong some nume of seves, without eveling to ny seve which item ws etieved Though simil to ORAMs, PIR systems e notly distinct: they typiclly do not concen themselves with witing o with hiding the contents of the memoy fom the seves, they do not equie ny initiliztion o llow eogniztion of the dtse, nd they do not incu memoy oveheds fo the client o seves On the othe hnd, PIR schemes tke fo gnted tht seves must pefom O (n) wok fo ech ccess, whees ORAM litetue hs hitheto focused on poviding suline-in-n computtion compleity When comined with memoy encyption, PIR scheme my e thought of s n Olivious Red-only Memoy (OROM), nd we show how to constuct such pimitive fom FSS in Section function Gen( λ, α = α m α α, β ): s, s $ {, } λ // pick ndom seeds t, t ndom o she of 4 fo j [, m]: {( j, 5 s p sp j, )} p {,} { Pg ( s p j )} p {,} 6 σ j s j,α j s j,α j // o off-pth childen 7 τ j, Ls ( s j, ) ( ) j, Ls s αj 8 τ j, Ls ( s j, ) ( ) j, Ls s αj 9 { { j s p }p {,} { } j tp s j,α j p p {,} { Ls ( s α j p } tp j σ j ) j t p p {,} γ s m s m β k FSS ( s, t, {σ j, τ j,, τ j, } j [,m], γ ) k FSS ( s, t, {σ j, τ j,, τ j, } j [,m], γ ) 4 etun k FSS, k FSS 5 6 function Evl(k FSS p, = m ) τ j,α j } p {,} 7 // Pse key k FSS p s (s p, t p, {σ j, τ j,, τ j, } j [,m], γ ) 8 fo j [, m]: ( 9 s j, s j,) Pg ( s j ) s j s j, j t j σ j t j Ls ( s j, j ) t j τ j, j y s m t m γ etun y, t m Figue : Pseudocode fo the Function Secet Shing scheme Ou design follows Boyle et l [, ] SINGLE-FUNCTION MEMORY We egin y eplining how to constuct wite-only nd edonly ndom ccess memoies fom the FSS scheme descied in Section The constuctions pesented hee my e independently useful in scenios wheein simultneous ed nd wite cpilities e not needed; we comine them into full ORAM in Section 4 Olivious Wite-Only Memoy We fist constuct n Olivious Wite-Only Memoy (OWOM), sed on the folkloic technique of PIR-witing Both pties hold locl XOR-she of ech memoy loction; in ode to wite to loction i (this inde eing given s pivte dt within the MPC potocol), the secue computtion must detemine the diffeence, v, etween the vlue ledy stoed thee nd the vlue to e witten It must then use the FSS scheme to constuct distiuted point function tht evlutes to eveywhee ecept loction i, wheet the DPF evlutes to v Alice nd Bo individully evlute thei shes of the DPF, nd dd these shes into the memoy-shes tht they hold Becuse they e dding shes of zeo t ll loctions othe thn i, those vlues emin unchnged At inde i, they dd shes of the diffeence etween the old nd new vlues to shes of the old vlue, poducing shes of the vlue tht ws to e witten 56

5 Session C: Olivious RAM Alice CCS 7, Octoe -Noveme, 7, Dlls, TX, USA Secue Computtion Alice Bo Secue Computtion i, k i,v W W W (kfss,kfss) Gen(λ,i,v ) kfss (y,t ) W' Evl(kFSS,) W y R R R (kfss,kfss) (y,t ) W' Evl(k,) FSS (y,t) v W y Gen(λ,i,β) kfss kfss W W W (y,t) R t v v v Wn Wn Rn Evl(kFSS,) R t Rn v Figue : Digm of Olivious Wite-only Memoy To pefom wite, the secue computtion genetes shes of DPF, k FSS nd kfss, which e distiuted to Alice nd Bo Alice nd Bo ech evlute the DPF t evey vlue [, n] nd XOR the esult into thei espective coesponding shes of the OWOM memoy R R R kfss Evl(kFSS,) Bo Pfk(i) v v v Figue : Digm of Olivious Red-Only Memoy To pefom ed, the secue computtion genetes shes of DPF, k FSS nd kfss, which e distiuted to Alice nd Bo Alice nd Bo ech evlute nomlized vesion of the DPF t evey vlue [, n], clculte the dot poduct of the nomlized DPF with thei espective copies of the OROM memoy, nd feed the esult ck into the secue computtion to compute the vlue v t loction i Moe pecisely, we epesent the vlue t memoy loction i s W i, nd pty p s she s Wpi, whee W i = Wi Wi To wite vlue W i into the memoy, the secue computtion clcultes v = W i W i nd then (kfss, kfss ) Gen(λ, (i, v )), deliveing kfss to Alice nd kfss to Bo, who use these keys to deive (yp, tp ) Evl(kpFSS, ) fo ll [, n] Fo the pupose of witing, the pties will ignoe tp nd use the min DPF output yp, which they XOR into the undelying memoy to pefom the wite, Wp