ORAM

Oblivious RAM (ORAM)
A. Satapathy1 C. Soni2
1,2Information and Communication Laboratory
Industrial Technology Research Institute
Taiwan
Under the guidance of Dr. Tzi-cker Chiueh
2017, July 24th
A. Satapathy, C. Soni Oblivious RAM (ORAM) 2017, July 24th
1 / 136

Outline
1 Introduction
Overview
Hide Access Pattern
Goals and Actions
Oblivious RAM
Cuckoo Hashing
2 Types of ORAM
Optimal ORAM
Trivial ORAM
Goldreich’s ”Square Root” ORAM
Ostrovsky’s ”Hierarchical” ORAM
Binary ORAM
Path ORAM
Circuit ORAM
3 Summary
4 References
2 / 136

Outline
1 Introduction
Overview
Hide Access Pattern
Goals and Actions
Oblivious RAM
Cuckoo Hashing
2 Types of ORAM
Optimal ORAM
Trivial ORAM
Binary ORAM
Path ORAM
Circuit ORAM
3 Summary
4 References
3 / 136

Overview
Client with small secure memory. Untrusted server with large storage.
Suppose capacity of server is ’n’ data items. Client requires log(n)
bits counter and O(1) memory to access and process these.
Figure 1.1: Client server architecture
4 / 136

Overview
Therefore,
Conﬁdentiality: Client encrypts data to hide its contents.
Integrity: Message Authentication Code (MAC) is computed to
prevent server from changing it.
Privacy: Hide access pattern to prevent leakage of sensitive
information about data.
5 / 136

Outline
1 Introduction
Overview
Hide Access Pattern
Goals and Actions
Oblivious RAM
Cuckoo Hashing
2 Types of ORAM
Optimal ORAM
Trivial ORAM
Binary ORAM
Path ORAM
Circuit ORAM
3 Summary
4 References
6 / 136

Hide Access Pattern
Even if data are encrypted and hashed, accessing the primary storage can
also reveal secret information. Here’s an example.
Figure 1.2: Genome data in server memory
7 / 136

Hide Access Pattern
1: function GENOME(int a, array M)
2: return M[a] Read an element of M
3: end function
Algorithm 1: Read a speciﬁc location from GNOME
1: function GENOME(int a, array M)
2: M[a] = #num Re-Write an element of M
3: return M[a]
4: end function
Algorithm 2: Update GNOME sequence
8 / 136

Hide Access Pattern
Allele/ single-nucleotide polymorphisms (SNP) which leads to cancer.
Allele/ SNP is located at specific location on the genome. Brown
blocks are allele/ SNP in figure 1.2.
Client wants to know he/ she has cancer or not, it leads to access
specific memory locations on server.
Admin/ observer can infer that client was concerned about cancer.
Even if data are encrypted, accessing the storage can also reveal
sensitive information.
9 / 136

Outline
1 Introduction
Overview
Hide Access Pattern
Goals and Actions
Oblivious RAM
Cuckoo Hashing
2 Types of ORAM
Optimal ORAM
Trivial ORAM
Binary ORAM
Path ORAM
Circuit ORAM
3 Summary
4 References
10 / 136

Goals and Actions
Goals:
Server has no idea of client’s access data items.
The location of data item must be independent of its index.
Any two sequence of operations y, y‘ of equal length, access patterns
of y and y‘ are computationally indistinguishable. i.e. A(y) = A(y‘).
Suppose y = (read2, write20, write7, read100) and y‘ = (write10,
read3, read40, read30). Both are operationally indistinguishable.
readi = read from location ’i’. writej = write to location ’j’
11 / 136

Goals and Actions
Actions:
Stores ’N’ data items of equal size, of the form (indexi|| datai) on
server.
Data must be encrypted with secure probabilistic encryption scheme.
Each access to the remote storage must include a read and a write.
i.e. readi or writei will be replaced by read(s) + write(s).
Two consecutive access to indexi, must not be the same location.
12 / 136

Goals and Actions
Figure 1.3: Oblivious read operation
13 / 136

Goals and Actions
Figure 1.4: Oblivious write operation
14 / 136

Outline
1 Introduction
Overview
Hide Access Pattern
Goals and Actions
Oblivious RAM
Cuckoo Hashing
2 Types of ORAM
Optimal ORAM
Trivial ORAM
Binary ORAM
Path ORAM
Circuit ORAM
3 Summary
4 References
15 / 136

Oblivious RAM
An Oblivious RAM (ORAM) is an emulator, located at client side,
used to hide access pattern .
ORAM will issue operations, those deviate from actual client requests.
Server cannot distinguish between two clients with same running time.
Figure 1.5: Black box of ORAM operations
16 / 136

Outline
1 Introduction
Overview
Hide Access Pattern
Goals and Actions
Oblivious RAM
Cuckoo Hashing
2 Types of ORAM
Optimal ORAM
Trivial ORAM
Binary ORAM
Path ORAM
Circuit ORAM
3 Summary
4 References
17 / 136

Cuckoo Hashing
Cuckoo hashing is one of the hash function, plays a huge role in some
of the ORAM construction.
It uses the idea of multiple choice and relocation together. It
guarantees O(1) worst case look up.
Multiple choice gives a key / index two choices h1(key) and h2(key)
for residing.
Rellocation allows elements in hash table to move after being placed.
18 / 136

