Is There an Oblivious RAM Lower Bound for Online Reads?

Journal of Cryptology

Abstract

Oblivious RAM (ORAM), introduced by Goldreich (STOC 1987) and Ostrovsky (STOC 1990), can be used to read and write to memory in a way that hides which locations are being accessed. The best known ORAM schemes have an \(O(\log n)\) overhead per access, where \(n\) is the data size. The work of Goldreich and Ostrovsky (JACM 1996) gave a lower bound, showing that this is optimal for ORAM schemes that operate in a “balls and bins” model, where memory blocks can only be shuffled between different locations but not manipulated otherwise (and the server is used solely as remote storage). The lower bound even extends to weaker settings such as offline ORAM, where all of the accesses to be performed need to be specified ahead of time, and read-only ORAM, which only allows reads but not writes. But can we get lower bounds for general ORAM, beyond “balls and bins”? The work of Boyle and Naor (ITCS 2016) shows that this is unlikely in the offline setting. In particular, they construct an offline ORAM with \(o(\log n)\) overhead assuming the existence of small sorting circuits. Although we do not have instantiations of the latter, ruling them out would require proving new circuit lower bounds. On the other hand, the recent work of Larsen and Nielsen (CRYPTO 2018) shows that there indeed is an \(\Omega (\log n)\) lower bound for general online ORAM. This still leaves the question open for online read-only ORAM or for read/write ORAM where we want very small overhead for the read operations. In this work, we show that a lower bound in these settings is also unlikely. In particular, our main result is a construction of online ORAM, in which the server is used solely as remote storage, where reads (but not writes) have an \(o(\log n)\) overhead, assuming the existence of small sorting circuits as well as very good locally decodable codes (LDCs). Although we do not have instantiations of either of these with the required parameters, ruling them out is beyond current lower bounds.


Notes

  1. The work of [2] was published after the conference version of this paper [58].

  2. Similar to previous works (e.g., [50, 51, 53]), we assume words are of at least logarithmic size.

  3. This is reminiscent of a construction of [44], which also instantiated the levels of a hierarchical ORAM with a primitive guaranteeing read privacy (specifically, they use PIR). However, our goals, and the details of our construction, differ significantly from [44].

  4. In [9], the blocks consist solely of the tag, but the algorithm is usually run when tags are concatenated with memory blocks (which are carried as a “payload”, and the complexity increases accordingly). We choose to explicitly include the data portion in the block.

  5. In this context, we note that recently (and after the conference version of this paper [58] was published), Farhadi et al. [18] showed an interesting connection between oblivious-access sort algorithms and seemingly unrelated problems in the field of network coding.

  6. In particular, the accesses performed during \(\textsf {Setup}\) are not included in \(\textsf {AP}\), i.e., it includes only the accesses performed during the \(\textsf {Read}\) and \(\textsf {Write}\) executions.

  7. Recall that the client memory stores blocks of size \({\mathsf {B}}\). Jumping ahead, for the setting discussed in the theorem statement such blocks are large enough to store the entire client memory needed for the metadata ORAM.

  8. Here, we assume \(\lambda \ge \log {M/2k}\), which is the number of bits needed to represent the counter.

  9. We could have similarly defined this notion as an extension of ORAM schemes (that support \(\textsf {write}\) operations), but since we only use this property for RO-ORAM schemes, we choose to define it for this (more restricted) setting.

  10. The construction can use any RO-ORAM scheme, but the \(\textsf {read}\) overhead is at least the overhead of the RO-ORAM scheme. Therefore, to obtain \(o\left( \log n\right) \) overhead, we need to instantiate the ORAM with our RO-ORAM scheme.

  11. We note that several ORAM schemes (such as tree-based ORAM schemes, and in particular the ORAM of Theorem 3.7), though described for logical memories given as arrays, can actually support logical memories given as map data structures.

  12. This assumption is without loss of generality since for the block sizes we consider, concatenating the address to the block would cause at most a constant multiplicative increase in the block size.

  13. More accurately, blocks from level i cause one access to \(\mathcal {DB}^i\) and one access to \(\mathcal {DB}^{i+1}\), but these operations have the same complexity since they entail reading or writing a size-\({\mathsf {B}}\) block.