Wp yp Becuse wite opetions e pefomed y cumultively XORing djustment vlues with ech W i, it is necessy to wite the diffeence etween the old nd new vlues, the thn witing the new vlue diectly In sence of ny mechnism fo eding (o othewise detemining which vlues e cuently stoed), this limits ou OWOM to use only in wite-only, wite-once situtions Howeve, it will ecome uilding lock fo full ORAM in the net section We depict this scheme in Figue Though this scheme pemits n unlimited nume of eds, it cnnot e witten Ech pty stoes -msked copy (ie n encyption) of the dt the thn secet she: wee ny single memoy loction to e chnged y wite, the ccess ptten would e eveled; on the othe hnd, if ll memoy loctions wee chnged duing wite, the semntic vlues of those not eing updted must e destoyed Compleity Anlysis Fo oth schemes, the secue FSS component (which foms the ulk of the secue computtion) is identicl The computtion of Gen(λ, (α, β )) equies 4 log (n) evlutions of the PRG function, long with some sic oolen opetions It must e seeded with ndom dt of length O (λ), nd it poduces n output of size O (λ log n) whee λ is the secuity pmete This output cn e eveled to the computtion pties ll t once, o incementlly, in log n chunks of λ its, one fo ech lye of the FSS scheme In the fome cse, the secue component incus memoy compleity of O (λ log n) nd O () communiction ounds In the ltte cse, the secue component incus memoy compleity of O (λ), nd no dditionl ounds, s the secue computtion does not need to wit fo eplies In eithe cse, the communiction nd computtion compleities e O (λ log n) Susequently, locl computtion is equied to constuct the DPF, (yp, tp ) Evl(kpFSS, ) fo ll [, n] If ll n FSS evlutions e comined into single opetion, then the FSS tee cn e constucted in its entiety only once, equiing O (n) PRG clls In the cse of wite, ech of the n elements in the output DPF s domin must e XORed into the coesponding memoy loction; in the cse of ed, the dot poduct of the DPF nd the memoy must e tken insted In eithe cse, this incus O (n) memoy ccesses All of the opetions pefomed y the locl FSS evlution nd the ppliction of the output DPF e highly pllelizle We mke Olivious Red-Only Memoy We implement ed-only memoy in mnne simil to clssic PIR constuctions Alice nd Bo, in thei oles s the PIR seves, ech hold identicl copies of the memoy, msked y the output of pseudo-ndom function () using key k tht is known to the secue computtion, ut not to Alice o Bo individully To ed n element R i fom the memoy t pivte inde i (gin, this inde is given s pivte dt within the potocol), Alice nd Bo engge in secue computtion potocol to clculte (kfss, kfss ) Gen(λ, (i, β )) Ech pty eceives kpfss nd uses it to clculte (yp, tp ) Evl(kpFSS, ) fo ll [, n] Although the DPF yp my hve n ity nge β, fo the pupose of eding, it is necessy tht they hold DPF of mgnitude Thus, the pties will use the finl dvice its, tp, which essentilly epesent sme DPF nomlized to {, } Both pties compute L the R Accoding to the popeties of ou FSS scheme, vp = t p since t = t fo ll, i, it follows tht v v = R i Finlly, Alice nd Bo use secue computtion to evlute Pf k (i) R i, effectively impoting the semntic vlue of inteest into the secue computtion We depict this scheme in Figue 57

6 Session C: Olivious RAM CCS 7, Octoe -Noveme, 7, Dlls, TX, USA W W W W n R' R' R' R' n W' W' W' W' W' n R' Alice Choose k Pf k () W W' W' W' k W' k W' R' Secue Computtion Bo Choose k Pf k () W W' W' W' W' W' W' n W W W W n R' R' R' Figue 4: Digm of the Flom Refesh method In ddition to the opetions illustted hee, the secue computtion must cle the stsh etensive use of this fct in ou concete implementtion, nd in Section 6 we show epeimentlly tht the locl component does not ecome significnt uden until the mount of dt stoed is on the ode of hundeds of megytes 4 READING AND WRITING We now comine the OWOM nd OROM fom Section into n ORAM constuction We need few uilding locks in ode to mke this comintion possile, nd conjectue tht these uilding locks e sufficient fo the comintion of ny PIR