Cuckoo Hashing
EXAMPLE
Table 1.1: Data and its corresponding indices.
index 20 50 53 75 100 67 105 3 36 39
value 30 70 65 102 47 23 87 91 55 70
Hash function:
h1(index) = index % 11
h2(index) = (index / 11) % 11
Table 1.2: Indices and its corresponding hash values.
index 20 50 53 75 100 67 105 3 36 39
h1(index) 9 6 9 9 1 1 6 3 3 6
h2(index) 1 4 4 6 9 6 9 0 3 3
19 / 136

Cuckoo Hashing
→ 20, h1(20) = 9
Table 1.3: Cuckoo hash table after insertion 20.
Table[1] 20
Table[2]
→ 50, h1(50) = 6
Table[1] 50 20
Table[2]
20 / 136

Cuckoo Hashing
→ 53, h1(53) = 9, but 20 at 9. So, h2(20) = 1.
Table[1] 50 53
Table[2] 20
→ 75, h1(75) = 9, h2(53) = 4
Table[1] 50 75
Table[2] 20 53
21 / 136

Cuckoo Hashing
→ 100, h1(100) = 1.
Table[1] 100 50 75
Table[2] 20 53
→ 67, h1(67) = 1, h2(100) = 9.
Table[1] 67 50 75
Table[2] 20 53 100
22 / 136

Cuckoo Hashing
→ 105, h1(105) = 6, h2(50) = 4, h1(53) = 9, h2(75) = 6.
Table[1] 67 105 53
Table[2] 20 50 75 100
→ 3, h1(3) = 3.
Table[1] 67 3 105 53
Table[2] 20 50 75 100
23 / 136

Cuckoo Hashing
→ 36, h1(36) = 3, h2(3) = 0.
Table[1] 67 36 105 53
Table[2] 3 20 50 75 100
→ 39, h1(36) = 6, h2(105) = 9, h1(100) = 1, h2(67) = 6, h1(75) = 9,
h2(53) = 4, h1(50) = 6, h2(39) = 3.
Table[1] 100 36 50 75
Table[2] 3 20 39 53 67 105
24 / 136

Cuckoo Hashing
Table 1.13: Final hash table
Table[1] 100 36 50 75
Table[2] 3 20 39 53 67 105
Time complexity; Insertion - O(1). Deletion - O(1).
If collision occurs using two exist hash functions, new hash functions
are selected. Continue the cycle, until all data are placed
25 / 136

Outline
1 Introduction
Overview
Hide Access Pattern
Goals and Actions
Oblivious RAM
Cuckoo Hashing
2 Types of ORAM
Optimal ORAM
Trivial ORAM
Binary ORAM
Path ORAM
Circuit ORAM
3 Summary
4 References
26 / 136

Optimal ORAM
Optimal ORAM is the theoritical assumption of best ORAM.
It not only provides least operation cost overhead but also reduces
client’s memory and storage to constant.
O(log2N) worst-case cost overhead per operation.
O(1) client storage between operations.
O(1) client memory usage during operations.
Researchers have proposed diﬀerent type of ORAMs to come closer to
above constraints.
These will be discussed from the next section onwards.
27 / 136

Outline
1 Introduction
Overview
Hide Access Pattern
Goals and Actions
Oblivious RAM
Cuckoo Hashing
2 Types of ORAM
Optimal ORAM
Trivial ORAM
Binary ORAM
Path ORAM
Circuit ORAM
3 Summary
4 References
28 / 136

Trivial ORAM
There are Two type of Trivial ORAMs.
Type 1: During First access to server, store everything in ORAM
cache. Simulate with no calls to server. After last operation, store
everything back.
Type 2: Store data on server memory, but scan entire memory on
every operation.
Complexity
Type 1 ORAM: O(N) client storage. O(1) cost per operation.
(During ﬁrst operation, ’N’ data transmission. After ﬁnal operation, ’N’ data
transmission. Amortized cost = (N + N)/ N = 2 = O(1))
Type 2 ORAM: O(1) client memory. O(N) cost per operation.
(O(N) cost for single operation. For N operations = O(N2
). Amortized cost =
O(N2
) / N = O(N)
29 / 136

Trivial ORAM
Type 1
Figure 2.1: Type 1 Trivial ORAM
30 / 136

Trivial ORAM
Type 1
Figure 2.2: Type 1 Trivial ORAM read and write operation.
31 / 136

Trivial ORAM
Type 1
Figure 2.3: Type 1 Trivial ORAM after ﬁnal operation.
32 / 136

Trivial ORAM
Type 2
Figure 2.4: Type 2 Trivial ORAM write operation
33 / 136

Trivial ORAM
Type 2
Figure 2.5: Type 2 Trivial ORAM read operation
34 / 136

Outline
1 Introduction
Overview
Hide Access Pattern
Goals and Actions
Oblivious RAM
Cuckoo Hashing
2 Types of ORAM
Optimal ORAM
Trivial ORAM
Binary ORAM
Path ORAM
Circuit ORAM
3 Summary
4 References
35 / 136

