RevisitingSquareRootORAM
EfficientRandomAccessinMulti-PartyComputation
SameeZahur
JackDoerner
DavidEvans
XiaoWang
JonathanKatz
MarianaRaykova
oblivc.org/sqoram
Adrià Gascón
Securemulti-partycomputationapplications
Setintersection
[FNP04]
Iriscodematching
[LCPLB12]
Matrixfactorizationfor
recommendations
[NIWJTB13]
Mediancomputation
[AMP04]
Linearridge-regression
[NWIJBT13]
RandomAccess
Hidingaccesspattern
Linearscan
ObliviousRAM
Accesseveryelement
Continuallyshuffleelementsaround
Per-accesscost:Θ 𝑛
Per-accesscost:Θ(log ' 𝑛)
Linearscan
Figurefrom:Wang,Chan,Shi.CircuitOram.CCS’15
(our work)
6
Approach:revisitoldschemes
Classic“squareroot”schemeby
Goldreich andOstrovsky (1996).
ConsideredslowforMPCbecause
ofper-accesshashevaluation.
Per-accessamortizedcost:Θ
𝑛 log 𝑛
Four-elementORAM
LargerSizes
4-BlockORAM
Cost:5𝐵 +𝐵 +2𝐵 +3𝐵
+…
=11𝐵 every3accesses
Comparison
Linearscan
Cost:4𝐵 =12𝐵/3
Ourscheme
Cost:11𝐵/3
Four-elementORAM
LargerSizes
Positionmap
0
1
2
3
0
1
2
3
3
0
2
1
1
3
0
2
Creatingpositionmap
Creatingpositionmap
Inversepermutation
𝑝
𝜋C ⋅ 𝑝
𝜋C
𝜋F = 𝜋C ⋅ 𝑝
Inversepermutation
𝜋C
𝜋F
𝜋F = 𝜋C ⋅ 𝑝
𝜋C
𝜋FLM ⋅ 𝜋C
𝑝LM ⋅ 𝜋CLM ⋅
LM
=
=𝑝
𝜋C
Bobcomputes
𝜋FLM = 𝑝LM ⋅ 𝜋CLM
Rinseandrepeat
1. Shuffleelements
2. Recreatepositionmap
3. Service𝑇 =
𝑛 log 𝑛accesses
Accesstime
Initializationcost
Benchmarks
Linearscan
Circuit
ORAM
Square-root
ORAM
Task
Parameters
Binarysearch
210 searches
215 elements
1020s
5041s
825s
Breadth-first
search
210 vertices
213 edges
4570s
3750s
680s
Stablematching
29 pairs
scrypt hashing
N =214
≈7days
189000s
2850s
119000s
1920s
Conclusion
Werevisitedawell-knownschemeanduseditto
• Lowerinitializationcost
• Improvebreakevenpoint
Showsthatasymptoticcostsarenotthefinalword,concretecosts
requiremoreconsideration.
Download
oblivc.org/sqoram
Contactforhelp:
SameeZahur <[email protected]>