nd PIR-witing schemes into n ORAM, ssuming tht the schemes themselves e suitle (tht is, thei ccess pttens nd undelying memoy fomts e secue) At high level, the constuction woks s follows: we initilize oth n OROM nd n OWOM with the sme dt, nd cete line-scn stsh tht stoes elements while they e witing to e etuned to the min memoy Red opetions e pefomed y inspecting oth the stsh nd the OROM, nd etuning the most ecent dt Wite opetions e pefomed y fist eding the cuent vlue t the specified inde, using it to clculte the diffeence necessy to coectly updte the OWOM, nd finlly witing the new vlue into oth the OWOM nd the stsh When the stsh fills, we pefom efesh opetion to convet the OWOM memoy into OROM memoy, nd then cle the stsh The cost of this efesh cn e motized ove the efesh peiod of the constuction Becuse we use this stsh-nd-efesh technique, ou motized secue computtion compleity ecomes O( n) Refesh Pocedue To efesh ou ORAM constuction, we need to convet the undelying memoy of n OWOM into the undelying memoy of n OROM The fome stoes its dt s XOR-shes, while the ltte uses msked copy of the dt s the undelying R' n fomt We cn void incuing ny secue computtion ovehed t ll if, insted of msking the OROM memoy only once, using key known only to the secue computtion, we msk it fist with key known only to Alice, nd then with key known only to Bo To convet the OWOM into n OROM, Alice nd Bo msk thei locl OWOM memoy shes using two s with individul secet keys, k nd k W p { W p Pf k () W p p } [,n] They ech tnsmit thei msked OWOM memoy she to the othe pty, nd oth pties clculte R { R W W } [,n] Finlly, ech pty feeds thei key kp into the secue computtion, so tht the OROM memoy cn e unmsked vi v Pf k () Pf k () R This efesh pocedue is illustted in Figue 4 Unlike pevious Sque-oot ORAM constuctions [9, 55], ou efesh pocedue does not equie ccess to the stsh Insted, we simply cle it Ou stsh seves only the pupose of llowing updted elements to e ccessed multiple times etween efeshes Semi-pivte Access It my e the cse tht some lgoithms cll fo oth pivte (ie dt-dependent) nd dt independent ccesses to the sme memoy Ostovsky nd Shoup efe to the ltte type of ccesses s semi-pivte [4] To ou knowledge, it hs heetofoe een necessy to implement ll ccesses s fully pivte ccesses in such scenio, o to pefom costly impot nd epot opetions upon the entie ORAM Flom, howeve, llows fo secondy, semi-pivte ccess mechnism, which hs significntly educed symptotic nd pcticl cost Unlike ll othe ORAMs of which we e we, Flom stoes ech memoy element t the physicl ddess coesponding to its semntic inde Thus, to ed the element t the pulicly known semntic inde i, the two pties feed thei OWOM memoy shes W i nd W i into the secue computtion, which computes the vlue W i in O() compleity (nd potentilly using only fee gtes [8]) Semi-pivte wites must dditionlly ppend to the stsh Pivte Red Access Red opetions tht e pulicly known to e ed opetions cn lso e pefomed without invoking the full-ccess mechnism: neithe wite to the stsh no wite to the OWOM is equied Becuse no wite to the stsh is equied, ORAM eds do not contiute to the efesh peiod Full Pivte Access A full pivte ccess ccepts some ity olivious function f nd pplies it to single element within the ORAM f tkes n ORAM element nd some uiliy input v f, nd poduces new element nd some uiliy output y f We use this genel-pupose mechnism to implement ORAM wites vi simple f wite tht etuns v f s the output element To pefom full ccess, ou scheme fist etieves the desied element fom the OROM, then scns the stsh to detemine whethe newe vesion of the sme element eists f is then pplied to it Finlly, the esult is stoed using n OWOM opetion nd ppended to the stsh Becuse the OROM nd OWOM ccess the sme element, they cn she single FSS evlution This pocess is illustted in Figue 5 58