Goldreich’s square root ORAM requires
Server storage N + 2C words
Client storage O(1) [Constant data words]
’N’ actual data words, ’C’ dummy words and ’C’ sheltered words
Figure 2.6: server storage structure in square root ORAM
36 / 136

Generally, in Goldreich’s square root ORAM, C = N0.5
Server storage N + 2N0.5 words
Client storage O(1) [Constant data words]
’N’ actual data words, ’N0.5’ dummy words and ’N0.5’ sheltered words
Figure 2.7: server storage structure in square root ORAM
37 / 136

Algorithm
Initialization: Pick a Pseudo Random Permutation (PRP) Π1.
Use it to shuffle N data words with N0.5 dummy words. Empty shelter.
step 1: Scan the server shelter for data.
step 2: If data is not in server shelter, read from main memory.(Miss)
step 3: If data is in server shelter, read next dummy word. (Hit)
step 4: Write data into server shelter.
(If Miss, write actual data. If Hit, write dummy word to shelter)
step 5: After N0.5 operations, reshuffle with new PRP (Π2) and flush
server shelter.
step 6: Repeat step 1 to step 5 until all the operations over.
38 / 136

Note
In case a Hit,
full shelter scan i.e read and write. Cost = 2N0.5
.
Read and write a dummy. Cost = 2.
Total cost = 2N0.5
+ 2
In case a Miss,
full shelter scan i.e read and write. Cost = 2N0.5
.
Read actual data from memory and write to shelter. Cost = 2.
Total cost = 2N0.5
+ 2
39 / 136

Figure 2.8: server storage structure.
Figure 2.9: server permuted memory using square root ORAM
40 / 136

Select a permutation ’Π1’ over the words 1,...., N + N0.5.
Relocate the words according to the permutation ’Π1’.
For element ’i’, scan through the entire shelter in a predeﬁned order.
If ’not found’ in the shelter, go to the actual word Π1(i).
If element ’i’ found in the shelter, access the next dummy Π1(N + j).
After N0.5 I/O operations, shelter becomes full.
Free server shelter by updating the content of the permuted memory.
41 / 136

Updation
Select new permutation ’Π2’ to sort N + 2N0.5 elements based on
Π2(i).
Sorting makes old and new values of elements come together.
Remove old values, make elements to be restricted in 1,..., N + N0.5.
Updation made shelter empty and usable for next N0.5 operations.
42 / 136

Figure 2.10: Shuﬄed server memory in square root ORAM
Figure 2.11: Updated server memory after shuﬄing
43 / 136

Shuﬄing
For each comparision, read both positions and rewrite them, either
swapping the data or not (depending Π(i) > Π(j))
For obliviousness, sorting doesn’t depend on sequence of inputs.
Some of the oblivious sorting algorithms are given below.
Bubble Sort. T(N) = O(N2
)
Sorting Networks
Batcher Network. T(N) = O(Nlog2
2
N)
AKS Network. T(N) = O(Nlog2N)
Quick sort is not an oblivious sorting algorithm, as selection of pivot
in each iteration depends on sequence of inputs.
44 / 136

Batcher Sorting Network
Figure 2.12: Batcher sorting network for four inputs.
Networks are designed to perform sorting on ﬁxed numbers of values.
The independence of comparision sequences is useful for parallel
execution and hardware implementation.
45 / 136

Batcher Sorting Network (Cont...)
Figure 2.13: Example of 4 inputs Batcher sorting network.
46 / 136

”Square Root” ORAM Complexity Analysis
1 In case a Hit or a Miss, cost is 2N0.5 + 2.
2 After N0.5 operations, cost will be N0.5 (2N0.5 + 2) = 2N + 2N0.5.
3 Sorting N + 2N0.5 words using Batcher network, total cost is (N +
2N0.5)log2
2(N + 2N0.5.)
4 Total cost, after N0.5 is (2N + 2N0.5 + (N + 2N0.5)log2
2(N +
2N0.5)) = O(N + Nlog2
2N).
5 Amortized cost is O(N + Nlog2
2N) / N0.5 = O(N0.5log2
2N)
6 Using AKS network, amortized cost will be reduced to O(N0.5log2N)
47 / 136

EXAMPLE
Figure 2.14: Initial storage structure of server.
Figure 2.15: Permuted memory based on Π1(wordi)
Note
All data are encrypted using probabilistic encryption scheme.
48 / 136

Read word4, actual index = 4.
Scan the shelter. It is a Miss because shelter is empty.
Compute Π1(4) = 7. Read word7 = ’9’ and write (4 || 9) to shelter.
Figure 2.16: Server memory after reading word4.
49 / 136

Write word9 = 92, actual index = 9.
Scan the shelter. It is a Miss.
Compute Π1(9) = 11. Read word11 = ’14’ and write (9 || 92) to
shelter.
Figure 2.17: Server memory after writing word9.
50 / 136

Write word4 = 67, actual index = 4.
Scan the shelter. It is a Hit. Update (4 || 9) to (4 || 67).
Compute Π1(16) = 3. Read word3 = ’$’ and write (16 || $) to shelter.
Figure 2.18: Server memory after writing word4
51 / 136

