SlideShare a Scribd company logo

ORAM: A Brief Overview

â€ĸDownload as PPTX, PDFâ€ĸ
â€ĸ
Dev Nath
Dev Nath

Oblivious RAM: How to hide data access access pattern in public cloud storage

Software
1 of 42
+ Oblivious RAM ORAM A Brief Overview Dibyendu Nath, UC Santa Barbara
+ Outline īŽ What’s ORAM ? īŽ Motivation īŽ History īŽ More on ORAM īŽ Goldreich’s ORAM īŽ Ostrovsky’s ORAM īŽ Recent Developments īŽ Conclusion
+ What is ORAM ? īŽ Oblivious Random Access Machine [ORAM] īŽ A machine is oblivious if the sequence in which it accesses memory locations is equivalent for any two inputs with the same running time. īŽ E.g. For a client-server model with outsourced data storage in server, the server cannot gain info about actual memory access pattern from client requests īŽ Main Idea: Memory Access Pattern is hidden from adversary. Caveat: Assume data content is not leaked as it is protected by traditional cryptographic methods (encryption) ServerClient read(i) write(i, d) . . .
+ Outline īŽ What’s ORAM ? īŽ Motivation īŽ History īŽ More on ORAM īŽ Goldreich’s ORAM īŽ Ostrovsky’s ORAM īŽ Recent Developments īŽ Conclusion
+ Motivation īŽ Rise of Cloud Computing īŽ Success of Pay-as-you-Go model for Public Clouds īŽ Affordability, Elasticity, SLA Guarantees ī‚§ Lots of “Big” Data ī‚§ Solution: Outsourced Data Storage ī‚§ Accessible from many devices (desktop, laptop, phone, car, ...). ī‚§ Greater reliability. ī‚§ May be cheaper (economy of scale). īŽ Security Concerns behind outsourcing data to Public Clouds
+ Motivation īŽ Possible Solutions īŽ Duh! Use encryption īŽ Use “trusted” public cloud services īŽ Com’on, Google is “not evil” īŽ Use private cloud infrastructure īŽ Eg. Walmart uses OpenStack īŽ Is there a way to hide how we access our data but still use public cloud infrastructure ? īŽ Answer: ORAM
+ Motivation: Example Attack CloudApp read(i) write(i, d) . . . Genuine Client Request Simulated Client Request from “trusted” Cloud provider Cloud Storage with Encrypted Content
+ Motivation: Goal īŽ “Untrusted” means: īŽ It may not implement Write/Read properly īŽ It will try to learn about data Goal: Securely Outsourcing Data - Store, access, and update data on an untrusted server. M[0]=d1 M[1]=d2 M[2]=d3 â€Ļ â€Ļ M[n]=dn read(i) write(i, d) . . . Client Remote Server [Islam et al, ‘12]
+ Motivation: Solution īŽ An ORAM emulator is an intermediate layer that protects any client (i.e. program). īŽ ORAM will issue operations that deviate from actual client requests. īŽ Correctness: īŽ If server is honest then input/ output behavior is same for client. īŽ Security: īŽ Server cannot distinguish between two clients with same running time.
+ Outline īŽ What’s ORAM ? īŽ Motivation īŽ History īŽ More on ORAM īŽ Goldreich’s ORAM īŽ Ostrovsky’s ORAM īŽ Recent Developments īŽ Conclusion
+ History of ORAM īŽ Pippenger and Fischer showed “oblivious Turing machines” could simulate general Turing machines īŽ Goldreich introduced analogous notion of ORAMs in ’87 and gave first interesting construction īŽ Ostrovsky gave a more efficient construction in ’90 īŽ ... 20 years pass, time sharing systems become “clouds” ... īŽ Then a flurry of papers improving efficiency: ~10 since 2010
+ Outline īŽ What’s ORAM ? īŽ Motivation īŽ History īŽ More on ORAM īŽ Goldreich’s ORAM īŽ Ostrovsky’s ORAM īŽ Recent Developments īŽ Conclusion
+ ORAM Assumptions īŽ Assumption #1: Server does not see data. īŽ Store an encryption key on emulator and re-encrypt on every read/write. īŽ Assumption #2: Server does not see op (read vs write). īŽ Every op is replaced with both a read and a write. īŽ Assumption #3: Server is honest-but-curious. īŽ Store a MAC key on emulator and sign (address, time, data) on each operation. īŽ Not malicious
+ ORAM Security after Simplification īŽ What’s left to protect is the “access pattern” of the program. īŽ Definition: The access pattern generated by a sequence (i1, ..., in) with the ORAM emulator is the random variable (j1, ... , jT) sampled while running with an honest server. īŽ Definition: An ORAM emulator is secure if for every pair of sequences of the same length, their access patterns are indistinguishable.
+ Trivial ORAMs īŽ Example #1: Store everything in ORAM simulator cache and simulate with no calls to server. īŽ Client storage = N. īŽ Example #2: Store memory on server, but scan entire memory on every operation. īŽ Amortized and worst-case communication overhead = N. īŽ Example #3: Assume client accesses each memory slot at most once, and then permute addresses using a PRP. īŽ Essentially optimal, but assumption does not hold in practice.
+ ORAM Lower Bounds īŽ Theorem (GO’90): Any ORAM emulator must perform Ί(t log t) operations to simulate t operations. īŽ Proved via a combinatorial argument. īŽ Theorem (BM’10): Any ORAM emulator must either perform Ί(t log t log log t) operations to simulate t operations or use storage Ί(N2- o(1)) (on the server).
+ ORAM Efficiency Goals īŽ In order to be interesting, an ORAM must simultaneously provide īŽ o(N) client storage īŽ o(N) amortized overhead īŽ Handling of repeated access to addresses. īŽ Desirable features for an “optimal ORAM”: īŽ O(log N) worst-case overhead īŽ O(1) client storage between operations īŽ O(1) client memory usage during operations īŽ “Stateless client”: Allows several clients who share a short key to obliviously access data w/o communicating amongst themselves between queries. Requires op counters.
+ Basic Tools: Shuffling īŽ This means we move data at address i to address Ī€(i). īŽ Proof idea: Use an oblivious sorting algorithm. For each comparison in the sort, read both positions and rewrite them, either swapping the data or not (depending on if Ī€(i) > Ī€(j)). Key Idea: Use sorting networks like Batcher or AKS, where memory accesses are independent of input Claim: Given any permutation Ī€ on {1 , ... , N}, we can permute the data according to Ī€ with a sequence of ops that does not depend on the data or Ī€.
+ Oblivious Sort: Sorting Network īŽ Sorts Fixed number of values using a Fixed Sequence of Comparisons. īŽ Perfect for Oblivious Shuffling īŽ Can be represented as networks of wires and comparator modules īŽ Values (of any ordered type) flow across the wires. E īŽ Each comparator connect two wires Batcher Sorting Network for n = 4 Time Complexity = O(N log2 N)