7 Session C: Olivious RAM CCS 7, Octoe -Noveme, 7, Dlls, TX, USA R R R R n W W W W n Alice v R t Secue Computtion i,f,v f,stsh,k,k FSS (k,k FSS ) Gen(λ,i,β) FSS (y,t ) Evl(k,) (y,t ) y' W' v Stsh k FSS v { v y v t W y' u if (j,u) Stsh : j = i Pf k (i) Pf k (i) v v othewise {{ }(j,u) (v',y f ) f(v,v f ) v = v' v β (, ) if j = i (j,u) othewise y f,stsh v Stsh y' k FSS v W' Evl(k FSS,) R t {(i,v')} v y v t W y' Bo R R R R n W W W Figue 5: Digm of the Flom Access method Note tht β is ndomly chosen on ech ccess Initiliztion The initiliztion of ou ORAM cn e pefomed efficiently using the mechnism fo efeshing tht we descied elie Tht is, ssuming tht the pties egin with some secet shing of the dt vlues with which the ORAM is to e filled, they my initilize it y copying those shes into the OWOM s memoy nd pefoming efesh If the ORAM is hosted y Yo s Gled Cicuits potocol, then the point-nd-pemute technique of Beve et l [4] cn e used to encode XOR shes of the dt within the potocol s wie lels, effectively mking the genetion of shes fee ction Futhemoe, ecuse this technique encodes the XOR shing of ech dt it only in the finl it of much lge wie-lel, it is ctully significnt constnt fcto fste to initilize ou ORAM thn it is to pefom single line scn on the sme dt To ou knowledge, this popety is unique mong ll known ORAMs Compleity Anlysis If we iefly set side the stsh, the compleities of ou scheme fo full ccess to pivte indices closely follow the compleities of the individul components descied in Section Tht is, ech ccess equies single FSS Gen eecution within the secue contet, incuing O(log n) communiction nd secue computtion, followed y the evlution of the DPF t ll points in its domin, incuing O(n) locl computtion y oth pties This is in tun followed y memoy scn fo the ROM component, dding futhe O(n) locl computtion, n unmsking within the secue computtion contet, which ccounts fo O() communiction nd secue computtion compleity, nd locl W n memoy scn fo the WOM component, which incus futhe O(n) locl computtion Thus, still ignoing the stsh, stndd ccess opetion incus O (log n) secue computtion nd communiction ovell, s well s O(n) locl computtion The stsh must e tvesed on ech ccess, nd its length depends upon the efesh peiod of the ORAM The efesh opetion equies simple msking (ie encyption), tnsmission, nd element-wise XOR of n memoy elements y ech of the two pties, without ny secue computtion Thus the totl cost of efesh is O (n) in tems of locl computtion nd communiction This is optimlly motized ove O ( n) ccesses, nd thus the cost of ech ccess must include the cost of scnning O ( n) elements in the stsh The optiml constnt cn e detemined y the eltive costs of secue nd locl scns Ou concete implementtion uses stsh of size n/8 A summy of these costs, long with compisons to othe ORAM schemes, is povided in Tle The symptotic compleity of ou initiliztion pocedue is O(n) in tems of locl computtion, memoy, nd communiction Like the efesh pocedue on which it is sed, it equies no secue computtion t ll This is optiml, t lest fom compleity stndpoint Futhemoe, s we shll see in Section 6, the pcticl costs of ou initiliztion pocedue e so low tht it is ctully fste in pctice thn simple memcpy ove the sme dt Compison to othe ORAM schemes Ou ORAM scheme stnds in contst to those tht hve peceded it in nume of espects, s summized in Tle Hee we discuss thei implictions We focus pimily on the secue component of ou scheme (which cnnot e pllelized), nd eploe the pcticl consequences of the locl component in Section 6 Although ou ORAM uses simple stsh tht incus sque-oot ovehed, it does not use ecusive position mps o pemuttions equied y Zhu et l s constuction [55], no does it need the soting nd iny seching equied y the clssic Goldeich nd Ostovsky constuction [9] Consequently, its optiml stsh size is much smlle Moeove, ou scheme cn e efeshed moe efficiently thn tht of Zhu et l, nd much moe efficiently thn clssic Sque-oot ORAM, which equies O(n) encyptions within the secue contet s well s n olivious sot fo ech efesh opetion In pevious Sque-oot ORAM constuctions, stsh scn nd motized efesh opetions ccounted fo the vst mjoity of pe-ccess cost; in hving povided symptotic impovements to oth (s well s significnt constnt cost impovements), we hve mde ou new