CacheShuffle: A Family of Oblivious Shuffles

Sarvar Patel, Giuseppe Persiano, Kevin Yeo, Michael Wagner
2018 International Colloquium on Automata, Languages and Programming  
We consider oblivious two-party protocols where a client outsources N blocks of private data to a server. The client wishes to access the data to perform operations in such a way that the access pattern does not leak information about the data and the operations. In this context, we consider oblivious shuffling with a focus on bandwidth efficient protocols for clients with small local memory. In the shuffling problem, the N outsourced blocks, B_1, ..., B_N, are stored on the server according to an initial permutation π. The client wishes to reshuffle the blocks according to permutation σ. Oblivious shuffling is a building block in several applications that hide patterns of data access. In this paper, we introduce a generalization of the oblivious shuffling problem, the K-oblivious shuffling problem, and provide bandwidth efficient algorithms for a wide range of client storage requirements. The task of a K-oblivious shuffling algorithm is to shuffle N encrypted blocks that were previously randomly allocated on the server in such a way that an adversarial server learns nothing about either the new allocation of blocks or the block contents. The security guarantee must hold when an adversary has partial information on the initial placement of a subset of K ≤ N revealed blocks. The notion of oblivious shuffling is obtained for K = N. We first study the N-oblivious shuffling problem and start by presenting CacheShuffleRoot, that is tailored for clients with O(√N) blocks of memory and uses approximately 4N blocks of bandwidth. CacheShuffleRoot is a 4x improvement over the previous best known N-oblivious shuffle for practical sizes of N. We then generalize CacheShuffleRoot to CacheShuffle that can be instantiated for any client memory size S and requires O(N log_S N) blocks of bandwidth. Next, we present K-oblivious shuffling algorithms that require 2N + f(K, S) blocks of bandwidth for all K and a wide range of S. Any extra bandwidth above the 2N lower bound depends solely on K and S. Specifically, for clients with O(K) blocks of memory, we present KCacheShuffleBasic that uses exactly 2N blocks of bandwidth. For clients with memory S ≤ K, we present KCacheShuffle, that requires 2N + O(K log_S K) blocks of bandwidth. Finally, motivated by applications to ORAMs, we consider the case where the server stores D dummy blocks whose contents are irrelevant in addition to the N real blocks. For this case, we design algorithm KCacheShuffleDummy that shuffles N + D blocks with K revealed blocks using O(K) blocks of client storage and approximately D + 2N blocks of bandwidth.

ACM Subject Classification: Security and privacy → Management and querying of encrypted data; Security and privacy → Privacy-preserving protocols; Information systems → Data encryption
doi:10.4230/lipics.icalp.2018.161 dblp:conf/icalp/PatelPY18 fatcat:w6rwu7uyu5ht7nsmxynfquewoa