References

  1. I. Abraham, C.W. Fletcher, K. Nayak, B. Pinkas, L. Ren, Asymptotically tight bounds for composing ORAM with PIR, in Public-Key Cryptography—PKC 2017—20th IACR International Conference on Practice and Theory in Public-Key Cryptography, Amsterdam, The Netherlands, March 28–31, 2017, Proceedings, Part I (2017), pp. 91–120

  2. G. Asharov, I. Komargodski, W.-K. Lin, K. Nayak, E. Peserico, E. Shi, OptORAMa: optimal oblivious RAM, in Advances in Cryptology—EUROCRYPT 2020—39th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Zagreb, Croatia, May 10–14, 2020, Proceedings, Part II (2020), pp. 403–432

  3. M. Ajtai, J. Komlós, E. Szemerédi, An \({O}(n \log n)\) sorting network, in Proceedings of the 15th Annual ACM Symposium on Theory of Computing, 25–27 April, 1983 (1983), pp. 1–9

  4. D. Apon, J. Katz, E. Shi, A. Thiruvengadam, Verifiable oblivious storage, in Public-Key Cryptography—PKC 2014—17th International Conference on Practice and Theory in Public-Key Cryptography, Buenos Aires, Argentina, March 26–28, 2014. Proceedings (2014), pp. 131–148

  5. E. Boyle, K.-M. Chung, R. Pass, Large-scale secure computation: multi-party computation for (parallel) RAM programs, in Advances in Cryptology—CRYPTO 2015—35th Annual Cryptology Conference, Santa Barbara, CA, USA, August 16–20, 2015, Proceedings, Part II (2015), pp. 742–762

  6. A. Beimel, Y. Ishai, T. Malkin, Reducing the servers computation in private information retrieval: PIR with preprocessing, in Advances in Cryptology—CRYPTO 2000, 20th Annual International Cryptology Conference, Santa Barbara, California, USA, August 20–24, 2000, Proceedings (2000), pp. 55–73

  7. E. Boyle, Y. Ishai, R. Pass, M. Wootters, Can we access a database both locally and privately?, in Theory of Cryptography—15th International Conference, TCC 2017, Baltimore, MD, USA, November 12–15, 2017, Proceedings, Part II (2017), pp. 662–693

  8. N. Blum, A Boolean function requiring \(3n\) network size. Theor. Comput. Sci. 28, 337–345 (1984)

  9. E. Boyle, M. Naor, Is there an oblivious RAM lower bound?, in Proceedings of the 2016 ACM Conference on Innovations in Theoretical Computer Science, Cambridge, MA, USA, January 14–16, 2016 (2016), pp. 357–368

  10. D. Cash, A. Drucker, A. Hoover, A lower bound for one-round oblivious RAM, in Theory of Cryptography—18th International Conference, TCC 2020, Durham, NC, USA, November 16–19, 2020, Proceedings, Part I (2020), pp. 457–485

  11. Y.M. Chee, T. Feng, S. Ling, H. Wang, L.F. Zhang, Query-efficient locally decodable codes of subexponential length. Comput. Complex. 22(1), 159–189 (2013)

  12. R. Canetti, J. Holmgren, S. Richelson, Towards doubly efficient private information retrieval, in Theory of Cryptography—15th International Conference, TCC 2017, Baltimore, MD, USA, November 12–15, 2017, Proceedings, Part II (2017), pp. 694–726

  13. D. Cash, A. Küpçü, D. Wichs, Dynamic proofs of retrievability via oblivious RAM, in Advances in Cryptology—EUROCRYPT 2013, 32nd Annual International Conference on the Theory and Applications of Cryptographic Techniques, Athens, Greece, May 26–30, 2013. Proceedings (2013), pp. 279–295

  14. R. Durstenfeld, Algorithm 235: random permutation. Commun. ACM, 7(7), 420 (1964)

  15. S. Devadas, M. van Dijk, C.W. Fletcher, L. Ren, E. Shi, D. Wichs, Onion ORAM: a constant bandwidth blowup oblivious RAM, in Theory of Cryptography—13th International Conference, TCC 2016-A, Tel Aviv, Israel, January 10–13, 2016, Proceedings, Part II (2016), pp. 145–174

  16. K. Efremenko, 3-query locally decodable codes of subexponential length, in Proceedings of the 41st Annual ACM Symposium on Theory of Computing, STOC 2009, Bethesda, MD, USA, May 31–June 2, 2009 (2009), pp. 39–44

  17. M.G. Find, A. Golovnev, E.A. Hirsch, A.S. Kulikov, A better-than-\(3n\) lower bound for the circuit complexity of an explicit function, in IEEE 57th Annual Symposium on Foundations of Computer Science, FOCS 2016, 9–11 October 2016, Hyatt Regency, New Brunswick, New Jersey, USA (2016), pp. 89–98