ORAM f moe suitle thn its pedecessos fo hndling lge dt sizes On the othe hnd, ou ORAM equies O(log n) clls to PRG within the secue contet fo ech ccess Becuse these PRG clls e epensive, ou ORAM is less suitle thn tht of Zhu et l fo smll dt sizes In Section 5, we descie method fo educing the nume of secue PRG clls to O() t the cost of incuing O(log n) communiction ounds This significntly impoves ou pefomnce fo smll vlues of n, ut fo vey smll vlues, the constuction of Zhu et l emins moe efficient in pctice A compison to Cicuit ORAM (nd othe tee-sed ORAMs) is somewht less stightfowd Ou ORAM enjoys n initiliztion pocedue mny odes of mgnitude moe efficient; howeve, in tems of ccess compleity, Cicuit ORAM emins hed Nonetheless, s we shll discuss in Section 6, eduction in constnt costs 59

8 Session C: Olivious RAM CCS 7, Octoe -Noveme, 7, Dlls, TX, USA Access Initiliztion Flom Floom Sque-oot Cicuit Flom Floom Sque-oot Cicuit Secue Comp O ( n) O (log n) O ( n log n) O (log n) O (n log n) O (n log n) Locl Comp O (n) O (n) O ( n log n) O () O (n) O (n) O (n log n) O () Communiction O ( n) O (log n) O ( n log n) O (log n) O (n) O (n) O (n log n) O (n log n) Rounds O () O () O (log n) O (log n) O () O () O (log n) O (n log n) Tle : Access nd Initiliztion Compleities Compleities include motized efesh opetions whee elevnt Floom efes n instntition of Flom with stsh size of zeo (ie one which hs ecently een efeshed); due to the fct tht only wites incese the stsh size, efeshes cn e foced efoe long sequences of eds to chieve these compleities endes ou scheme f moe efficient in pctice Boyle et l [] popose plleliztion method fo tee-sed ORAMs, fom which it is possile to deive n initiliztion pocedue tht uses pemuttions in plce of individul wites With this mechnism, Cicuit ORAMs could chieve initiliztion pefomnce simil to tht of Zhu et l s constuction, t est Although the locl component of ou ORAM is highly pllelizle, no equivlent plleliztion scheme fo ou secue component is possile Finlly, it is wothwhile to cknowledge the distinctions etween ou scheme nd the ecent wok of Ahm et l [], which lso comined ORAM with PIR Like Flom, thei scheme is popely Distiuted ORAM, ut in contst, thei scheme uses PIR to etieve single elements long the nches of lge ecusive tee ORAM Consequently, it shes moe with Cicuit ORAM nd Onion ORAM [5] thn it does with ou scheme They optimize fo communiction ovehed, nd thei scheme chieves communiction compleity of O (log n) pe ccess, which we cn mtch only when no wites e pefomed Futhemoe, it is likely tht PIR-seve computtion is significntly less udensome in thei scheme, since thei PIR equies no PRG nd is evluted ove only O(log n) elements On the othe hnd, they pimily conside the outsoucing model, nd do not ccount fo costs in n MPC contet We find it likely 4 tht these would e simil to Cicuit ORAM Secuity Anlysis To gue tht ou scheme is semi-honest secue, we must pesent simulto tht poduces pty s view of n ORAM opetion (without eceiving ny infomtion out othe pties pivte inputs) tht is indistinguishle fom the sme pty s view of the el ORAM opetion Simultos fo ccess nd initiliztion, long with poofs of computtionl indistinguishility, e pesented in the full vesion of this document [5] Infomlly, the secuity of ou scheme follows fom the secuity popeties of the MPC technique chosen to host the constuction nd the secuity of the FSS scheme, which guntees tht the neithe the FSS key she no the output leks ny infomtion out the ssocited point function, othe thn its domin nd nge The undelying memoy itself evels nothing out its contents due to its mechnism of epesenttion: ech pty views n OROM memoy tht is msked y the output of fo which they key is not This mechnism hs not yet een implemented, so we cnnot cuently povide concete dt to suppot this clim 4 As we hve no implementtion of thei scheme (MPC-oiented o othewise), we cnnot pefom pcticl evlution known, s well s n infomtion-theoeticlly secue secet-she of n OWOM memoy PRG nd Among sevel options fo the PRG, we hve chosen AES-8 [] Significnt