Read word9. actual index = 9.
Scan the shelter i.e. It is a Hit because (9 || 92) available in shelter.
Read the next dummy value i.e. word17.
Compute Π1(17) = 9. Read word9 = & and write (17 || &) to shelter.
Figure 2.19: Server memory after reading word9.
52 / 136

Updation
Selects a new PRP ’Π2’ to sort all the elements based on Π2(i).
Sorting makes old and new values come together.
Removal of old values and updation of the server memory makes
shelter empty.
Figure 2.20: Shuﬄed elements based on Π2(i) using sorting network.
Figure 2.21: Updated server memory with empty shelter
Note: Above procedures are repeated until all the operations are over.
53 / 136

Outline
1 Introduction
Overview
Hide Access Pattern
Goals and Actions
Oblivious RAM
Cuckoo Hashing
2 Types of ORAM
Optimal ORAM
Trivial ORAM
Binary ORAM
Path ORAM
Circuit ORAM
3 Summary
4 References
54 / 136

Amortized cost will be reduced further by replacing square root
ORAM with hierarchical ORAM.
It stores data, including dummies in random hash tables, rather than
storing them in a linear array.
Data items are stored in encrypted form of (indexi || datai)
As the level increases, the number of hash tables at each level also
increases.
Shuffle buffers with a frequency inversely proportional to their levels
i.e. if the level increases then the shuffling frequency decreases.
It follows a more complicated layout to hide memory access patterns.
55 / 136

Client Storage
Hash function for each level.
O(1) client memory. [Constant data words].
Server Storage
log2N levels for ’N’ data items.
Level ’i’ contains 2i hash tables or buckets.
Each hash table contains log2N blocks.
Each block contains encrypted data or dummy item.
Level ’i’ contains at most 2i data items.
Item ’x’ is located in one of the levels, in buckets Hi(x). (i is the level,
x is index of the item)
56 / 136

Figure 2.22: Server storage structure for N = 16.
57 / 136

Read / write a data item using ORAM means read the data item and
write it back.
Read item ’x’
1 Scan both bucket at level 1. status = not found.
2 Scan bucket ’j’ at level 2. where j = H2(x). status = Not found.
3 Scan bucket ’k’ at level 3. where k = H2(x). status = found.
4 If found, scan a random bucket at diﬀerent level.
5 If not found, scan a bucket at next level as before.
Note
If ’x’ found at more than one level, use top value of ’x’.
Suppose ’x’ found at level 2 and level 3. Level 2, ’x’ value is used.
58 / 136

Figure 2.23: Reading data element ’x’ from server memory.
59 / 136

Read item ’x’
1 Scan both bucket at level 1. status = not found.
2 Scan bucket ’2’ at level 2. where H2(x) = 2. status = Not found.
3 Scan bucket ’4’ at level 3. where H3(x) = 4. status = found.
4 Scan a random bucket at level 4.
Note
Cuckoo hashing is used for hash functions creation and elements
distribution.
60 / 136

Write item ’x’
Compute t = H1(x). Item ’x’ is written back to bucket ’t’ at level 1.
Here H1(x) = 1. Item ’x’ is written back to bucket 1.
If item ’x’ already exists before, rewrite it.
After this operation, level 1 becomes full, as level 1 can store at most
two data items.
It requires eviction. It will be done by moving elements to next level.
Note
In read operation, items are read from corresponding levels and writen
back at level 1.
In write opeartion, items are read from corresponding levels and
writen their updated values at level 1.
61 / 136

Figure 2.24: Write data element ’x’ to server memory.
62 / 136

Algorithm (Eviction)
known: Level i stores at most 2i items.
step 1: Every 2i operations, Empty level ’i’ and move its contents to
level ’i+1’.
step 2: If an item with same index ’v’ appears in both levels, after
sorting, newest version (from level i) is kept and older version is
erased.
step 3: After reshuﬄing, level i + 1 must be reordered using new
hash function.
Note
Sorting networks like Batcher or AKS network is used for sorting.
63 / 136

Algorithm (Reshuﬄing)
step 1: Sort the contents of both levels ’i’ and ’i+1’ on their indices.
A total of (2i + 2i+1)log2N items including dummies.
step 2: After sorting, two copies of same data item are now adjacent.
scan data and replace older copies with dummies.
step 3: Select new hash function Hi+1 and calculate Hi+1(x) for non
dummy item ’x’.
step 4: Arrange data items in buckets based on Hi+1. Maximum
log2N data items can be assigned to each bucket.
step 5: Scan and adjust number of dummies at level i+1.
64 / 136

Figure 2.25: Server storage structure after eviction.
As level ’1’ can hold maximum two data items, level 1’s contents moved to
level ’2’ and updated. Level ’1’ ﬁlled with dummies.
65 / 136

Figure 2.26: Server storage structure after next 2 operations.
Server memory structure after two operations. It read data from level 4
and wrote them at level 1 using new hash function H1
’.
66 / 136

Eviction (After last 2 operations)
1 Last two operations made level ’1’ full (maximum 21 data item). So,
contents of level ’1’ will move to level ’2’.
2 As level 2 full before (maximum 22 data item). Level ’2’ contents will
move to level ’3’ ﬁrst.
3 Level ’2’ contents moved to level ’3’ and updated. Here older value of
item ’x’ removed during updation.
4 Level ’1’ contents moved to level ’2’ and updated.
67 / 136

