180 likes | 280 Views
CS7380: Privacy Aware Computing. Oblivious RAM. Motivation. Starting from software protection Prevent from software piracy A valid method is using hardware key to protect the validity of the software; hardware key cannot be duplicated
E N D
CS7380: Privacy Aware Computing Oblivious RAM
Motivation • Starting from software protection • Prevent from software piracy • A valid method is using hardware key to protect the validity of the software; hardware key cannot be duplicated • Still the memory access between the HW and SW components can leak information • Attacker can deceive or skip the checking with the HW component
Oblivious RAM definition • How to protect from observing memory access pattern? • Memory access is probabilistic • The probabilistic distribution is independent of the input
First solution: the square-root algorithm • For each accesses, randomly permute the first m+ memory • For accessing a word, check the sheltered words first. If it is there, we • access one of the dummy words • 2. If it is not there, find the permuted location (i). • t steps of original RAM access can be simulated with t+sqrt(m) steps ORAM
Key operation • Oblivious random permutation • Random mapping f: {1,2,..,n} -> {1,2,..,nlogn}, so that (i)=k if f(i) is the k-smallest in f(1)..f(n) • Using Batcher’s Sorting Network to sort permuted tags f(i) – the sequence of access if fixed, independent of input • binary search over the sorted tags f(i) to find (i)
Cost analysis • Per access cost :
The hierarchical algorithm • Each memory cell is modeled as (Vi, Xi) • Vi is the location, Xi is the value • Basic idea • Consider the shelter memory as a buffer; extend it to multiple levels of buffers • Use oblivious hash function
Setting • each level i has 4i buckets • Each bucket has log t items, where t is the total number of accesses by the current program • Total number of levels N = 1+ ceil(log4 t) • Each level has a randomly selected hash function
Initially • Load program to the N level, which has 4t buckets • For each level • If (V, X) is already found, randomly pick a bucket to access • Otherwise, check the bucket h_i(V) • Put (V, X) to the 1st level (may cause overflowing to the lower levels). • If the first i levels are full, move all 1 to i levels to i+1 levels and empty the first i levels
Reading • Check the bucket h_i(V) from each level i • Only one real match • Remaining are dummy entries dummy real dummy dummy dummy dummy Client Server
Writing • Chose a new hash for level i+1, • Shuffle consecutively filled levels. • Write into next unfilled level. • Clear the source levels Server (after) Client Server (before) shuffle values
Cost analysis • time cost: • Each level cost O(log t), total log t levels • Cost per access: O((log t)2) • Hashing cost: O(t(log t)3) • Storage cost (t log t)
Improved schemes • Paper: oblivious ram revisited • Improvement • Storage O(n) • Time O((log n)2) • In context of cloud computing • Key idea • Using Cuckoo hashing • Mapping n items to 2(1+e)n bins and at most a signle item is mapped into a bin • Reduce storage to O(n) • Randomized shell sort
Williams and Sion solution • Usable PIR. In NDSS, 2008. • Use O(sqrt(n)) secure client side memory and oblivious merge sort to improve the performance to O((log n)2) • Building castles out of mud: Practical access pattern privacy and correctness on untrusted storage. In ACM CCS,2008 • Use Bloom Filter to further improve the performance to O(logn*loglog n)
A number of methods Pinkas and Reinman
Remaining challenges • Storage cost • Reshuffling • Client-server interactions
Most recent development • http://www.emilstefanov.net/Research/ObliviousRam/ • Oblivious storage