esech effot hs een put towd optimizing the oolen-cicuit epesenttion of AES [8, 49], nd these optimiztions hve ntully een dpted fo the contet of secue computtion [4] Specificlly, we use the AES S-o cicuit of Boy nd Pelt [9], which equies less thn 5 non-fee gtes pe lock, nd we ccelete locl AES evlutions using Intel s AES-NI instuction set In ode to void the cost of epeted key epnsion, we ssume tht AES stisfies the idel ciphe popety nd use the Dvies-Meye constuction [48], with independent keys fo left nd ight epnsions in the FSS tee We use AES in counte mode s the tht msks the OROM 5 CONSTANT SECURE PRG EVALUATIONS The costliest single component of ou scheme is the epeted evlution of the PRG function within the secue computtion of the FSS Gen lgoithm In this section, we pesent n optimiztion tht cn e used to chieve significnt constnt-fcto speed impovement eltive to nïve implementtion y outsoucing the evlutions of the PRG in the FSS Gen lgoithm to Alice nd Bo Tht is, insted of Alice nd Bo pefoming single secue computtion which uses O(log n) PRG epnsions to compute thei shes of the FSS key (line 5 in Figue ), we insted divide Gen into m = log n itetive computtions tht compute the FSS key one pt t time Supisingly, we cn divide the computtion in mnne tht equies no PRG evlutions inside the secue computtion, nd tht lso mintins the secuity popeties of the oiginl 5 Specificlly, we devise n equivlent method of computing the vlue σ j (line 6 in Figue ) tht does not equie the PRG to e evluted in secue computtion Heefte, we efe to this s the Constnt PRG o CPRG optimiztion Thus f, ou FSS nottion hs only identified seeds s j,α j p tht e on the pth fom the oot to the lef α in the FSS evlution tee We now intoduce nottion to identify ll of the nodes in the evlution tee Let Sp j,l denote the l th node fom the left t level j of plye p s FSS evlution tee, whee p {, }, j [, m], nd 5 ie, we will still e le to simulte the view of Alice o Bo given only the output of the function Notice tht we would not e le to simulte the view if ou potocol simply sked Alice nd Bo to evlute line 5 in Figue 5

9 Session C: Olivious RAM CCS 7, Octoe -Noveme, 7, Dlls, TX, USA (s s) Pg(Rng()) t s,t σ τ,τ s,t t' s,t' Bo σ,τ,,τ, z, z, z, z, z, z, σ z,α τ, Ls(z,) α τ, Ls(z,) α σ,τ,,τ, σ,τ,,τ, σ,γ τ,,τ, y,t y,t y,t y4,t4 y5,t5 y6,t6 y7,t7 y8,t8 σ,γ τ,τ s'',t' z, z, z z, s t σ Ls(s) t τ s'' s' t' γ s' σ,γ τ,τ z, z, z, z, z, z, σ z,α τ, Ls(z,) α τ, Ls(z,) α, σ τ,τ z, z, z, z, α,β s,t Secue Computtion s,t s' s t σ (s s) Pg(s') t' Ls(s) t τ s,t' Alice z, z, z, z, z, z, σ z,α τ, Ls(z,) α τ, Ls(z,) α γ z,α σ β z, z, σ,τ,,τ, z z,, σ,γ τ,,τ, y,t y,t y,t y4,t4 y5,t5 y6,t6 y7,t7 y8,t8 Figue 6: Digm of the modified Gen/Evl lgoithm used y the CPRG optimiztion Viles nd pocesses fo which Alice nd Bo s views e identicl e endeed in lck Viles nd pocesses fo which Alice nd Bo s views diffe e endeed in ed fo Alice nd lue fo Bo In this emple, n = 8, m =, nd α is thee-it nume with vlue 6 j,α j,α ℓ [, j ) Thus, seed s j cn lso e identified s node S j whee α j is the intege with the iny epesenttion α j α α Net, we oseve tht the FSS constuction guntees tht t j, ℓ j, ℓ ny level j, S = S fo ll ℓ, α (tht is, fo ll nodes ecept j,α j,α the one long the pth to lef α), nd S j, S j It follows tht ll of the PRG epnsions of the nodes t level j, ie, the uncoected childen t level j +, e equl ecept fo the two childen of the node long the pth to α Finlly, conside the sum of the PRG j, ℓ epnsions of Sp fo ℓ [, j ): Fom the ove, we hve: j, j, j, j, z z = s s j, j, j, j, z z = s s j,α j σ j = z j,α j z j, j, Thus, we instuct Alice nd Bo to loclly compute zp nd zp y ccumulting the XOR of ll left childen nd ll ight childen t ech level These two vlues e sumitted to secue computtion, which selects the coect sum using it α j, computes the net dvice wods (σ j, τ j,, τ j, ) nd etuns them to oth pties Both pties cn then pply these vlues (pe lines 9 in Figue ) to M j+, j+, j, ℓ zp zp = Pg Sp ℓ [, j ) 5