Figure 2.27: Server storage structure after updation.
68 / 136

”Hierarchical” ORAM Complexity Analysis
Worst Case Access Cost Complexity
Scan all buckets at level 1. Cost = 2log2N
Scan one bucket at level 2. Cost = log2N
Scan one bucket at level 3. Cost = log2N
Similarly one bucket at level log2N. Cost = log2N
So, access cost per data = 2log2N + (log2N - 1)log2N = O(log2
2N)
Write Cost Complexity
O(1). As, item has to be written at level 1.
69 / 136

”Hierarchical” ORAM Complexity Analysis (Cont...)
Worst Case Eviction Cost
After reshuffle, level ’i’ is empty. Level ’i+1’ has at most 2i+1 data
items.
A shuffle of level ’i’ (2i data items) using batcher network takes
O(2ilog2
2(2ilog2N)). Here 2ilog2N represents total items including
dummies.
O(2ilog2
2(2ilog2N)) can be simplified to O(2ilog2
2N).
After ’N’ operations, the cost overhead of shuffling is O((N/2)21log2N
+ (N/4)22log2
2N + (N/8)23log2
2N + .... ) = O(Nlog2
3N)
’N’ operations made level 1 shuffled ’N/2’ times, level 2 shuffled
’N/4’ times and so on.
Amortized cost = O(Nlog2
3N) / N = O(log2
3N).
70 / 136

”Hierarchical” ORAM Complexity Analysis (Cont..)
Access cost per operation = O(log2
2N).
Write cost per operation = O(1).
Eviction cost per operation = O(log2
3N)
Total cost = O(log2
2N) + O(1) + O(log2
3N) ≈ O(log2
3N)
71 / 136

Outline
1 Introduction
Overview
Hide Access Pattern
Goals and Actions
Oblivious RAM
Cuckoo Hashing
2 Types of ORAM
Optimal ORAM
Trivial ORAM
Binary ORAM
Path ORAM
Circuit ORAM
3 Summary
4 References
72 / 136

Binary ORAM
Amortized cost will be reduced further by replacing hierarchical
ORAM with binary ORAM.
It stores data in one of the buckets in its assigned path, rather than
storing them in random hash tables.
Data items are stored in encrypted form of (indexi || datai)
As the level increases, the number of buckets at each level also
increases by a factor of two.
The probability that a node/bucket at a particular level receives a
data item from its upper level is inversely proportional to its level i.e.
if the level increases then probability decreases.
It follows simpliﬁed layout than hierarchical ORAM to hide memory
access pattern.
73 / 136

Binary ORAM
Client Storage
A position map, stores mapped path of each data item.
Position map has N indices and each index is log2N bits long.
A position map of Nlog2N bits.
Server Storage
A full binary tree with log2N levels.
Level ’i’ contains 2i nodes or buckets.
Each node contains log2N blocks.
Each node contains encrypted data and/or dummy items.
Item ’x’ is located in one of the nodes in its path ’j’ i.e. from root to
leaf ’j’.
74 / 136

Binary ORAM
Table 2.1: Position map at client side.
Item Leaf
0 3
1 2
2 5
- -
7 2
- -
15 1
Item ’0’ is located in the path ’3’ i.e. in one of the nodes from root to
leaf ’3’.
Similarly, item ’7’ is located in the path ’2’ i.e. in one of the nodes
from root to leaf ’2’.
75 / 136

Binary ORAM
76 / 136

Binary ORAM
Read/write a data item using Binary ORAM means read the data item
and write it back.
Read item ’x’
Read path (leaf no.) from position map at client side.
Traverse the path from root to leaf. Scan all the nodes in the path.
Total log2
2N elements have to be scanned.
Remove item ’x’, when it is found. Fill it with a new dummy value.
Update position map of item ’x’ to a random leaf number.
Note: writing a dummy is a process that externally looks like writing an arbitrary
value to a node ,but internally does not store any value.
77 / 136

Binary ORAM
Read item ’0’
Traverse the path from root to leaf ’3’. Scan all the nodes in the
path. Total log2
2N elements including dummies have been scanned.
Item ’0’ is found in node 1 at level 1. So, remove it and ﬁll the place
with new dummy value.
Update the position map of item ’0’ to a random number. Here it is,
updated to 4.
78 / 136

Binary ORAM
Figure 2.29: Position of item ’0’ on the server during reading operation.
79 / 136

Binary ORAM
Figure 2.30: Server storage structure after reading data item ’0’.
80 / 136

Binary ORAM
Write item ’x’
After updating item ’x’ position map, it is written back to root.
After a few operations, root becomes full, as root can store at most
log2N items.
To avoid overﬂow, an eviction procedure is called, before writing any
element at the root.
It will be done by moving elements downwards to the next node on
their path.
Note
In read operation, items are read from corresponding paths and
written back to root.
In write operation, items are read from corresponding paths and
written their updated values to root.
81 / 136

Binary ORAM
Figure 2.31: Position of item ’0’ on the server after write operation.
82 / 136

