TY - GEN
T1 - Asymptotically tight bounds for composing ORAM with PIR
AU - Abraham, Ittai
AU - Fletcher, Christopher W.
AU - Nayak, Kartik
AU - Pinkas, Benny
AU - Ren, Ling
N1 - Publisher Copyright: © International Association for Cryptologic Research 2017.
PY - 2017
Y1 - 2017
N2 - Oblivious RAM (ORAM) is a cryptographic primitive that allows a trusted client to outsource storage to an untrusted server while hiding the client’s memory access patterns to the server. The last three decades of research on ORAMs have reduced the bandwidth blowup of ORAM schemes from O(√N) to O(1). However, all schemes that achieve a bandwidth blowup smaller than O(logN) use expensive computations such as homomorphic encryptions. In this paper, we achieve a sub-logarithmic bandwidth blowup of O(logd N) (where d is a free parameter) without using expensive computation. We do so by using a d-ary tree and a two server private information retrieval (PIR) protocol based on inexpensive XOR operations at the servers. We also show a Ω(logcD N) lower bound on bandwidth blowup in the modified model involving PIR operations. Here, c is the number of blocks stored by the client and D is the number blocks on which PIR operations are performed. Our construction matches this lower bound implying that the lower bound is tight for certain parameter ranges. Finally, we show that C-ORAM (CCS 15) and CHf-ORAM violate the lower bound. Combined with concrete attacks on C-ORAM/CHf-ORAM, we claim that there exist security flaws in these constructions.
AB - Oblivious RAM (ORAM) is a cryptographic primitive that allows a trusted client to outsource storage to an untrusted server while hiding the client’s memory access patterns to the server. The last three decades of research on ORAMs have reduced the bandwidth blowup of ORAM schemes from O(√N) to O(1). However, all schemes that achieve a bandwidth blowup smaller than O(logN) use expensive computations such as homomorphic encryptions. In this paper, we achieve a sub-logarithmic bandwidth blowup of O(logd N) (where d is a free parameter) without using expensive computation. We do so by using a d-ary tree and a two server private information retrieval (PIR) protocol based on inexpensive XOR operations at the servers. We also show a Ω(logcD N) lower bound on bandwidth blowup in the modified model involving PIR operations. Here, c is the number of blocks stored by the client and D is the number blocks on which PIR operations are performed. Our construction matches this lower bound implying that the lower bound is tight for certain parameter ranges. Finally, we show that C-ORAM (CCS 15) and CHf-ORAM violate the lower bound. Combined with concrete attacks on C-ORAM/CHf-ORAM, we claim that there exist security flaws in these constructions.
UR - http://www.scopus.com/inward/record.url?scp=85014479389&partnerID=8YFLogxK
U2 - https://doi.org/10.1007/978-3-662-54365-8_5
DO - https://doi.org/10.1007/978-3-662-54365-8_5
M3 - منشور من مؤتمر
SN - 9783662543641
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 91
EP - 120
BT - Public-Key Cryptography – PKC 2017 - 20th IACR International Conference on Practice and Theory in Public-Key Cryptography, Proceedings
A2 - Fehr, Serge
PB - Springer Verlag
T2 - 20th IACR International Conference on Practice and Theory of Public-Key Cryptography, PKC 2017
Y2 - 28 March 2017 through 31 March 2017
ER -