10 Session C: Olivious RAM CCS 7, Octoe -Noveme, 7, Dlls, TX, USA function Gen( λ, α = α m α α, β ): S,, S, $ {, } λ // pick ndom seeds t,, t, ndom o she of 4 fo j [, m]: 5 fo p {, }: // locl computtions {( 6 Sp j,l { ( S p j,l+ )}l [,j ) Pg S p j, l ( ) 7 zp j, l [, j ) S p j,l ( ) 8 zp j, l [, j ) S p j,l+ 9 σ j z j,α j τ j, Ls ( z j, τ j, Ls ( z j, z j,α j // o off-pth childen ) ( ) j, Ls z αj ) ( ) j, Ls z αj )} l [, j ) fo p {, }: // locl computtions { S p j, l }l [,j { } Sp j, l j, l/ tp σ j ) l [, j ) { 4 tp j, l }l [,j { ( ) } Ls Sp j, l j, l/ tp τ j,ls(l) ) l [, j ) 5 γ z m,αm z m,αm σ m β 6 k FSS ( S,, t,, {σ j, τ j,, τ j, } j [,m], γ ) 7 k FSS ( S,, t,, {σ j, τ j,, τ j, } j [,m], γ ) 8 etun k FSS, k FSS Figue 7: Pseudocode fo the Constnt PRG optimiztion pplied to the FSS Gen method This optimiztion is discussed in Section 5 genete the coected seeds fo ll nodes t the net level, nd then continue the pocess until level m Revised pseudocode is pesented in Figue 7 Although we model this function s etuning pi of key vlues (k FSS, k FSS ), note tht most components of ech pty s key e eveled to them ove the couse of the function, nd futhemoe, tht oth pties will hve hd to pefom most of the wok of evluting Evl(kp FSS, ) fo ll [, n] in ode to clculte (zp j,, zj, p ) Consequently, in pctice, the CPRG-optimized Gen lgoithm etuns only those key components tht hve not ledy een eveled, nd Alice nd Bo evlute Evl simultneously with the evlution of Gen This pocess is illustted in Figue 6 Secuity Anlysis Reltive to the oiginl Gen lgoithm, nothing dditionl is eveled to eithe pty, ie, the output of the CPRGoptimized Gen is ectly the sme, nd the view of ech pty cn e esily simulted with the finl key The only diffeence is tht the dvice stings included in the output key e eveled one y one In the honest-ut-cuious setting tht we conside hee, the dvesy hs no dditionl powe when eceiving outputs in this mnne Efficiency Anlysis The CPRG optimiztion equies no clls to the PRG function within the secue evlution of Gen, nd only two clls to the to unmsk the vlue etieved fom the OROM We still pefom O(log n) diffeencing nd dvice it genetion steps, ut these equie only hndful of gtes ech On the othe hnd, ou locl stge now equies eduction to e pefomed ove ll of the locks in ech lye of the FSS Evl lgoithm Consequently, this vint is significntly moe efficient fo smll nd medium sized memoies, whee secue computtion domintes totl untime, ut slightly less efficient fo memoies on the scle of gigytes, s shown y ou evlutions in Section 6 6 EVALUATION Epeimentl Setup We implemented nd enchmked Flom, using Oliv-C [5], C deivte tht compiles nd eecutes Yo s Gled Cicuits potocols [5] with mny potocol-level optimiztions [4, 5, 4, 8, 54] Additionlly, we mde use of Oliv-C-sed Sque-oot nd Cicuit ORAM implementtions tht wee povided y the oiginl uthos of those woks nd e identicl to the ones epoted on peviously y Zhu et l [55] We ceted two vints of ou ORAM, one using the sic constuction descied in Section 4, nd the othe using the CPRG method fom Section 5 Both vints hve optimized scheduling, s descied in the full vesion of this document [5] Ou concete implementtion uses 8 it lock size, this eing the lock size of AES-8, ou chosen PRG function Fo ORAMs with element sizes smlle thn 8 its, we pck multiple elements into single lock nd linely scn them Fo ORAMS with element sizes gete thn 8 its, we pefom n dditionl epnsion nd coection stge fte the lst lye of the FSS in ode to enlge the locks to the coect length Ou enchmks wee pefomed unde Uuntu 64 with Linu kenel it, unning on pi of identicl Amzon EC R44lge instnces All code ws compiled using gcc vesion 54, with the -O flg enled, OpenMP ws used to mnge multitheding nd SIMD opetions, nd locl AES computtions wee implemented using Intel s AES-NI instuctions Ech mchine hd GB of DDR4 memoy nd eight physicl coes ptitioned fom n Intel Xeon E5-686 v4 CPU clocked t GHz, ech coe eing cple of eecuting two theds We mesued the ndwidth etween ou two instnces to e oughly fou gigits pe second In ode to ensue tht the secue computtion would e ndwidthound, s