  18. A. Farhadi, M.T. Hajiaghayi, K.G. Larsen, E. Shi, Lower bounds for external memory integer sorting via network coding, in Proceedings of the 51st Annual ACM SIGACT Symposium on Theory of Computing, STOC 2019, Phoenix, AZ, USA, June 23–26, 2019 (2019), pp. 997–1008

  19. C.W. Fletcher, M. Naveed, L. Ren, E. Shi, E. Stefanov, Bucket ORAM: single online roundtrip, constant bandwidth oblivious RAM. IACR Cryptol. ePrint Arch., 2015, 1065 (2015)

  20. C. Gentry, K.A. Goldman, S. Halevi, C.S. Jutla, M. Raykova, D. Wichs, Optimizing ORAM and using it efficiently for secure computation, in Privacy Enhancing Technologies—13th International Symposium, PETS 2013, Bloomington, IN, USA, July 10–12, 2013. Proceedings (2013), pp. 1–18

  21. C. Gentry, S. Halevi, C.S. Jutla, M. Raykova, Private database access with HE-over-ORAM architecture, in Applied Cryptography and Network Security—13th International Conference, ACNS 2015, New York, NY, USA, June 2–5, 2015, Revised Selected Papers (2015), pp. 172–191

  22. S.D. Gordon, J. Katz, V. Kolesnikov, F. Krell, T. Malkin, M. Raykova, Y. Vahlis, Secure two-party computation in sublinear (amortized) time, in The ACM Conference on Computer and Communications Security, CCS’12, Raleigh, NC, USA, October 16–18, 2012 (2012), pp. 513–524

  23. S.D. Gordon, J. Katz, X. Wang, Simple and efficient two-server ORAM, in Advances in Cryptology—ASIACRYPT 2018—24th International Conference on the Theory and Application of Cryptology and Information Security, Brisbane, QLD, Australia, December 2–6, 2018, Proceedings, Part III (2018), pp. 141–157

  24. M.T. Goodrich, M. Mitzenmacher, O. Ohrimenko, R. Tamassia, Privacy-preserving group data access via stateless oblivious RAM simulation, in Proceedings of the 23rd Annual ACM-SIAM Symposium on Discrete Algorithms, SODA 2012, Kyoto, Japan, January 17–19, 2012 (2012), pp. 157–167

  25. O. Goldreich, R. Ostrovsky, Software protection and simulation on oblivious RAMs. J. ACM 43(3), 431–473 (1996)

  26. O. Goldreich, Towards a theory of software protection and simulation by oblivious RAMs, in Proceedings of the 19th Annual ACM Symposium on Theory of Computing, 1987, New York, New York, USA (1987), pp. 182–194

  27. M.T. Goodrich, Zig-zag sort: a simple deterministic data-oblivious sorting algorithm running in \({O}(n \log n)\) time, in Symposium on Theory of Computing, STOC 2014, New York, NY, USA, May 31–June 03, 2014 (2014), pp. 684–693

  28. B. Hemenway, R. Ostrovsky, Public-key locally-decodable codes, in Advances in Cryptology—CRYPTO 2008, 28th Annual International Cryptology Conference, Santa Barbara, CA, USA, August 17–21, 2008. Proceedings (2008), pp. 126–143

  29. B. Hemenway, R. Ostrovsky, M.J. Strauss, M. Wootters, Public key locally decodable codes with short keys, in Approximation, Randomization, and Combinatorial Optimization. Algorithms and Techniques—14th International Workshop, APPROX 2011, and 15th International Workshop, RANDOM 2011, Princeton, NJ, USA, August 17–19, 2011. Proceedings (2011), pp. 605–615

  30. A. Hamlin, R. Ostrovsky, M. Weiss, D. Wichs, Private anonymous data access, in Advances in Cryptology—EUROCRYPT 2019—38th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Darmstadt, Germany, May 19–23, 2019, Proceedings, Part II (2019), pp. 244–273

  31. K. Iwama, H. Morizumi, An explicit lower bound of \(5n - o(n)\) for boolean circuits, in Mathematical Foundations of Computer Science 2002, 27th International Symposium, MFCS 2002, Warsaw, Poland, August 26–30, 2002, Proceedings (2002), pp. 353–364

