Upload
debra-goodwin
View
218
Download
0
Embed Size (px)
Citation preview
1
Oblivious Data Structures
Xiao Shaun Wang, Kartik Nayak, Chang Liu, T-H. Hubert Chan, Elaine Shi, Emil Stefanov, Yan Huang
2
• Emails• Photos• Videos• Financial data• Medical records• Genome data
……
Sensitive Data in the Cloud
Encrypt your data!
6
Oblivious RAM is a cryptographic primitive for provably obfuscating
access patterns to data.
Hierarchical ORAMs
[Goldreich’87]
[GO’96][KLO ’12]
Tree-based ORAM
[SCSL’11][Path
ORAM’13]
7
How do ORAMs obfuscate access patterns to data?
Intuition: 1. Move blocks around2. For every single access to memory block, access many blocks.
8
Path ORAM achieves O(log2 N) blowup for small blocks [SDSCFRYD’13]
N = 230 (1 Giga) c = 8
N: Number of memory blocks,c: constant for Path ORAM
c log2 N = 7200
Access about 7200 memory blocks per blocki. Schemes with better asymptotics [KLO’12]ii. Path ORAM with larger block size performs better
10
computeFrequency(arr[]):For each x in arr:
freq := mem[x]mem[x] := freq +
1
…
…
9
…
…
…
2
…
…
…
…
10
…
55
59
64
56
57
62
61
60
58
63
65
54
53
52Access Pattern Graph for a RAM
program10
55 59 60 85 59 55 64 67 55 61arr[]
Blowup: O(log2 N / log log N) [KLO’12]
mem[]
11
Some real world programs may have limited access patterns due to:1. Inherent structure in the data or2. Locality of accesses
Bounded-degree trees
Trees, Stack, Queue, Heap
Blowup: O(log N)
Access pattern graphs with low
doubling dimensions
Linked list, Deque, 2-dim Grid
Blowup: O(12d log2-
1/d N)d=1: O(log N)
d=2: O(log1.5 N)(d: doubling dim)ORAM: O(log2 N / log log N) [KLO’12]
13
Access Pattern Graph for a Stack
5
6
9
65
45
23
2
1
10
push(stack, value)value := pop(stack)
55
59
56
57
62
6160
58
54
53 3
14
search(x, root):while(true):
if x = root.datareturn root
else if x < root.data
root := root.left
else root := root.right
6
82
9741
Access Pattern Graph for a Binary Search Tree
For structures with tree-like access
patterns, we achieve a blowup of O(log N)
Oblivious RAM achieves O(log2N/log log N) [KLO’12]
16
Access Pattern Graph on a Grid-like Structure
After k accesses, the farthest you can go is k
hops away
Accesses show “locality”
For the grid structure, we
achieve a blowup of O(log1.5 N)
Oblivious RAM achieves O(log2N/log log N)
For linked list and deque, we achieve
a blowup of O(log N)
For graphs with low doubling
dimensions, we achieve a blowup of
O(12d log2-1/d N)d: doubling dimension
Oblivious RAM achieves O(log2N/log log N)
Bounded degree trees
Pointer-based
technique
Access pattern graphs
with low doubling
dimensionsLocality-based
technique
How do we reduce the blowup?
Tree, Stack, Queue, Heap Linked list,
Deque, 2-dim Grid
Blowup: O(log N) Blowup: O(12d log2-1/d N)
22
r
Position-based ORAM
r
x
Position map
Server
Client
Position tag of a block changes after every
accessORAM
Read(x, l)
Requires accessing O(log N) blocks per
access
23
O(1)
Recursion for Tree ORAM
Server
Client
Position based ORAM
. . .
. . . Position Map 1 - PM1 (size: N/c)Position Map 2
Position based ORAM for PM1
O (log N)If position map 1 had constant size memory, we do not need recursion. Hence, saving a factor of O(log N).
For a tree, we only need to store the position tag for the root.
24
Pointer-based Technique for Bounded Degree Trees
ID Data
Pos Position map for children
A B
R
Storing position tags of children nodes is
an added responsibility.
We use an O(log N) cache to solve this
problemC
25
A Bounded-degree Tree Operation
Read nodes with keys 5, 6, 7 and store them in cachePerform all modifications in cacheUpdate position tags for all nodesWrite backPad with dummy accesses
For bounded-degree trees, we achieve a blowup of O(log N).
We save O(log N) by avoiding recursion.
Parent nodes store position tags of children.
26
Locality-based Technique - Intuition
Key Idea: Path ORAM achieves O(log N) overhead for block size ≥ O(log2 N) bits
Can we leverage this to group smaller data nodes into larger blocks?
27
Locality-based TechniqueGroup smaller nodes to form a large blocke.g. log N = 25
Block size: O(log2 N) bits
Download block containing (0,0) and neighboring blocks (O(log3 N) bits)
Can be generalized for graphs with low doubling dimensions
1 ORAM block access = log0.5 N data node accesses of size O(log N)
Blowup = O(log1.5 N)
28
Oblivious Data Structure: Security
6
82
9741
insert(root, 10)delete(root, 7)search(root, 2)
Security requirement:1. Do not reveal operands2. Do not reveal the operation
performed
Oblivious RAM cannot be directly used.
29
Related WorkEfficient, Oblivious Data Structures for MPC [KS’14]Design oblivious priority queue
Secure Data Structures based on Multiparty Computation [T’11]Design oblivious priority queue but reveals the type of operation performed
Data-oblivious Data Structures [MZ’14]Design oblivious stack, queue and priority queue
30
Application – Oblivious Dynamic Memory AllocationDo not reveal:Amount of memory allocatedLocation
Use a segment treeEach operation requires accessing O(log3 N) bits
31
Evaluation – Data Structures – Oblivious map
Bandwidth blowup Client storage
Speedup: 16x for N=230
33Data transferred for oblivious dynamic memory allocation
Encryptions for oblivious map on secure computation
Bandwidth blowup for random walk on a 2-dim grid
Data transmitted for oblivious map on SC
Speedup: 2x for N=230 Speedup: 9x for N=220
Speedup: 1000x for N=230 Speedup: 10x for N=230
34
ConclusionOblivious RAMs can provably hide data access patterns but have a high bandwidth blowupWe design oblivious data structures that reduce the bandwidth blowup for limited access patternsFor bounded-degree trees, we achieve a blowup of O(log N)For graphs with low doubling dimensions, we achieve a blowup of O(12d log2-1/d N)
Open source implementation on a garbled
circuit backend
coming soon
Stack / Queue
Map (AVL tree)
Heap
Deque
Doubly linked list
Thank [email protected]
http://www.oblivm.com/