Binary ORAM
Algorithm (Eviction)
known: Each node stores at most log2N items.
step 1: At each level, choose two nodes at random.
step 2: For each node, pop a data item (if node is non-empty) or
pop a dummy (if node is empty).
step 3: If it is a data item, move it downwards to the next node on
its path. If ancestor node is empty, write a dummy to a random
descendant.
step 4: Do a dummy write to other descent of the node.
step 5: Repeat the above process until make space at root for next
data item to write.
83 / 136

Binary ORAM
Note
Writing a dummy, we refer to
A process that externally looks like writing an arbitrary value to a
node but internally does not store any value.
Writing a dummy to a node does not decrease its capacity.
Note
A node at level ’i’ receives an item with probability (2 / 2i-1)(1/2).
Here 2i-1 represents node numbers at level ’i-1’.
A node at level ’i’ evicts an item with probability (2/2i). Here 2i
represents node numbers at level ’i’.
84 / 136

Binary ORAM
Table 2.2: Current position map at client side
Item Leaf
0 4
1 2
2 5
3 1
4 8
5 3
6 4
7 2
Item Leaf
8 5
9 6
10 7
11 6
12 8
13 3
14 7
15 1
Last reading of the item ’0’, update its position map to 4.
85 / 136

Binary ORAM
Figure 2.32: Server storage structure (current)
86 / 136

Binary ORAM
Figure 2.33: Server storage structure after eviction.
87 / 136

Binary ORAM
Binary ORAM Complexity Analysis
1 Accessing a single element requires scan all the elements in the path.
Cost is O(log2
2N).
2 After reading, eviction has to be performed. Select two random nodes
at each level and evict one item from each node.
3 So, cost at each level is 2. Total (log2N-1) levels. Cost is 2(log2N-1)
= O(log2N).
4 After eviction, write the element at root. Cost is O(1).
5 Total cost per operation = access cost + eviction cost + write cost =
O(log2
2N) + O(log2N) + O(1) ≈ O(log2
2N)
88 / 136

Binary ORAM
Binary ORAM Complexity Analysis
(Using Square Root ORAM)
1 Square root ORAM is implemented at each node where square root
ORAM is implemented using AKS network.
2 Cost for accessing an element at each node at each level is reduced to
O(log2
0.5N(log2log2N)).
3 Total log2N levels. Cost per accessing a single element in the path
O(log2
1.5N(log2log2N))
4 Total cost per operation = access cost + eviction cost + write cost =
O(log2
1.5N(log2log2N)) + O(log2N) + O(1) ≈
O(log2
1.5N(log2log2N)).
89 / 136

Outline
1 Introduction
Overview
Hide Access Pattern
Goals and Actions
Oblivious RAM
Cuckoo Hashing
2 Types of ORAM
Optimal ORAM
Trivial ORAM
Binary ORAM
Path ORAM
Circuit ORAM
3 Summary
4 References
90 / 136

Path ORAM
Amortized cost will be reduced further by upgrading binary ORAM to
Path ORAM.
Data items are stored in encrypted form of (indexi || datai).
As the level increases, the number of buckets/nodes at each level also
increases by a factor of two.
While reading a particular element, all the elements in the path are
deleted from the server and stored in client stash.
While writing, position map of the element is updated and all the
read elements are rearranged in the read path.
Path ORAM tries to push the elements as close to the leaf in each
write operation.
It follows simpliﬁed layout than binary ORAM to hide memory access
pattern.
91 / 136

Path ORAM
Client Storage
Position map has N indices, but each index is log2N bits long.
A stash (temporary storage) where size of stash is bounded by
Pr[stash = R] ≥ 1 - 2-Ω(R). R = O(log2N).ω(1).
Server Storage
A full binary treee with log2N levels.
Each node contains O(1) blocks.
As level increases, number of nodes increases by a factor of two.
Block in each node either contains encrypted data item or it’s empty.
item ’x’ is located in one of the nodes in its path ’j’ i.e. from root to
leaf ’j’.
92 / 136

Path ORAM
Table 2.3: Position map at client side.
Item Leaf
1 2
2 4
3 3
4 4
5 3
6 1
7 2
Item Leaf
8 2
9 1
10 1
11 4
12 3
13 2
14 1
Item ’1’ is located in the path ’2’ i.e. in one of the nodes from root to
leaf ’2’.
Similarly, item ’14’ is located in the path ’4’ i.e. in one of the nodes
from root to leaf ’4’.
93 / 136

Path ORAM
N = 14. So, total levels = log2N = 3. Each node is of O(1) size.
In path ORAM, server neither stores or processes dummy values.
94 / 136

Path ORAM
Figure 2.35: Stash at client side.
While reading an item, all the elements in the path are deleted and
stored in client stash. While writing, elements are deleted from stash
and rearranged in the read path.
During rearrangement, some of the elements are not getting proper
place in server data structure. Kept remain in client stash.
95 / 136

Path ORAM
As known before, Read/write a data item using ORAM means read the
data item and write it back.
Read item ’x’
Traverse the path ’j’ from root to leaf. Scan all the nodes in the path.
Total O(log2N) elements have to be scanned.
While scanning, delete all the elements in the path and store them in
client stash. Update position map of item ’x’.
Write item ’x’
Read the elements including item ’x’ from the stash and rearrange
them in the path ’j’. (Move the elements close to the leaf).
Delete the rearranged elements from the client stash.
96 / 136