we would epect it to e in el-wold conditions, we tificilly esticted the ndwidth to 5 megits pe second, using the linu tool tc Multitheding Ou two Flom implementtions mke etensive use of multitheding fo thei locl components, ut we hve not ttempted to multithed thei secue components, no hve we multitheded the othe ORAMs ginst which we mke compisons Multitheding secue computtion does not educe the totl communiction etween pties, nd thus in ndwidthound envionments povides no dvntge Neithe Sque-oot no Cicuit ORAM pefoms significnt locl computtion, nd so they cnnot enefit significntly fom locl pllelism 6 Full ORAM Micoenchmks Full Access We pefomed single-ccess micoenchmks fo Flom, s well s Flom with the CPRG optimiztion discussed in Section 5 Fo the pupose of compison, we lso pefomed enchmks fo the Sque-oot ORAM of Zhu et l [55], Cicuit 5

11 Session C: Olivious RAM CCS 7, Octoe -Noveme, 7, Dlls, TX, USA Nume of Elements Nume of Elements () Access Communiction Nume of Elements (c) Access Yo Gtes Communiction (ytes) Eecution Time (seconds) () Access Wll-clock Time Non-fee Gtes Communiction (ytes) Eecution Time (seconds) Nume of Elements (d) Initiliztion Wll-clock Time Flom 9 Flom CPRG 8 Cicuit ORAM 7 Sque-oot ORAM 6 Line Scn Nume of Elements (e) Initiliztion Communiction (f) Legend Figue 8: Micoenchmk Results Access figues e veges fom t lest smples; fo efeshing ORAMs, the smple count ws multiple of the efesh peiod Initiliztion figues e veges fom smples Fo ll enchmks, elements wee 4 ytes in size ORAM [4], nd line scn Fo ll ORAMs, we used n element sizes of 4 ytes Fo line scn, we vied the nume of ORAM elements etween 5 nd, nd fo Sque-oot ORAM, etween 5 nd In oth cses, this is f pst the nge in which those schemes e competitive Fo Cicuit ORAM, we pefomed enchmks with up to 4 4-yte elements, coesponding to 64 MiB of dt; eyond this the ORAM s physicl size ws so lge tht it could not e instntited on ou mchine We enchmked Flom with sizes up to 4-yte elements, coesponding to 6 GiB of dt; these wee the lgest instnces tht ou mchine could hndle We ecoded the wll-clock times fo oth pties, the nume of ytes tnsmitted, nd the nume of non-fee Yo gtes eecuted Ou esults e epoted in Figues 8, 8, nd 8c, espectively As we epected, the wll-clock time of ou scheme ehiits piecewise ehvio Up to oughly 5 4-yte elements, secue computtion (specificlly, the FSS Gen lgoithm) domintes the totl ccess time, nd thus the time gows with O (log n) noticely moe slowly thn ny othe ORAM In this egion, s epected, the CPRG optimiztion leds to significnt concete pefomnce gin, mounting to oughly fou-fold impovement Beyond 5 elements, locl computtion ecomes the dominnt fcto, nd thus the wll-clock time gows with O (n) nd the stndd FSS scheme ecomes moe efficient We estimte tht the ek-even point with Cicuit ORAM lies t elements Initiliztion We lso pefomed initiliztion enchmks Tht is, eginning with n y of dt, we evluted ech constuction s ntive mechnism fo impoting tht dt into fesh ORAM instnce As efoe, we vied the nume of elements fo line scn etween 5 nd, nd fo Sque-oot ORAM etween 5 nd Cicuit ORAM hs the slowest initiliztion pocess y sevel odes of mgnitude, nd so we enchmked only up to 4 elements, fte which continuing ws impcticl Both vints of Flom she the sme initiliztion pocedue, nd we tested instnces up to the lgest size tht ou mchines suppoted: 4-yte elements, o 6 GiB of dt in totl Results fo wll-clock time nd totl communiction e epoted in Figues 8d nd 8e espectively; gte counts e not epoted, s ou ORAM equies no gtes to initilize As we epected, ou ORAM hs cle symptotic dvntge ove othe schemes in tems of initiliztion Moeove, t elements, it hs -fold concete pefomnce dvntge ove Sque-oot ORAM, the fstest peviously known constuction in this espect In fct, in the contet of gled cicuits, ou constuction even initilizes somewht fste thn line scn, which equies only simple memcpy y ech pty Thus, so long s single ccess in ou scheme is fste thn single line scn, the efficiency ek-even point etween the two is ectly one ccess 5