  32. T. Itoh, Y. Suzuki, Improved constructions for query-efficient locally decodable codes of subexponential length. IEICE Trans. 93-D(2), 263–270 (2010)

  33. E. Kushilevitz, S. Lu, R. Ostrovsky, On the (in)security of hash-based oblivious RAM and a new balancing scheme, in Proceedings of the 23rd Annual ACM-SIAM Symposium on Discrete Algorithms, SODA 2012, Kyoto, Japan, January 17–19, 2012 (2012), pp. 143–156

  34. E. Kushilevitz, T. Mour, Sub-logarithmic distributed oblivious RAM with small block size, in Public-Key Cryptography—PKC 2019—22nd IACR International Conference on Practice and Theory of Public-Key Cryptography, Beijing, China, April 14–17, 2019, Proceedings, Part I (2019), pp. 3–33

  35. E. Kushilevitz, R. Ostrovsky, Replication is NOT needed: SINGLE database, computationally-private information retrieval, in 38th Annual Symposium on Foundations of Computer Science, FOCS’97, Miami Beach, Florida, USA, October 19–22, 1997 (1997), pp. 364–373

  36. M. Keller, P. Scholl, Efficient, oblivious data structures for MPC, in Advances in Cryptology—ASIACRYPT 2014—20th International Conference on the Theory and Application of Cryptology and Information Security, Kaoshiung, Taiwan, R.O.C., December 7–11, 2014, Proceedings, Part II (2014), pp. 506–525

  37. J. Katz, L. Trevisan, On the efficiency of local decoding procedures for error-correcting codes, in Proceedings of the 32nd Annual ACM Symposium on Theory of Computing, May 21–23, 2000, Portland, OR, USA (2000), pp. 80–86

  38. C. Liu, Y. Huang, E. Shi, J. Katz, M.W. Hicks, Automating efficient RAM-model secure computation, in 2014 IEEE Symposium on Security and Privacy, SP 2014, Berkeley, CA, USA, May 18–21, 2014 (2014), pp. 623–638

  39. K.G. Larsen, J.B. Nielsen, Yes, there is an oblivious RAM lower bound!, in Advances in Cryptology—CRYPTO 2018—38th Annual International Cryptology Conference, Santa Barbara, CA, USA, August 19–23, 2018, Proceedings, Part II (2018), pp. 523–542

  40. S. Lu, R. Ostrovsky, Distributed oblivious RAM for secure two-party computation, in Theory of Cryptography—10th Theory of Cryptography Conference, TCC 2013, Tokyo, Japan, March 3–6, 2013. Proceedings (2013), pp. 377–396

  41. J.R. Lorch, B. Parno, J.W. Mickens, M. Raykova, J. Schiffman, Shroud: ensuring private access to large-scale data in the data center, in Proceedings of the 11th USENIX conference on File and Storage Technologies, FAST 2013, San Jose, CA, USA, February 12–15, 2013 (2013), pp. 199–214

  42. T. Mayberry, E.-O. Blass, A.H. Chan, Efficient private file retrieval by combining ORAM and PIR, in 21st Annual Network and Distributed System Security Symposium, NDSS 2014, San Diego, California, USA, February 23–26, 2014 (2014)

  43. M. Maas, E. Love, E. Stefanov, M. Tiwari, E. Shi, K. Asanovic, J. Kubiatowicz, D. Song, PHANTOM: practical oblivious computation in a secure processor, in 2013 ACM SIGSAC Conference on Computer and Communications Security, CCS’13, Berlin, Germany, November 4–8, 2013 (2013), pp. 311–324

  44. R. Ostrovsky, V. Shoup, Private information storage (extended abstract), in Proceedings of the 29th Annual ACM Symposium on the Theory of Computing, El Paso, Texas, USA, May 4–6, 1997 (1997), pp. 294–303

  45. R. Ostrovsky, Efficient computation on oblivious RAMs, in Proceedings of the 22nd Annual ACM Symposium on Theory of Computing, May 13–17, 1990, Baltimore, Maryland, USA (1990), pp. 514–523

  46. M. Patrascu, E.D. Demaine, Logarithmic lower bounds in the cell-probe model. SIAM J. Comput. 35(4), 932–963 (2006)

  47. S. Patel, G. Persiano, M. Raykova, K. Yeo, PanORAMa: oblivious RAM with logarithmic overhead, in 59th IEEE Annual Symposium on Foundations of Computer Science, FOCS 2018, Paris, France, October 7–9, 2018 (2018), pp. 871–882