+ Batcher Sorting Network Algorithm N = 8
+ Outline īŽ What’s ORAM ? īŽ Motivation īŽ History īŽ More on ORAM īŽ Goldreich’s ORAM īŽ Ostrovsky’s ORAM īŽ Recent Developments īŽ Conclusion
+ Goldreich’s “Square Root” ORAM īŽ Scan Cache from the Server īŽ If data is not in server cache, read it from main memory īŽ If data is in server cache, read next dummy slot īŽ Write data into server cache īŽ Reshuffle with new K and flush cache after every C reads. Initialization: Pick PRP key K. Use it to obliviously shuffle N data slots together with C “dummy” slots. Empty cache. N data slots C dummy slots C cache slots Server Storage: N + 2C slots [General Case] Client Storage: O(1)
+ Goldreich’s ORAM : Efficiency Taking C=N1/2 Batcher sort ⇒ extra log N factor in costs Security: Relatively easy to prove. Server sees an oblivious sort and then C unique, random looking read/writes before reinitializing.
+ Can we do Better ?
+ Outline īŽ What’s ORAM ? īŽ Motivation īŽ History īŽ More on ORAM īŽ Goldreich’s ORAM īŽ Ostrovsky’s ORAM īŽ Recent Developments īŽ Conclusion
+ Ostrovsky’s “Hierarchical” ORAM [Ostrovsky ’96] īŽ Aim: Minimize Amortized cost of Random Shuffling in “Square Root” Approach īŽ Store data (including dummies) in Random-Hash Table, rather than Randomly Sorted Array and recurse carefully Main Idea: īŽ Use Hierarchy of Buffers (hash tables) of different sizes īŽ Shuffle buffers with frequency inversely proportional to their sizes Much more complicated technique for hiding repeated access to same slots.
+ Ostrovsky’s “Hierarchical” ORAM Design Server Storage â€ĸ log N “levels” for N items â€ĸ Level i contains 2i buckets â€ĸ Each buckets contains log N slots â€ĸ Each slot contains a ciphertext encrypting data or dummy. level 2 3 4 1 K 2 K3 K4 K 1 â€ĸ Data starts on lowest level into buckets, overflow happens Client Storage PRP key Ki for each level â€ĸ When accessed, data gets moved to level 1 with negligible prob. â€ĸ Eventually, data gets shuffled to lower levels â€ĸ Invariant: ≤ 2i data slots used in level i â€ĸ (i.e. ≤ 1 per bucket on average) = data PRP Keys
+ Ostrovsky’s ORAM: Read/Write Read/Write(addr) * īŽ Scan both top buckets for data īŽ At each lower level, scan exactly one bucket īŽ Until found, scan bucket at F(Ki, addr) on that level īŽ After found, scan a random bucket on that level īŽ Write data into bucket F(K1, addr) on level 1 īŽ Perform a “shuffling procedure” to maintain invariant * Server is blind to ops i.e. every op is replaced with both a read and a write (which might or might not modify the data).
+ Ostrovsky’s ORAM in Action level 2 3 4 1 K 2 K3 K4 K 1 = data PRF Keys Read/Write(blue address): 1. Scan both buckets at level 1 2. Scan bucket F(K2, addr) = 4 in level 2 3. Scan F(K3, addr) = 3 in level 3 (finding data) 4. Scan a random bucket in level 5. Move found data to level 1
+ Shuffling Procedure īŽ We “merge levels” so that each level has ≤ 1 slot per bucket on average īŽ After T operations: īŽ Let D={ max x : 2x divides T } īŽ For i = 1 to D īŽ Pick new PRP key for level i+1 īŽ Shuffle data in levels i and i+1 together into level i+1 using new key īŽ Level i is shuffled after every 2i ops.
+ Shuffling: Oblivious Hashing īŽ 12-step Shuffling process with multiple calls to 2 primitives for merging level i and i+1 into i īŽ Primitives Used: īŽ Scanning: Reading all words in memory array and possibly modifying them īŽ Oblivious in the sense, order of access is predetermined and same content may be written back īŽ 7 Calls īŽ Oblivious Sorting: Sorting memory array by sorting keys using Sorting Network such that sequence of memory accesses are fixed and independent of input. īŽ 4 Calls Example of Sorting Networks: Batchers, AKS
+ Ostrovsky’s ORAM in Action level 2 3 4 1 K 2 K3 K4 K 1 = data PRF Keys 1. Read a Slot
+ Ostrovsky’s ORAM in Action level 2 3 4 1 K 2 K3 K4 K 1 = data PRF Keys 1. Read a Slot 2. Read another Slot īŽ Level 1 shuffled after 2^1 = 2 operations [stops here]
+ Ostrovsky’s ORAM in Action level 2 3 4 1 K 2 K3 K4 K 1 = data PRF Keys 1. Read a Slot 2. Read another Slot īŽ Level 1 shuffled after 2^2 = 2 operations 3. 2 more Reads īŽ Level 1 shuffled after 2^2 = 4 operations īŽ Level 2 shuffled after 2^2 = 4 operations [stops here]
+ Ostrovsky’s ORAM: Security īŽ Security proof is more delicate than the first one. īŽ Key observation: This scheme never uses the value F(Ki, addr) on the same (key, address) twice. īŽ Why? Suppose client touches for the same address twice. īŽ After the first read, data is promoted to level 1. īŽ During the next read: īŽ If it is still on level 1, then we don’t evaluate F at all. īŽ If it is has been moved, a new key must have been chosen for that level since last read due to shuffling. īŽ Using key observation, all reads look like random bucket scans.
+ Ostrovsky’s ORAM: Efficiency
+ Outline īŽ What’s ORAM ? īŽ Motivation īŽ History īŽ More on ORAM īŽ Goldreich’s ORAM īŽ Ostrovsky’s ORAM īŽ Recent Developments īŽ Conclusion
+ Recent Developments īŽ Cuckoo Hashing ORAMs īŽ Replace bucket-lists with more efficient hash table īŽ Path ORAM Protocol īŽ Binary Tree based ORAM Framework with client stash īŽ Each block is mapped to a uniformly random leaf bucket in the tree, īŽ Unstashed blocks are always placed in some bucket along the path to the mapped leaf.
+ Outline īŽ What’s ORAM ? īŽ Motivation īŽ History īŽ More on ORAM īŽ Goldreich’s ORAM īŽ Ostrovsky’s ORAM īŽ Recent Developments īŽ Conclusion
+ Conclusion Main Takeaway īŽ Use sorting networks with PRP keys to simulate oblivious shuffling after a certain number of memory accesses īŽ Rinse and repeat Improvement īŽ Use Hierarchy of Hash table Buffers of different sizes īŽ Shuffle buffers with frequency inversely proportional to their sizes
+ References īŽ Goldreich, Oded, and Rafail Ostrovsky. "Software protection and simulation on oblivious RAMs." Journal of the ACM (JACM) 43.3 (1996): 431-473. īŽ Islam, Mohammad Saiful, Mehmet Kuzu, and Murat Kantarcioglu. "Access Pattern disclosure on Searchable Encryption: Ramification, Attack and Mitigation." NDSS. Vol. 20. 2012. īŽ http://cseweb.ucsd.edu/~cdcash/oram-slides.pdf
+ Thanks :) Any Q?