Path ORAM
Figure 2.36: Client and server storage structures (current).
97 / 136

Path ORAM
Read item9, index = 9
path. Total O(log2N) elements have been scanned.
While scanning, delete all the elements in the path ’2’ and store them
in client stash.
Update position map of item ’7’ to a random leaf number. Here it is,
updated to ’1’.
98 / 136

Path ORAM
Figure 2.37: Client and server storage structures after reading item ’7’.
99 / 136

Path ORAM
Figure 2.38: Client and server storage structures before writing.
100 / 136

Path ORAM
Figure 2.39: Server storage structure after writing level ’3’ in the path ’2’.
Two elements are chosen out of ’3’ arrowed elements to write at level ’3’.
101 / 136

Path ORAM
102 / 136

Path ORAM
103 / 136

Path ORAM
Figure 2.42: Client and server storage structures after rearrangement.
104 / 136

Path ORAM
Write item14 = 23, index = 14.
Read path (leaf no.) from the position map at client side.
While scanning, delete all the elements in the path ’1’ and store them
in client stash.
Write 23 to item ’14’ in the stash and update its position map to a
random number. Here it is ’3’.
105 / 136

Path ORAM
Figure 2.43: Client and server storage structures after reading item ’14’.
106 / 136

Path ORAM
Figure 2.44: Client and server storage structures after writing item14 = 23.
107 / 136

Path ORAM
108 / 136

Path ORAM
Two elements are chosen out of ’3’ eligible elements to write at level ’2’.
109 / 136

Path ORAM
Last two elements are choosen to write at level ’1’.
110 / 136

Path ORAM
Figure 2.48: Client and server storage structures after rearrangement.
111 / 136

Path ORAM
Path ORAM Complexity Analysis
1 Accessing a single element requires scan all the elements in the path.
Cost is O(log2N).
2 During writing, rearrange the elements in the read path. It has done
manually i.e. take a single element from the stash and scan the full
path to ﬁnd its proper location. Cost is O(log2N).
3 Cost of arranging O(log2N) elements is O(log2
2N).
4 Amortized cost (cost per operation) = Access cost + Rearrangement
cost = O(log2N) + O(log2
2N) ≈ O(log2
2N).
112 / 136

Outline
1 Introduction
Overview
Hide Access Pattern
Goals and Actions
Oblivious RAM
Cuckoo Hashing
2 Types of ORAM
Optimal ORAM
Trivial ORAM
Binary ORAM
Path ORAM
Circuit ORAM
3 Summary
4 References
113 / 136

Circuit ORAM
Circuit ORAM is the optimized ORAM available till today.
Amortized cost will be reduced further by upgrading binary ORAM to
Circuit ORAM.
Most suitable for MPC as it takes least number of AND and OR
gates for circuit implementation.
Data items are stored in encrypted form of (indexi || datai).
As the level increases, the number of buckets / nodes at each level
also increases by a factor of two.
While reading a particular element, scan all the buckets in its path.
When found, delete it from the bucket and store it in the stash.
While writing, rearrange the read element and elements in its newly
assigned path. It minimizes rearrangement cost to O(log2N).
114 / 136

Circuit ORAM
Client Storage
Position map has N indices, but each index is log2N bits long.
Server Storage
A full binary tree with log2N levels.
Each node contains O(1) blocks.
As level increases, number of nodes increases by a factor of two.
Block in each node either contains encrypted data item or it’s empty.
Item ’x’ is located in one of the nodes in its path ’j’ i.e. from root to
leaf ’j’.
A stash (temporary storage) where size of stash is bounded by
Pr[stash = R] ≥ 1 - 2-Ω(R). R = O(log2N).ω(1).
115 / 136

Circuit ORAM
Figure 2.49: Client and server storage structures for N = 20.
116 / 136

Circuit ORAM
Read/write operation using circuit ORAM is replaced by read and write
operations.
Read item ’x’
Traverse the path ’j’ from root to leaf. Scan all the nodes in the path.
Total O(log2N) elements have to be scanned.
When it is found, free the memory cell and store it in stash. Update
position map of item ’x’ to ’k’.
Write item ’x’
Rearrange item ’x’ and data items in its newly assigned path ’k’.
It follows three sophisticated methods to push elements as close to
the leaf. It minimizes cost to O(log2N).
117 / 136

Circuit ORAM
Read item ’19’
Traverse the path from root to lead ’1’. Scan all the nodes in the
When it is found, free the memory cell and store it in stash.
Update position map of item ’19’ to a random leaf number. Here it
is, updated to ’2’.
118 / 136

Circuit ORAM
Figure 2.50: Read item ’19’ using circuit ORAM.
119 / 136

Circuit ORAM
Figure 2.51: Server storahe structure after reading item ’19’.
120 / 136

Circuit ORAM
Write item ’19’
Rearrange item ’19’ and data items in its newly assigned path ’2’.
Use sophisticated eviction algorithm to push elements as close to the
leaf ’2’.
Eviction algorithm includes three methods (Find Depth, Prepare
Deepest and Prepare Target) to ﬁnd proper location of data items.
121 / 136

