1

Oblivious Data Structures

Xiao Shaun Wang, Kartik Nayak, Chang Liu, T-H. Hubert Chan, Elaine Shi, Emil Stefanov, Yan Huang

2

• Emails• Photos• Videos• Financial data• Medical records• Genome data

……

Sensitive Data in the Cloud

Encrypt your data!

3

Genome data

Personalizedmedication

4

Genome data Kidney problem

5

Access patterns leak sensitive information

6

Oblivious RAM is a cryptographic primitive for provably obfuscating

access patterns to data.

Hierarchical ORAMs

[Goldreich’87]

[GO’96][KLO ’12]

Tree-based ORAM

[SCSL’11][Path

ORAM’13]

7

How do ORAMs obfuscate access patterns to data?

Intuition: 1. Move blocks around2. For every single access to memory block, access many blocks.

8

Path ORAM achieves O(log2 N) blowup for small blocks [SDSCFRYD’13]

N = 230 (1 Giga) c = 8

N: Number of memory blocks,c: constant for Path ORAM

c log2 N = 7200

Access about 7200 memory blocks per blocki. Schemes with better asymptotics [KLO’12]ii. Path ORAM with larger block size performs better

Can we do better for limited access

patterns?

Can we do better?

10

computeFrequency(arr[]):For each x in arr:

freq := mem[x]mem[x] := freq +

1

…

…

9

…

…

…

2

…

…

…

…

10

…

55

59

64

56

57

62

61

60

58

63

65

54

53

52Access Pattern Graph for a RAM

program10

55 59 60 85 59 55 64 67 55 61arr[]

Blowup: O(log2 N / log log N) [KLO’12]

mem[]

11

Some real world programs may have limited access patterns due to:1. Inherent structure in the data or2. Locality of accesses

Bounded-degree trees

Trees, Stack, Queue, Heap

Blowup: O(log N)

Access pattern graphs with low

doubling dimensions

Linked list, Deque, 2-dim Grid

Blowup: O(12d log2-

1/d N)d=1: O(log N)

d=2: O(log1.5 N)(d: doubling dim)ORAM: O(log2 N / log log N) [KLO’12]

13

Access Pattern Graph for a Stack

5

6

9

65

45

23

2

1

10

push(stack, value)value := pop(stack)

55

59

56

57

62

6160

58

54

53 3

14

search(x, root):while(true):

if x = root.datareturn root

else if x < root.data

root := root.left

else root := root.right

6

82

9741

Access Pattern Graph for a Binary Search Tree

For structures with tree-like access

patterns, we achieve a blowup of O(log N)

Oblivious RAM achieves O(log2N/log log N) [KLO’12]

16

Access Pattern Graph on a Grid-like Structure

After k accesses, the farthest you can go is k

hops away

Accesses show “locality”

For the grid structure, we

achieve a blowup of O(log1.5 N)

Oblivious RAM achieves O(log2N/log log N)

18

More Data Structures that Exhibit Locality

Linked List

Deque

For linked list and deque, we achieve

a blowup of O(log N)

For graphs with low doubling

dimensions, we achieve a blowup of

O(12d log2-1/d N)d: doubling dimension

Oblivious RAM achieves O(log2N/log log N)

Bounded degree trees

Pointer-based

technique

Access pattern graphs

with low doubling

dimensionsLocality-based

technique

How do we reduce the blowup?

Tree, Stack, Queue, Heap Linked list,

Deque, 2-dim Grid

Blowup: O(log N) Blowup: O(12d log2-1/d N)

Position-based ORAM

21

l

x

Position map

Server

Client

ORAM

l

Read(x, l)

ReadAndRemove()Add()

22

r

Position-based ORAM

r

x

Position map

Server

Client

Position tag of a block changes after every

accessORAM

Read(x, l)

Requires accessing O(log N) blocks per

access

23

O(1)

Recursion for Tree ORAM

Server

Client

Position based ORAM

. . .

. . . Position Map 1 - PM1 (size: N/c)Position Map 2

Position based ORAM for PM1

O (log N)If position map 1 had constant size memory, we do not need recursion. Hence, saving a factor of O(log N).

For a tree, we only need to store the position tag for the root.

24

Pointer-based Technique for Bounded Degree Trees

ID Data

Pos Position map for children

A B

R

Storing position tags of children nodes is

an added responsibility.

We use an O(log N) cache to solve this

problemC

25

A Bounded-degree Tree Operation

Read nodes with keys 5, 6, 7 and store them in cachePerform all modifications in cacheUpdate position tags for all nodesWrite backPad with dummy accesses

For bounded-degree trees, we achieve a blowup of O(log N).

We save O(log N) by avoiding recursion.

Parent nodes store position tags of children.

26

Locality-based Technique - Intuition

Key Idea: Path ORAM achieves O(log N) overhead for block size ≥ O(log2 N) bits

Can we leverage this to group smaller data nodes into larger blocks?

27

Locality-based TechniqueGroup smaller nodes to form a large blocke.g. log N = 25

Block size: O(log2 N) bits

Download block containing (0,0) and neighboring blocks (O(log3 N) bits)

Can be generalized for graphs with low doubling dimensions

1 ORAM block access = log0.5 N data node accesses of size O(log N)

Blowup = O(log1.5 N)

28

Oblivious Data Structure: Security

6

82

9741

insert(root, 10)delete(root, 7)search(root, 2)

Security requirement:1. Do not reveal operands2. Do not reveal the operation

performed

Oblivious RAM cannot be directly used.

29

Related WorkEfficient, Oblivious Data Structures for MPC [KS’14]Design oblivious priority queue

Secure Data Structures based on Multiparty Computation [T’11]Design oblivious priority queue but reveals the type of operation performed

Data-oblivious Data Structures [MZ’14]Design oblivious stack, queue and priority queue

30

Application – Oblivious Dynamic Memory AllocationDo not reveal:Amount of memory allocatedLocation

Use a segment treeEach operation requires accessing O(log3 N) bits

31

Evaluation – Data Structures – Oblivious map

Bandwidth blowup Client storage

Speedup: 16x for N=230

32

Evaluation – Data Structures - Deque

Bandwidth blowup

Speedup: 9x for N=230

33Data transferred for oblivious dynamic memory allocation

Encryptions for oblivious map on secure computation

Bandwidth blowup for random walk on a 2-dim grid

Data transmitted for oblivious map on SC

Speedup: 2x for N=230 Speedup: 9x for N=220

Speedup: 1000x for N=230 Speedup: 10x for N=230

34

ConclusionOblivious RAMs can provably hide data access patterns but have a high bandwidth blowupWe design oblivious data structures that reduce the bandwidth blowup for limited access patternsFor bounded-degree trees, we achieve a blowup of O(log N)For graphs with low doubling dimensions, we achieve a blowup of O(12d log2-1/d N)

35

Emil Stefanov (1987-2014)

http://www.rememberingemil.org

Open source implementation on a garbled

circuit backend

coming soon

Stack / Queue

Map (AVL tree)

Heap

Deque

Doubly linked list

Thank You!kartik@cs.umd.edu

http://www.oblivm.com/