Recommended

ORAM
ORAMORAM
ORAMAshutosh Satapathy
 
Max flow problem and push relabel algorithem
Max flow problem and push relabel algorithemMax flow problem and push relabel algorithem
Max flow problem and push relabel algorithem8neutron8
 
AI 5 | Local Search
AI 5 | Local SearchAI 5 | Local Search
AI 5 | Local SearchMohammad Imam Hossain
 
RSA & MD5 algorithm
RSA & MD5 algorithmRSA & MD5 algorithm
RSA & MD5 algorithmSiva Rushi
 
Rsa cryptosystem
Rsa cryptosystemRsa cryptosystem
Rsa cryptosystemAbhishek Gautam
 
Locality Sensitive Hashing By Spark
Locality Sensitive Hashing By SparkLocality Sensitive Hashing By Spark
Locality Sensitive Hashing By SparkSpark Summit
 
String Matching with Finite Automata and Knuth Morris Pratt Algorithm
String Matching with Finite Automata and Knuth Morris Pratt AlgorithmString Matching with Finite Automata and Knuth Morris Pratt Algorithm
String Matching with Finite Automata and Knuth Morris Pratt AlgorithmKiran K
 
Parallel searching
Parallel searchingParallel searching
Parallel searchingMd. Mahedi Mahfuj
 

Recommended

ORAM
ORAMORAM
ORAMAshutosh Satapathy
 
Max flow problem and push relabel algorithem
Max flow problem and push relabel algorithemMax flow problem and push relabel algorithem
Max flow problem and push relabel algorithem8neutron8
 
AI 5 | Local Search
AI 5 | Local SearchAI 5 | Local Search
AI 5 | Local SearchMohammad Imam Hossain
 
RSA & MD5 algorithm
RSA & MD5 algorithmRSA & MD5 algorithm
RSA & MD5 algorithmSiva Rushi
 
Rsa cryptosystem
Rsa cryptosystemRsa cryptosystem
Rsa cryptosystemAbhishek Gautam
 
Locality Sensitive Hashing By Spark
Locality Sensitive Hashing By SparkLocality Sensitive Hashing By Spark
Locality Sensitive Hashing By SparkSpark Summit
 
String Matching with Finite Automata and Knuth Morris Pratt Algorithm
String Matching with Finite Automata and Knuth Morris Pratt AlgorithmString Matching with Finite Automata and Knuth Morris Pratt Algorithm
String Matching with Finite Automata and Knuth Morris Pratt AlgorithmKiran K
 
Parallel searching
Parallel searchingParallel searching
Parallel searchingMd. Mahedi Mahfuj
 
Rabin karp string matching algorithm
Rabin karp string matching algorithmRabin karp string matching algorithm
Rabin karp string matching algorithmGajanand Sharma
 
RSA Algorithm report
RSA Algorithm reportRSA Algorithm report
RSA Algorithm reportMohamed Ramadan
 
A Star Search
A Star SearchA Star Search
A Star Searchuniversity of education,Lahore
 
Introduction to Cryptography
Introduction to CryptographyIntroduction to Cryptography
Introduction to CryptographyBharat Kumar Katur
 
assembly language programming organization of IBM PC chapter 9 part-2(decimal...
assembly language programming organization of IBM PC chapter 9 part-2(decimal...assembly language programming organization of IBM PC chapter 9 part-2(decimal...
assembly language programming organization of IBM PC chapter 9 part-2(decimal...Bilal Amjad
 
Little o and little omega
Little o and little omegaLittle o and little omega
Little o and little omegaRajesh K Shukla
 
Activity selection problem
Activity selection problemActivity selection problem
Activity selection problemQAU ISLAMABAD,PAKISTAN
 
Encoding(sc)
Encoding(sc)Encoding(sc)
Encoding(sc)GowriLatha1
 
Rabin Carp String Matching algorithm
Rabin Carp String Matching algorithmRabin Carp String Matching algorithm
Rabin Carp String Matching algorithmsabiya sabiya
 
Ai & expert introduction
Ai & expert introductionAi & expert introduction
Ai & expert introductionRamesh Kumar
 
20191215 rate distortion theory and VAEs
20191215 rate distortion theory and VAEs20191215 rate distortion theory and VAEs
20191215 rate distortion theory and VAEsX 37
 
Homomorphic Encryption
Homomorphic EncryptionHomomorphic Encryption
Homomorphic EncryptionVipin Tejwani
 
Rsa
RsaRsa
RsaNavneet Sharma
 
Pumping lemma
Pumping lemmaPumping lemma
Pumping lemmaGagan Dhawan
 
Introduction to Approximation Algorithms
Introduction to Approximation AlgorithmsIntroduction to Approximation Algorithms
Introduction to Approximation AlgorithmsJhoirene Clemente
 
RSA Algorithm
RSA AlgorithmRSA Algorithm
RSA Algorithmchauhankapil
 
APPLICATION OF GROUPS IN CRYPTOGRAPHY
APPLICATION OF GROUPS IN CRYPTOGRAPHYAPPLICATION OF GROUPS IN CRYPTOGRAPHY
APPLICATION OF GROUPS IN CRYPTOGRAPHYHome
 
Backtracking Algorithm.ppt
Backtracking Algorithm.pptBacktracking Algorithm.ppt
Backtracking Algorithm.pptSalmIbrahimIlyas
 
Computer Security Lecture 7: RSA
Computer Security Lecture 7: RSAComputer Security Lecture 7: RSA
Computer Security Lecture 7: RSAMohamed Loey
 
BackTracking Algorithm: Technique and Examples
BackTracking Algorithm: Technique and ExamplesBackTracking Algorithm: Technique and Examples
BackTracking Algorithm: Technique and ExamplesFahim Ferdous
 
Path oram
Path oramPath oram
Path oramFreeman Zhang
 
From Big Linked Data to Linked Big Data - DBpedia as a framework for data int...
From Big Linked Data to Linked Big Data - DBpedia as a framework for data int...From Big Linked Data to Linked Big Data - DBpedia as a framework for data int...
From Big Linked Data to Linked Big Data - DBpedia as a framework for data int...giuseppe_futia
 

More Related Content

What's hot

Rabin karp string matching algorithm
Rabin karp string matching algorithmRabin karp string matching algorithm
Rabin karp string matching algorithmGajanand Sharma
 
RSA Algorithm report
RSA Algorithm reportRSA Algorithm report
RSA Algorithm reportMohamed Ramadan
 
Introduction to Cryptography
Introduction to CryptographyIntroduction to Cryptography
Introduction to CryptographyBharat Kumar Katur
 
assembly language programming organization of IBM PC chapter 9 part-2(decimal...
assembly language programming organization of IBM PC chapter 9 part-2(decimal...assembly language programming organization of IBM PC chapter 9 part-2(decimal...
assembly language programming organization of IBM PC chapter 9 part-2(decimal...Bilal Amjad
 
Little o and little omega
Little o and little omegaLittle o and little omega
Little o and little omegaRajesh K Shukla
 