Circuit ORAM
Figure 2.52: Eviction path for write operation.
122 / 136

Circuit ORAM
As eviction is performed after each read operation, ﬁnd deepest element to
be evicted, at each level in the path. Eviction in a path includes
Find Depth (s → t): It is the top-down proceduce. A block in
node[s] can legally reside in node[t]; but no block in node[s] can
legally reside in node[t+1...L]. Here s < t.
Prepare Deepest (s → t): It is the bottom-up procedure. The
deepest block in node[0...s-1] that can legally reside in node[s]
currently resides in node[t]. Here t < s.
Prepare Target (s → t): It follows top-down approach. During the
real block scan, pick up the deepest block in node[s] and drop it in
node[t]. Here s < t.
123 / 136

Circuit ORAM
Find Depth
Figure 2.53: Circuit ORAM depth calculation
124 / 136

Circuit ORAM
Find Depth
Figure 2.54: Deepest elements in path ’2’
125 / 136

Circuit ORAM
Find Depth
Figure 2.55: Find depth in path ’2’
126 / 136

Circuit ORAM
Prepare Deepest
1: function PREPARE DEEPEST(int Depth[ ])
2: Initialize Deepest := (⊥,⊥, ..., ⊥), src := ⊥, goal := -1.
3: If stash not empty then src := 0, goal := Depth[0]
4: end if
5: for i = 1 to L do:
6: if goal ≥ i then Deepest[i] : = src
7: end if
8: l := Deepest[i]
9: if l > goal then goal := l, Src := i
10: end if
11: end for
12: end function
Algorithm 3: Prepare deepest array.
127 / 136

Circuit ORAM
Prepare Deepest
Figure 2.56: Prepare deepest array
In prepare deepest, reserve the empty cells for nearest deepest element.
It is a bottom-up process.
128 / 136

Circuit ORAM
Prepare Target
1: function PREPARE TARGET(int Deepest[ ])
2: Initialize dest := ⊥, src := ⊥, Target := (⊥,⊥,...,⊥)
3: for i = L down to 0 do:
4: if i == src then Target[i] := dest, dest := ⊥, src := ⊥.
5: end if
6: if ((dest = ⊥ and node[i] has empty slot) or (Target[i] =
⊥)) and (Deepest[i] = ⊥) then
7: src := Deepest[i], dest := i
8: end if
9: end for
10: end function
Algorithm 4: Prepare target array.
129 / 136

Circuit ORAM
Prepare Target
Figure 2.57: Prepare target array
In prepare target, move deepest elements into their preferred reserved
empty cells.
130 / 136

Circuit ORAM
Figure 2.58: Server storage structure after eviction
131 / 136

Circuit ORAM
Circuit ORAM Complexity Analysis
Accessing a single element requires scan all the elements in the path.
Cost is O(log2N)
During writing, rearrange the elements in the newly assigned path. It
has done by performing three operations (two meta data scan and
one data scan)
Rearrangement cost = Find Depth + Prepare Deepest + Prepare
Target = O(log2N) + O(log2N) + O(log2N) ≈ O(log2N).
Cost per operation = Access cost + Rearrangement cost = O(log2N)
+ O(log2N) ≈ O(log2N).
132 / 136

Summary
We discussed
1 How memory access patterns leak sensitive information.
2 Goals and actions are required to hide memory access pattern.
3 Oblivious RAM (ORAM) and diﬀerent types of ORAM.
4 Cuckoo hashing, one of the hashing algorithm is used in Ostrovsky’s
”Hierarchical” ORAM.
5 Complexity analysis of each ORAM and showed, how cost is reduced
drastically.
133 / 136

References
C. W. Fletcher, ”Oblivious RAM: From Theory to Practice”, Ph. D,
Massachusetts Institute of Technology, 2016.
D. Nath, ”ORAM: A Brief Overview”, University of California, Santa
Barbara, 2015.
B. Pinkas, ”Oblivious RAM”, Bar - Ilan University, Israel, 2015.
E. Shi, Oblivious RAM. Simons Institute: YouTube, 2015.
B. Pinkas, ORAM - Prof. Benny Pinkas. Bar-Ilan University, Israel:
YouTube, 2015.
M. Georgiou, ”Oblivious RAM: Classical results and recent
developments”, University of New York, 2016.
134 / 136

References
X. Yu et al., ”PrORAM: Dynamic Prefetcher for Oblivious RAM”,
ACM SIGARCH Computer Architecture News, vol. 43, no. 3, pp.
616-628, 2015.
E. Stefanov et al., ”Path ORAM: an extremely simple oblivious RAM
protocol”, in Proceedings of the 2013 ACM SIGSAC conference on
Computer and communications security, Berlin, Germany, 2013, pp.
299-310.
X. Wang, T. Chan and E. Shi, ”Circuit ORAM: On Tightness of the
Goldreich-Ostrovsky Lower Bound”, International Association for
Cryptologic Research, 2016.
135 / 136

The End
136 / 136

ORAM

More Related Content

What's hot

Similar to ORAM

More from Ashutosh Satapathy

Recently uploaded

ORAM