  48. P. Raghavendra, A note on Yekhanin’s locally decodable codes. Electron. Colloquium Comput. Complex. (ECCC) 14(016) (2007)

  49. L. Ren, C.W. Fletcher, A. Kwon, E. Stefanov, E. Shi, M. van Dijk, S. Devadas, Constants count: practical improvements to oblivious RAM, in 24th USENIX Security Symposium, USENIX Security 15, Washington, D.C., USA, August 12–14, 2015 (2015), pp. 415–430

  50. E. Shi, T.-H. Hubert Chan, E. Stefanov, M. Li, Oblivious RAM with \({O}((\log {N})^3)\) worst-case cost, in Advances in Cryptology—ASIACRYPT 2011—17th International Conference on the Theory and Application of Cryptology and Information Security, Seoul, South Korea, December 4–8, 2011. Proceedings (2011), pp. 197–214

  51. E. Stefanov, E. Shi, ObliviStore: high performance oblivious distributed cloud data store, in 20th Annual Network and Distributed System Security Symposium, NDSS 2013, San Diego, California, USA, February 24–27, 2013 (2013)

  52. E. Stefanov, E. Shi, D.X. Song, Towards practical oblivious RAM, in 19th Annual Network and Distributed System Security Symposium, NDSS 2012, San Diego, California, USA, February 5–8, 2012 (2012)

  53. E. Stefanov, M. van Dijk, E. Shi, C.W. Fletcher, L. Ren, X. Yu, S. Devadas, Path ORAM: an extremely simple oblivious RAM protocol, in 2013 ACM SIGSAC Conference on Computer and Communications Security, CCS’13, Berlin, Germany, November 4–8, 2013 (2013), pp. 299–310

  54. X. Wang, T.-H. Hubert Chan, E. Shi, Circuit ORAM: on tightness of the Goldreich–Ostrovsky lower bound, in Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, Denver, CO, USA, October 12–6, 2015 (2015), pp. 850–861

  55. X.S. Wang, Y. Huang, T.-H. Hubert Chan, A. Shelat, E. Shi, SCORAM: oblivious RAM for secure computation, in Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, Scottsdale, AZ, USA, November 3–7, 2014 (2014), pp. 191–202

  56. D.P. Woodruff, New lower bounds for general locally decodable codes. Electron. Colloquium Comput. Complex. (ECCC) 14(006) (2007)

  57. P. Williams, R. Sion, Single round access privacy on outsourced storage, in The ACM Conference on Computer and Communications Security, CCS’12, Raleigh, NC, USA, October 16–18, 2012 (2012), pp. 293–304

  58. M. Weiss, D. Wichs, Is there an oblivious RAM lower bound for online reads?, in Theory of Cryptography—16th International Conference, TCC 2018, Panaji, India, November 11–14, 2018, Proceedings, Part II (2018), pp. 603–635

  59. S. Yekhanin, Towards 3-query locally decodable codes of subexponential length, in Proceedings of the 39th Annual ACM Symposium on Theory of Computing, San Diego, California, USA, June 11–13, 2007 (2007), pp. 266–274

  60. X. Yu, C.W. Fletcher, L. Ren, M. van Dijk, S. Devadas, Generalized external interaction with tamper-resistant hardware with bounded information leakage, in CCSW’13, Proceedings of the 2013 ACM Cloud Computing Security Workshop, Co-located with CCS 2013, Berlin, Germany, November 4, 2013 (2013), pp. 23–34

  61. J. Zhang, Q. Ma, W. Zhang, D. Qiao, MSKT-ORAM: a constant bandwidth ORAM without homomorphic encryption. IACR Cryptol. ePrint Arch. 2016, 882 (2016)

Acknowledgements

We thank the anonymous Journal of Cryptology reviewers for their comments, which helped us improve the paper. This research was supported by NSF Grants CNS-1314722, CNS-1413964, CNS-1750795 and the Alfred P. Sloan Research Fellowship. The first author was supported in part by The Eric and Wendy Schmidt Postdoctoral Grant for Women in Mathematical and Computing Sciences.

Corresponding author

Correspondence to Mor Weiss.

Additional information

Communicated by Daniele Micciancio

About this article

Cite this article

Weiss, M., Wichs, D. Is There an Oblivious RAM Lower Bound for Online Reads?. J Cryptol 34, 18 (2021). https://doi.org/10.1007/s00145-021-09392-1