Encoding(sc)
Encoding(sc)Encoding(sc)
Encoding(sc)GowriLatha1
 
Rabin Carp String Matching algorithm
Rabin Carp String Matching algorithmRabin Carp String Matching algorithm
Rabin Carp String Matching algorithmsabiya sabiya
 
Ai & expert introduction
Ai & expert introductionAi & expert introduction
Ai & expert introductionRamesh Kumar
 
20191215 rate distortion theory and VAEs
20191215 rate distortion theory and VAEs20191215 rate distortion theory and VAEs
20191215 rate distortion theory and VAEsX 37
 
Homomorphic Encryption
Homomorphic EncryptionHomomorphic Encryption
Homomorphic EncryptionVipin Tejwani
 
Pumping lemma
Pumping lemmaPumping lemma
Pumping lemmaGagan Dhawan
 
Introduction to Approximation Algorithms
Introduction to Approximation AlgorithmsIntroduction to Approximation Algorithms
Introduction to Approximation AlgorithmsJhoirene Clemente
 
RSA Algorithm
RSA AlgorithmRSA Algorithm
RSA Algorithmchauhankapil
 
APPLICATION OF GROUPS IN CRYPTOGRAPHY
APPLICATION OF GROUPS IN CRYPTOGRAPHYAPPLICATION OF GROUPS IN CRYPTOGRAPHY
APPLICATION OF GROUPS IN CRYPTOGRAPHYHome
 
Backtracking Algorithm.ppt
Backtracking Algorithm.pptBacktracking Algorithm.ppt
Backtracking Algorithm.pptSalmIbrahimIlyas
 
Computer Security Lecture 7: RSA
Computer Security Lecture 7: RSAComputer Security Lecture 7: RSA
Computer Security Lecture 7: RSAMohamed Loey
 
BackTracking Algorithm: Technique and Examples
BackTracking Algorithm: Technique and ExamplesBackTracking Algorithm: Technique and Examples
BackTracking Algorithm: Technique and ExamplesFahim Ferdous
 

What's hot (20)

Rabin karp string matching algorithm
Rabin karp string matching algorithmRabin karp string matching algorithm
Rabin karp string matching algorithm
 
RSA Algorithm report
RSA Algorithm reportRSA Algorithm report
RSA Algorithm report
 
A Star Search
A Star SearchA Star Search
A Star Search
 
Introduction to Cryptography
Introduction to CryptographyIntroduction to Cryptography
Introduction to Cryptography
 
assembly language programming organization of IBM PC chapter 9 part-2(decimal...
assembly language programming organization of IBM PC chapter 9 part-2(decimal...assembly language programming organization of IBM PC chapter 9 part-2(decimal...
assembly language programming organization of IBM PC chapter 9 part-2(decimal...
 
Little o and little omega
Little o and little omegaLittle o and little omega
Little o and little omega
 
Activity selection problem
Activity selection problemActivity selection problem
Activity selection problem
 
Encoding(sc)
Encoding(sc)Encoding(sc)
Encoding(sc)
 
Rabin Carp String Matching algorithm
Rabin Carp String Matching algorithmRabin Carp String Matching algorithm
Rabin Carp String Matching algorithm
 
Ai & expert introduction
Ai & expert introductionAi & expert introduction
Ai & expert introduction
 
20191215 rate distortion theory and VAEs
20191215 rate distortion theory and VAEs20191215 rate distortion theory and VAEs
20191215 rate distortion theory and VAEs
 
Homomorphic Encryption
Homomorphic EncryptionHomomorphic Encryption
Homomorphic Encryption
 
Rsa
RsaRsa
Rsa
 
Pumping lemma
Pumping lemmaPumping lemma
Pumping lemma
 
Introduction to Approximation Algorithms
Introduction to Approximation AlgorithmsIntroduction to Approximation Algorithms
Introduction to Approximation Algorithms
 
RSA Algorithm
RSA AlgorithmRSA Algorithm
RSA Algorithm
 
APPLICATION OF GROUPS IN CRYPTOGRAPHY
APPLICATION OF GROUPS IN CRYPTOGRAPHYAPPLICATION OF GROUPS IN CRYPTOGRAPHY
APPLICATION OF GROUPS IN CRYPTOGRAPHY
 
Backtracking Algorithm.ppt
Backtracking Algorithm.pptBacktracking Algorithm.ppt
Backtracking Algorithm.ppt
 
Computer Security Lecture 7: RSA
Computer Security Lecture 7: RSAComputer Security Lecture 7: RSA
Computer Security Lecture 7: RSA
 
BackTracking Algorithm: Technique and Examples
BackTracking Algorithm: Technique and ExamplesBackTracking Algorithm: Technique and Examples
BackTracking Algorithm: Technique and Examples
 

Viewers also liked

From Big Linked Data to Linked Big Data - DBpedia as a framework for data int...
From Big Linked Data to Linked Big Data - DBpedia as a framework for data int...From Big Linked Data to Linked Big Data - DBpedia as a framework for data int...
From Big Linked Data to Linked Big Data - DBpedia as a framework for data int...giuseppe_futia
 
Oram And Secure Computation
Oram And Secure ComputationOram And Secure Computation
Oram And Secure ComputationChong-Kuan Chen
 
Scaling up Linked Data
Scaling up Linked DataScaling up Linked Data
Scaling up Linked DataMarin Dimitrov
 
Bitspend Introduction
Bitspend IntroductionBitspend Introduction
Bitspend Introductionbitcoin
 
Pareto Principle Explained
Pareto Principle ExplainedPareto Principle Explained
Pareto Principle ExplainedEd Simpson
 
Bitcoin (Global Digital Currency)
Bitcoin (Global Digital Currency) Bitcoin (Global Digital Currency)
Bitcoin (Global Digital Currency) Paramkusa K
 
Cissp d5-cryptography v2012-mini coursev2
Cissp d5-cryptography v2012-mini coursev2Cissp d5-cryptography v2012-mini coursev2
Cissp d5-cryptography v2012-mini coursev2infosecedu
 
What is Bitcoin? - A guide for beginners
What is Bitcoin? - A guide for beginnersWhat is Bitcoin? - A guide for beginners
What is Bitcoin? - A guide for beginnersJonathan Waller
 
Bitcoin - the Basics
Bitcoin - the BasicsBitcoin - the Basics
Bitcoin - the BasicsVesa Linja-aho
 
Introduction to bitcoin
Introduction to bitcoinIntroduction to bitcoin
Introduction to bitcoinWolf McNally
 
Bitcoin: The Internet of Money
Bitcoin: The Internet of MoneyBitcoin: The Internet of Money
Bitcoin: The Internet of Moneywinklevosscap
 

Viewers also liked (15)

Path oram
Path oramPath oram
Path oram
 
From Big Linked Data to Linked Big Data - DBpedia as a framework for data int...
From Big Linked Data to Linked Big Data - DBpedia as a framework for data int...From Big Linked Data to Linked Big Data - DBpedia as a framework for data int...
From Big Linked Data to Linked Big Data - DBpedia as a framework for data int...
 
