Asymptotically Tight Bounds for Composing ORAM with PIR [chapter]

Ittai Abraham, Christopher W. Fletcher, Kartik Nayak, Benny Pinkas, Ling Ren
2017 Lecture Notes in Computer Science  
Oblivious RAM (ORAM) is a cryptographic primitive that allows a trusted client to outsource storage to an untrusted server while hiding the client's memory access patterns from the server. The last three decades of research on ORAMs have reduced the bandwidth blowup of ORAM schemes from O(√N) to O(1). However, all schemes that achieve a bandwidth blowup smaller than O(log N) use expensive computations such as homomorphic encryption. In this paper, we achieve a sub-logarithmic bandwidth blowup of O(log_d N) (where d is a free parameter) without using expensive computation. We do so by using a d-ary tree and a two-server private information retrieval (PIR) protocol based on inexpensive XOR operations at the servers. We also show an Ω(log_{cD} N) lower bound on bandwidth blowup in the modified model involving PIR operations. Here, c is the number of blocks stored by the client and D is the number of blocks on which PIR operations are performed. Our construction matches this lower bound, implying that the lower bound is tight for certain parameter ranges. Finally, we show that C-ORAM (CCS'15) and CHf-ORAM violate the lower bound. Combined with concrete attacks on C-ORAM/CHf-ORAM, we claim that there exist security flaws in these constructions.

Oblivious RAM is a cryptographic primitive that allows a client to privately outsource storage to an untrusted server without revealing any information about its data accesses, i.e., the server learns nothing about the data or the sequence of addresses accessed. It was first proposed by Goldreich and Ostrovsky [22, 23]. Since the initial theoretical work three decades ago, there has been a lot of effort to improve ORAMs either as a stand-alone primitive [2, 9, 12, 19, 24, 25, 27, 37, 39, 40, 42, 44, 48, 51, 53, 58] or for applications including secure outsourced storage [3, 33, 41, 49, 50, 59], secure processors [15-17, 36, 43, 45, 46] and secure multi-party computation [20, 34, 35, 54, 55, 60]. The standard ORAM model assumes the server to be a simple storage device that only supports read and write operations. In this model, numerous works have improved the bandwidth blowup (or bandwidth overhead, the amount of communication between the client and the server relative to an insecure scenario that does not protect access patterns) from O(log^3 N) to O(log N), where N is the number of logical data blocks. But none could achieve sub-logarithmic bandwidth blowup so far.

In this sense, though not provably insurmountable [5], the Ω(log N) bandwidth blowup barrier does seem hard to surpass. To this end, a line of work deviates from the standard model and assumes the existence of two non-colluding servers [34, 41, 49] with inexpensive server computation (e.g., XOR) or no server computation. But these constructions have been unable to surpass the Ω(log N) bandwidth blowup barrier. Another line of work allows the server to perform some computation. The most recent works involving server computation achieved O(1) bandwidth blowup [2, 12, 39, 40]. But this improvement in bandwidth comes with a huge cost in the amount of server computation. In both Apon et al. [2] and Devadas et al. [12], the server runs the ORAM algorithm using homomorphic encryption (fully homomorphic and additively homomorphic, respectively) with little client intervention. In practice, in both schemes, the time for server computation will far exceed the time for server-client communication and become the new bottleneck. Thus, the state of the art leaves the following natural question: Can we construct a sub-logarithmic ORAM without expensive computation? A recent construction called CHf-ORAM [39] claims to have solved the above challenge by combining ORAM with private information retrieval (PIR). Using four non-colluding servers, CHf-ORAM claims to achieve O(1) bandwidth blowup using simple XOR-based PIR protocols. However, we realized that there exist security flaws in CHf-ORAM and its predecessor C-ORAM [40]. We give two concrete attacks on a slight variant of C-ORAM, highlighting some subtleties that the current C-ORAM proof does not capture. Private information retrieval (PIR) and Oblivious RAM (ORAM) are two closely related concepts, and they both hide access patterns. In fact, PIR is frequently applied to ORAM constructions to improve bandwidth blowup [37, 39, 40, 41, 61].

This led us to ask the following question: What is the asymptotically optimal bandwidth blowup one can achieve by using PIR in an ORAM construction? In order to answer this question, we build on the seminal work of Goldreich and Ostrovsky [23] and derive an Ω(log_{cD} N) bandwidth lower bound for ORAMs that leverage only PIR and PIR-write on top of the traditional model. Here, c is the number of blocks stored by the client and D is the number of blocks on which PIR/PIR-write operations are performed. C-ORAM and CHf-ORAM violate this lower bound, and thus cannot be secure. Given the insecurity of C-ORAM and CHf-ORAM, the former question remains open. We then positively answer the former question with a concrete and provably secure construction. Our construction relies on a d-ary ORAM tree and a private information retrieval (PIR) protocol involving two non-colluding servers,
doi:10.1007/978-3-662-54365-8_5 fatcat:adzojsnhwnan3dlwu57zdyxzoq