Oram And Secure Computation
Oram And Secure ComputationOram And Secure Computation
Oram And Secure Computation
 
Analyzing Bitcoin Security
Analyzing Bitcoin SecurityAnalyzing Bitcoin Security
Analyzing Bitcoin Security
 
Scaling up Linked Data
Scaling up Linked DataScaling up Linked Data
Scaling up Linked Data
 
Bitspend Introduction
Bitspend IntroductionBitspend Introduction
Bitspend Introduction
 
Bitcoin
BitcoinBitcoin
Bitcoin
 
Pareto Principle Explained
Pareto Principle ExplainedPareto Principle Explained
Pareto Principle Explained
 
Introduction Bitcoin
Introduction BitcoinIntroduction Bitcoin
Introduction Bitcoin
 
Bitcoin (Global Digital Currency)
Bitcoin (Global Digital Currency) Bitcoin (Global Digital Currency)
Bitcoin (Global Digital Currency)
 
Cissp d5-cryptography v2012-mini coursev2
Cissp d5-cryptography v2012-mini coursev2Cissp d5-cryptography v2012-mini coursev2
Cissp d5-cryptography v2012-mini coursev2
 
What is Bitcoin? - A guide for beginners
What is Bitcoin? - A guide for beginnersWhat is Bitcoin? - A guide for beginners
What is Bitcoin? - A guide for beginners
 
Bitcoin - the Basics
Bitcoin - the BasicsBitcoin - the Basics
Bitcoin - the Basics
 
Introduction to bitcoin
Introduction to bitcoinIntroduction to bitcoin
Introduction to bitcoin
 
Bitcoin: The Internet of Money
Bitcoin: The Internet of MoneyBitcoin: The Internet of Money
Bitcoin: The Internet of Money
 

Similar to ORAM: A Brief Overview

Apache Solr as a compressed, scalable, and high performance time series database
Apache Solr as a compressed, scalable, and high performance time series databaseApache Solr as a compressed, scalable, and high performance time series database
Apache Solr as a compressed, scalable, and high performance time series databaseFlorian Lautenschlager
 
HUG_Ireland_Apache_Arrow_Tomer_Shiran
HUG_Ireland_Apache_Arrow_Tomer_Shiran HUG_Ireland_Apache_Arrow_Tomer_Shiran
HUG_Ireland_Apache_Arrow_Tomer_Shiran John Mulhall
 
Practical Malware Analysis Ch13
Practical Malware Analysis Ch13Practical Malware Analysis Ch13
Practical Malware Analysis Ch13Sam Bowne
 
DSJ_Unit I & II.pdf
DSJ_Unit I & II.pdfDSJ_Unit I & II.pdf
DSJ_Unit I & II.pdfArumugam90
 
CNIT 126: 13: Data Encoding
CNIT 126: 13: Data EncodingCNIT 126: 13: Data Encoding
CNIT 126: 13: Data EncodingSam Bowne
 
Spark Summit EU talk by Qifan Pu
Spark Summit EU talk by Qifan PuSpark Summit EU talk by Qifan Pu
Spark Summit EU talk by Qifan PuSpark Summit
 
osdi23_slides_lo_v2.pdf
osdi23_slides_lo_v2.pdfosdi23_slides_lo_v2.pdf
osdi23_slides_lo_v2.pdfgmdvmk
 
CNIT 126 13: Data Encoding
CNIT 126 13: Data EncodingCNIT 126 13: Data Encoding
CNIT 126 13: Data EncodingSam Bowne
 
Data structure and algorithm using java
Data structure and algorithm using javaData structure and algorithm using java
Data structure and algorithm using javaNarayan Sau
 
CS2: A Searchable Cryptographic Cloud Storage System
CS2: A Searchable Cryptographic Cloud Storage SystemCS2: A Searchable Cryptographic Cloud Storage System
CS2: A Searchable Cryptographic Cloud Storage SystemShurenBi1
 
OBSCURE: Information Theoretic Oblivious and Verifiable Aggregation Queries
OBSCURE: Information Theoretic Oblivious and Verifiable Aggregation QueriesOBSCURE: Information Theoretic Oblivious and Verifiable Aggregation Queries
OBSCURE: Information Theoretic Oblivious and Verifiable Aggregation QueriesShantanu Sharma
 
Porting a Streaming Pipeline from Scala to Rust
Porting a Streaming Pipeline from Scala to RustPorting a Streaming Pipeline from Scala to Rust
Porting a Streaming Pipeline from Scala to RustEvan Chan
 
Next-generation sequencing data format and visualization with ngs.plot 2015
Next-generation sequencing data format and visualization with ngs.plot 2015Next-generation sequencing data format and visualization with ngs.plot 2015
Next-generation sequencing data format and visualization with ngs.plot 2015Li Shen
 
Rass presentation
Rass presentationRass presentation
Rass presentationShalini Guha
 
Hs java open_party
Hs java open_partyHs java open_party
Hs java open_partyOpen Party
 
Unit v memory & programmable logic devices
Unit v memory & programmable logic devicesUnit v memory & programmable logic devices
Unit v memory & programmable logic devicesKanmaniRajamanickam
 
OSDC 2016 - Chronix - A fast and efficient time series storage based on Apach...
OSDC 2016 - Chronix - A fast and efficient time series storage based on Apach...OSDC 2016 - Chronix - A fast and efficient time series storage based on Apach...
OSDC 2016 - Chronix - A fast and efficient time series storage based on Apach...NETWAYS
 
A Fast and Efficient Time Series Storage Based on Apache Solr
A Fast and Efficient Time Series Storage Based on Apache SolrA Fast and Efficient Time Series Storage Based on Apache Solr
A Fast and Efficient Time Series Storage Based on Apache SolrQAware GmbH
 
Chronix: A fast and efficient time series storage based on Apache Solr
Chronix: A fast and efficient time series storage based on Apache SolrChronix: A fast and efficient time series storage based on Apache Solr
Chronix: A fast and efficient time series storage based on Apache SolrFlorian Lautenschlager
 
Rust & Apache Arrow @ RMS
Rust & Apache Arrow @ RMSRust & Apache Arrow @ RMS
Rust & Apache Arrow @ RMSAndy Grove
 

Similar to ORAM: A Brief Overview (20)

Apache Solr as a compressed, scalable, and high performance time series database
Apache Solr as a compressed, scalable, and high performance time series databaseApache Solr as a compressed, scalable, and high performance time series database
Apache Solr as a compressed, scalable, and high performance time series database
 
HUG_Ireland_Apache_Arrow_Tomer_Shiran
HUG_Ireland_Apache_Arrow_Tomer_Shiran HUG_Ireland_Apache_Arrow_Tomer_Shiran
HUG_Ireland_Apache_Arrow_Tomer_Shiran
 
Practical Malware Analysis Ch13
Practical Malware Analysis Ch13Practical Malware Analysis Ch13
Practical Malware Analysis Ch13
 
DSJ_Unit I & II.pdf
DSJ_Unit I & II.pdfDSJ_Unit I & II.pdf
DSJ_Unit I & II.pdf
 
CNIT 126: 13: Data Encoding
CNIT 126: 13: Data EncodingCNIT 126: 13: Data Encoding
CNIT 126: 13: Data Encoding
 
Spark Summit EU talk by Qifan Pu
Spark Summit EU talk by Qifan PuSpark Summit EU talk by Qifan Pu
Spark Summit EU talk by Qifan Pu
 
osdi23_slides_lo_v2.pdf
osdi23_slides_lo_v2.pdfosdi23_slides_lo_v2.pdf
osdi23_slides_lo_v2.pdf
 
CNIT 126 13: Data Encoding
CNIT 126 13: Data EncodingCNIT 126 13: Data Encoding
CNIT 126 13: Data Encoding
 
Data structure and algorithm using java
Data structure and algorithm using javaData structure and algorithm using java
Data structure and algorithm using java
 
CS2: A Searchable Cryptographic Cloud Storage System
CS2: A Searchable Cryptographic Cloud Storage SystemCS2: A Searchable Cryptographic Cloud Storage System
CS2: A Searchable Cryptographic Cloud Storage System
 
OBSCURE: Information Theoretic Oblivious and Verifiable Aggregation Queries
OBSCURE: Information Theoretic Oblivious and Verifiable Aggregation QueriesOBSCURE: Information Theoretic Oblivious and Verifiable Aggregation Queries
OBSCURE: Information Theoretic Oblivious and Verifiable Aggregation Queries
 
Porting a Streaming Pipeline from Scala to Rust
Porting a Streaming Pipeline from Scala to RustPorting a Streaming Pipeline from Scala to Rust
Porting a Streaming Pipeline from Scala to Rust
 
Next-generation sequencing data format and visualization with ngs.plot 2015
Next-generation sequencing data format and visualization with ngs.plot 2015Next-generation sequencing data format and visualization with ngs.plot 2015
Next-generation sequencing data format and visualization with ngs.plot 2015
 
Rass presentation
Rass presentationRass presentation
Rass presentation
 
Hs java open_party
Hs java open_partyHs java open_party
Hs java open_party
 
Unit v memory & programmable logic devices
Unit v memory & programmable logic devicesUnit v memory & programmable logic devices
Unit v memory & programmable logic devices
 
OSDC 2016 - Chronix - A fast and efficient time series storage based on Apach...
OSDC 2016 - Chronix - A fast and efficient time series storage based on Apach...OSDC 2016 - Chronix - A fast and efficient time series storage based on Apach...
OSDC 2016 - Chronix - A fast and efficient time series storage based on Apach...
 
A Fast and Efficient Time Series Storage Based on Apache Solr
A Fast and Efficient Time Series Storage Based on Apache SolrA Fast and Efficient Time Series Storage Based on Apache Solr
A Fast and Efficient Time Series Storage Based on Apache Solr
 
Chronix: A fast and efficient time series storage based on Apache Solr
Chronix: A fast and efficient time series storage based on Apache SolrChronix: A fast and efficient time series storage based on Apache Solr
Chronix: A fast and efficient time series storage based on Apache Solr
 
Rust & Apache Arrow @ RMS
Rust & Apache Arrow @ RMSRust & Apache Arrow @ RMS
Rust & Apache Arrow @ RMS
 

Recently uploaded

Professional Resume Template for Software Developers
Professional Resume Template for Software DevelopersProfessional Resume Template for Software Developers
Professional Resume Template for Software DevelopersVinodh Ram
 
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEBATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEOrtus Solutions, Corp
 
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...harshavardhanraghave
 
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...stazi3110
 
Asset Management Software - Infographic
Asset Management Software - InfographicAsset Management Software - Infographic
Asset Management Software - InfographicHr365.us smith
 
Introduction to Decentralized Applications (dApps)
Introduction to Decentralized Applications (dApps)Introduction to Decentralized Applications (dApps)
Introduction to Decentralized Applications (dApps)Intelisync
 
Hand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxHand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxbodapatigopi8531
 
Unit 1.1 Excite Part 1, class 9, cbse...
Unit 1.1 Excite Part 1, class 9, cbse...Unit 1.1 Excite Part 1, class 9, cbse...
Unit 1.1 Excite Part 1, class 9, cbse...aditisharan08
 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comFatema Valibhai
 
EY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityEY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityNeo4j
 
Engage Usergroup 2024 - The Good The Bad_The Ugly
Engage Usergroup 2024 - The Good The Bad_The UglyEngage Usergroup 2024 - The Good The Bad_The Ugly
Engage Usergroup 2024 - The Good The Bad_The UglyFrank van der Linden
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...MyIntelliSource, Inc.
 
5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdfWave PLM
 
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed DataAlluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed DataAlluxio, Inc.
 
Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...OnePlan Solutions
 
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...Christina Lin
 
chapter--4-software-project-planning.ppt
chapter--4-software-project-planning.pptchapter--4-software-project-planning.ppt
chapter--4-software-project-planning.pptkotipi9215
 
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdfThe Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdfkalichargn70th171
 

Recently uploaded (20)

Professional Resume Template for Software Developers
Professional Resume Template for Software DevelopersProfessional Resume Template for Software Developers
Professional Resume Template for Software Developers
 
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEBATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
 
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
 
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
 
Asset Management Software - Infographic
Asset Management Software - InfographicAsset Management Software - Infographic
Asset Management Software - Infographic
 
Introduction to Decentralized Applications (dApps)
Introduction to Decentralized Applications (dApps)Introduction to Decentralized Applications (dApps)
Introduction to Decentralized Applications (dApps)
 
Hand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxHand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptx
 
Unit 1.1 Excite Part 1, class 9, cbse...
Unit 1.1 Excite Part 1, class 9, cbse...Unit 1.1 Excite Part 1, class 9, cbse...
Unit 1.1 Excite Part 1, class 9, cbse...
 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.com
 
EY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityEY_Graph Database Powered Sustainability
EY_Graph Database Powered Sustainability
 
Exploring iOS App Development: Simplifying the Process
Exploring iOS App Development: Simplifying the ProcessExploring iOS App Development: Simplifying the Process
Exploring iOS App Development: Simplifying the Process
 
Engage Usergroup 2024 - The Good The Bad_The Ugly
Engage Usergroup 2024 - The Good The Bad_The UglyEngage Usergroup 2024 - The Good The Bad_The Ugly
Engage Usergroup 2024 - The Good The Bad_The Ugly
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
 
5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf
 
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed DataAlluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
 
Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...
 
Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi đŸĢĻ HOT AND SEXY VVIP 🍎 SE...
Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi đŸĢĻ HOT AND SEXY VVIP 🍎 SE...Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi đŸĢĻ HOT AND SEXY VVIP 🍎 SE...
Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi đŸĢĻ HOT AND SEXY VVIP 🍎 SE...
 
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
 
chapter--4-software-project-planning.ppt
chapter--4-software-project-planning.pptchapter--4-software-project-planning.ppt
chapter--4-software-project-planning.ppt
 
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdfThe Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
 

ORAM: A Brief Overview

  • 1. + Oblivious RAM ORAM A Brief Overview Dibyendu Nath, UC Santa Barbara
  • 2. + Outline īŽ What’s ORAM ? īŽ Motivation īŽ History īŽ More on ORAM īŽ Goldreich’s ORAM īŽ Ostrovsky’s ORAM īŽ Recent Developments īŽ Conclusion
  • 3. + What is ORAM ? īŽ Oblivious Random Access Machine [ORAM] īŽ A machine is oblivious if the sequence in which it accesses memory locations is equivalent for any two inputs with the same running time. īŽ E.g. For a client-server model with outsourced data storage in server, the server cannot gain info about actual memory access pattern from client requests īŽ Main Idea: Memory Access Pattern is hidden from adversary. Caveat: Assume data content is not leaked as it is protected by traditional cryptographic methods (encryption) ServerClient read(i) write(i, d) . . .
  • 4. + Outline īŽ What’s ORAM ? īŽ Motivation īŽ History īŽ More on ORAM īŽ Goldreich’s ORAM īŽ Ostrovsky’s ORAM īŽ Recent Developments īŽ Conclusion
  • 5. + Motivation īŽ Rise of Cloud Computing īŽ Success of Pay-as-you-Go model for Public Clouds īŽ Affordability, Elasticity, SLA Guarantees ī‚§ Lots of “Big” Data ī‚§ Solution: Outsourced Data Storage ī‚§ Accessible from many devices (desktop, laptop, phone, car, ...). ī‚§ Greater reliability. ī‚§ May be cheaper (economy of scale). īŽ Security Concerns behind outsourcing data to Public Clouds
  • 6. + Motivation īŽ Possible Solutions īŽ Duh! Use encryption īŽ Use “trusted” public cloud services īŽ Com’on, Google is “not evil” īŽ Use private cloud infrastructure īŽ Eg. Walmart uses OpenStack īŽ Is there a way to hide how we access our data but still use public cloud infrastructure ? īŽ Answer: ORAM
  • 7. + Motivation: Example Attack CloudApp read(i) write(i, d) . . . Genuine Client Request Simulated Client Request from “trusted” Cloud provider Cloud Storage with Encrypted Content
  • 8. + Motivation: Goal īŽ “Untrusted” means: īŽ It may not implement Write/Read properly īŽ It will try to learn about data Goal: Securely Outsourcing Data - Store, access, and update data on an untrusted server. M[0]=d1 M[1]=d2 M[2]=d3 â€Ļ â€Ļ M[n]=dn read(i) write(i, d) . . . Client Remote Server [Islam et al, ‘12]
  • 9. + Motivation: Solution īŽ An ORAM emulator is an intermediate layer that protects any client (i.e. program). īŽ ORAM will issue operations that deviate from actual client requests. īŽ Correctness: īŽ If server is honest then input/ output behavior is same for client. īŽ Security: īŽ Server cannot distinguish between two clients with same running time.
  • 10. + Outline īŽ What’s ORAM ? īŽ Motivation īŽ History īŽ More on ORAM īŽ Goldreich’s ORAM īŽ Ostrovsky’s ORAM īŽ Recent Developments īŽ Conclusion
  • 11. + History of ORAM īŽ Pippenger and Fischer showed “oblivious Turing machines” could simulate general Turing machines īŽ Goldreich introduced analogous notion of ORAMs in ’87 and gave first interesting construction īŽ Ostrovsky gave a more efficient construction in ’90 īŽ ... 20 years pass, time sharing systems become “clouds” ... īŽ Then a flurry of papers improving efficiency: ~10 since 2010
  • 12. + Outline īŽ What’s ORAM ? īŽ Motivation īŽ History īŽ More on ORAM īŽ Goldreich’s ORAM īŽ Ostrovsky’s ORAM īŽ Recent Developments īŽ Conclusion
  • 13. + ORAM Assumptions īŽ Assumption #1: Server does not see data. īŽ Store an encryption key on emulator and re-encrypt on every read/write. īŽ Assumption #2: Server does not see op (read vs write). īŽ Every op is replaced with both a read and a write. īŽ Assumption #3: Server is honest-but-curious. īŽ Store a MAC key on emulator and sign (address, time, data) on each operation. īŽ Not malicious
  • 14. + ORAM Security after Simplification īŽ What’s left to protect is the “access pattern” of the program. īŽ Definition: The access pattern generated by a sequence (i1, ..., in) with the ORAM emulator is the random variable (j1, ... , jT) sampled while running with an honest server. īŽ Definition: An ORAM emulator is secure if for every pair of sequences of the same length, their access patterns are indistinguishable.
  • 15. + Trivial ORAMs īŽ Example #1: Store everything in ORAM simulator cache and simulate with no calls to server. īŽ Client storage = N. īŽ Example #2: Store memory on server, but scan entire memory on every operation. īŽ Amortized and worst-case communication overhead = N. īŽ Example #3: Assume client accesses each memory slot at most once, and then permute addresses using a PRP. īŽ Essentially optimal, but assumption does not hold in practice.
  • 16. + ORAM Lower Bounds īŽ Theorem (GO’90): Any ORAM emulator must perform Ί(t log t) operations to simulate t operations. īŽ Proved via a combinatorial argument. īŽ Theorem (BM’10): Any ORAM emulator must either perform Ί(t log t log log t) operations to simulate t operations or use storage Ί(N2- o(1)) (on the server).
  • 17. + ORAM Efficiency Goals īŽ In order to be interesting, an ORAM must simultaneously provide īŽ o(N) client storage īŽ o(N) amortized overhead īŽ Handling of repeated access to addresses. īŽ Desirable features for an “optimal ORAM”: īŽ O(log N) worst-case overhead īŽ O(1) client storage between operations īŽ O(1) client memory usage during operations īŽ “Stateless client”: Allows several clients who share a short key to obliviously access data w/o communicating amongst themselves between queries. Requires op counters.
  • 18. + Basic Tools: Shuffling īŽ This means we move data at address i to address Ī€(i). īŽ Proof idea: Use an oblivious sorting algorithm. For each comparison in the sort, read both positions and rewrite them, either swapping the data or not (depending on if Ī€(i) > Ī€(j)). Key Idea: Use sorting networks like Batcher or AKS, where memory accesses are independent of input Claim: Given any permutation Ī€ on {1 , ... , N}, we can permute the data according to Ī€ with a sequence of ops that does not depend on the data or Ī€.
  • 19. + Oblivious Sort: Sorting Network īŽ Sorts Fixed number of values using a Fixed Sequence of Comparisons. īŽ Perfect for Oblivious Shuffling īŽ Can be represented as networks of wires and comparator modules īŽ Values (of any ordered type) flow across the wires. E īŽ Each comparator connect two wires Batcher Sorting Network for n = 4 Time Complexity = O(N log2 N)
  • 21. + Outline īŽ What’s ORAM ? īŽ Motivation īŽ History īŽ More on ORAM īŽ Goldreich’s ORAM īŽ Ostrovsky’s ORAM īŽ Recent Developments īŽ Conclusion
  • 22. + Goldreich’s “Square Root” ORAM īŽ Scan Cache from the Server īŽ If data is not in server cache, read it from main memory īŽ If data is in server cache, read next dummy slot īŽ Write data into server cache īŽ Reshuffle with new K and flush cache after every C reads. Initialization: Pick PRP key K. Use it to obliviously shuffle N data slots together with C “dummy” slots. Empty cache. N data slots C dummy slots C cache slots Server Storage: N + 2C slots [General Case] Client Storage: O(1)
  • 23. + Goldreich’s ORAM : Efficiency Taking C=N1/2 Batcher sort ⇒ extra log N factor in costs Security: Relatively easy to prove. Server sees an oblivious sort and then C unique, random looking read/writes before reinitializing.
  • 24. + Can we do Better ?
  • 25. + Outline īŽ What’s ORAM ? īŽ Motivation īŽ History īŽ More on ORAM īŽ Goldreich’s ORAM īŽ Ostrovsky’s ORAM īŽ Recent Developments īŽ Conclusion
  • 26. + Ostrovsky’s “Hierarchical” ORAM [Ostrovsky ’96] īŽ Aim: Minimize Amortized cost of Random Shuffling in “Square Root” Approach īŽ Store data (including dummies) in Random-Hash Table, rather than Randomly Sorted Array and recurse carefully Main Idea: īŽ Use Hierarchy of Buffers (hash tables) of different sizes īŽ Shuffle buffers with frequency inversely proportional to their sizes Much more complicated technique for hiding repeated access to same slots.
  • 27. + Ostrovsky’s “Hierarchical” ORAM Design Server Storage â€ĸ log N “levels” for N items â€ĸ Level i contains 2i buckets â€ĸ Each buckets contains log N slots â€ĸ Each slot contains a ciphertext encrypting data or dummy. level 2 3 4 1 K 2 K3 K4 K 1 â€ĸ Data starts on lowest level into buckets, overflow happens Client Storage PRP key Ki for each level â€ĸ When accessed, data gets moved to level 1 with negligible prob. â€ĸ Eventually, data gets shuffled to lower levels â€ĸ Invariant: ≤ 2i data slots used in level i â€ĸ (i.e. ≤ 1 per bucket on average) = data PRP Keys
  • 28. + Ostrovsky’s ORAM: Read/Write Read/Write(addr) * īŽ Scan both top buckets for data īŽ At each lower level, scan exactly one bucket īŽ Until found, scan bucket at F(Ki, addr) on that level īŽ After found, scan a random bucket on that level īŽ Write data into bucket F(K1, addr) on level 1 īŽ Perform a “shuffling procedure” to maintain invariant * Server is blind to ops i.e. every op is replaced with both a read and a write (which might or might not modify the data).
  • 29. + Ostrovsky’s ORAM in Action level 2 3 4 1 K 2 K3 K4 K 1 = data PRF Keys Read/Write(blue address): 1. Scan both buckets at level 1 2. Scan bucket F(K2, addr) = 4 in level 2 3. Scan F(K3, addr) = 3 in level 3 (finding data) 4. Scan a random bucket in level 5. Move found data to level 1
  • 30. + Shuffling Procedure īŽ We “merge levels” so that each level has ≤ 1 slot per bucket on average īŽ After T operations: īŽ Let D={ max x : 2x divides T } īŽ For i = 1 to D īŽ Pick new PRP key for level i+1 īŽ Shuffle data in levels i and i+1 together into level i+1 using new key īŽ Level i is shuffled after every 2i ops.
  • 31. + Shuffling: Oblivious Hashing īŽ 12-step Shuffling process with multiple calls to 2 primitives for merging level i and i+1 into i īŽ Primitives Used: īŽ Scanning: Reading all words in memory array and possibly modifying them īŽ Oblivious in the sense, order of access is predetermined and same content may be written back īŽ 7 Calls īŽ Oblivious Sorting: Sorting memory array by sorting keys using Sorting Network such that sequence of memory accesses are fixed and independent of input. īŽ 4 Calls Example of Sorting Networks: Batchers, AKS
  • 32. + Ostrovsky’s ORAM in Action level 2 3 4 1 K 2 K3 K4 K 1 = data PRF Keys 1. Read a Slot
  • 33. + Ostrovsky’s ORAM in Action level 2 3 4 1 K 2 K3 K4 K 1 = data PRF Keys 1. Read a Slot 2. Read another Slot īŽ Level 1 shuffled after 2^1 = 2 operations [stops here]
  • 34. + Ostrovsky’s ORAM in Action level 2 3 4 1 K 2 K3 K4 K 1 = data PRF Keys 1. Read a Slot 2. Read another Slot īŽ Level 1 shuffled after 2^2 = 2 operations 3. 2 more Reads īŽ Level 1 shuffled after 2^2 = 4 operations īŽ Level 2 shuffled after 2^2 = 4 operations [stops here]
  • 35. + Ostrovsky’s ORAM: Security īŽ Security proof is more delicate than the first one. īŽ Key observation: This scheme never uses the value F(Ki, addr) on the same (key, address) twice. īŽ Why? Suppose client touches for the same address twice. īŽ After the first read, data is promoted to level 1. īŽ During the next read: īŽ If it is still on level 1, then we don’t evaluate F at all. īŽ If it is has been moved, a new key must have been chosen for that level since last read due to shuffling. īŽ Using key observation, all reads look like random bucket scans.
  • 37. + Outline īŽ What’s ORAM ? īŽ Motivation īŽ History īŽ More on ORAM īŽ Goldreich’s ORAM īŽ Ostrovsky’s ORAM īŽ Recent Developments īŽ Conclusion
  • 38. + Recent Developments īŽ Cuckoo Hashing ORAMs īŽ Replace bucket-lists with more efficient hash table īŽ Path ORAM Protocol īŽ Binary Tree based ORAM Framework with client stash īŽ Each block is mapped to a uniformly random leaf bucket in the tree, īŽ Unstashed blocks are always placed in some bucket along the path to the mapped leaf.
  • 39. + Outline īŽ What’s ORAM ? īŽ Motivation īŽ History īŽ More on ORAM īŽ Goldreich’s ORAM īŽ Ostrovsky’s ORAM īŽ Recent Developments īŽ Conclusion
  • 40. + Conclusion Main Takeaway īŽ Use sorting networks with PRP keys to simulate oblivious shuffling after a certain number of memory accesses īŽ Rinse and repeat Improvement īŽ Use Hierarchy of Hash table Buffers of different sizes īŽ Shuffle buffers with frequency inversely proportional to their sizes
  • 41. + References īŽ Goldreich, Oded, and Rafail Ostrovsky. "Software protection and simulation on oblivious RAMs." Journal of the ACM (JACM) 43.3 (1996): 431-473. īŽ Islam, Mohammad Saiful, Mehmet Kuzu, and Murat Kantarcioglu. "Access Pattern disclosure on Searchable Encryption: Ramification, Attack and Mitigation." NDSS. Vol. 20. 2012. īŽ http://cseweb.ucsd.edu/~cdcash/oram-slides.pdf

Editor's Notes

  1. Assuming data is randomly put into buckets, overflow happens with negligible prob.