Revisiting Square Root ORAM - DIMACSdimacs.rutgers.edu/Workshops/RAM/Slides/zahur.pdfBenchmarks Task...

Revisiting Square Root ORAM Efficient Random Access in Multi-Party Computation

Samee ZahurJack DoernerDavid Evans

Xiao WangJonathan Katz

Mariana Raykova Adrià Gascón

oblivc.org/sqoram

Secure multi-party computation applications

Set intersection [FNP04]

Linear ridge-regression [NWIJBT13]

Median computation [AMP04]

Iris code matching [LCPLB12]

Matrix factorization for recommendations

[NIWJTB13]

Random Access

Hiding access pattern

Linear scan

Access every element

Per-access cost: Θ 𝑛

Oblivious RAM

Continually shuffle elements around

Per-access cost: Θ(log𝑝 𝑛)

Figure from: Wang, Chan, Shi. Circuit Oram. CCS’15

Linear scan

(our work)

Approach: revisit old schemes

Classic “square root” scheme by Goldreich and Ostrovsky (1996).

Considered slow for MPC because of per-access hash evaluation.

Per-access amortized cost: Θ 𝑛 log 𝑛

Four-element ORAM Larger Sizes

4-Block ORAM

Cost: 5𝐵 + 𝐵 +2𝐵 +3𝐵 + …

= 11𝐵 every 3 accesses

Comparison

Linear scan

Cost: 4𝐵 = 12𝐵/3

Our scheme

Cost: 11𝐵/3

Four-element ORAM Larger Sizes

Position map

3 0 2 1

0 1 2 3

1 3 0 2

0 1 2 3

Keeping position map updated

Position map

Keeping position map updated

Position map

Rinse and repeat

1. Shuffle elements

2. Recreate position map

3. Service 𝑇 = 𝑛 log 𝑛 accesses

Creating position map

Inverse permutation

𝜋𝐴

𝜋𝐴 ⋅ 𝑝𝜋𝐵 = 𝜋𝐴 ⋅ 𝑝

Inverse permutation

𝜋𝐴

Bob computes𝜋𝐵

−1 = 𝑝−1 ⋅ 𝜋𝐴−1

𝜋𝐴

𝜋𝐵−1 ⋅ 𝜋𝐴

= 𝑝−1 ⋅ 𝜋𝐴−1 ⋅ 𝜋𝐴

= 𝑝−1

𝜋𝐵 = 𝜋𝐴 ⋅ 𝑝

𝜋𝐵

Rinse and repeat

1. Shuffle elements

2. Recreate position map

3. Service 𝑇 = 𝑛 log 𝑛 accesses

at Θ 𝑛 log 𝑛

Access time

Initialization cost

Benchmarks

Task Parameters Linear scanCircuit ORAM

Square-root ORAM

Binary search210 searches215 elements 1020 s 5041 s 825 s

Breadth-firstsearch

210 vertices213 edges 4570 s 3750 s 680 s

Stable matching 29 pairs - 189000 s 119000 s

scrypt hashing N = 214 ≈ 7 days 2850 s 1920 s

Conclusion

We revisited a well-known scheme and used it to

• Lower initialization cost

• Improve breakeven point

Shows that asymptotic costs are not the final word, concrete costs require more consideration.

Download

oblivc.org/sqoram

Contact for help:Samee Zahur <samee@virginia.edu>

Revisiting Square Root ORAM - DIMACSdimacs.rutgers.edu/Workshops/RAM/Slides/zahur.pdfBenchmarks Task...

Documents

Transcript of Revisiting Square Root ORAM - DIMACSdimacs.rutgers.edu/Workshops/RAM/Slides/zahur.pdfBenchmarks Task...

Square Root of 2

Algebra1 Square-Root Functions

ALLIGATION AND MIXTURE (P -1) Gr8AmbitionZ · PDF fileSQUARE ROOT AND CUBE ROOT GENERAL QUESTIONS:- Gr8AmbitionZ. SQUARE ROOT AND CUBE ROOT Gr8AmbitionZ. SQUARE ROOT AND CUBE ROOT

Square Root SAM -

Square Root Formula - ddjudge.com

Vocabulary perfect square square root radical sign.

A better write-only oblivious RAM - United States Naval ... · 1 “Square Root” ORAM (Goldreich & Ostrovsky ’96) 2 Path ORAM (Stefanov, Shi et al ’12) 3 Write-Only ORAM (Blass,

Radical (Square Roots) Algebra I. What is a radical? An expression that uses a root, such as square root, cube root.

Graphing Square Root Functionsw

8.1 Square Roots and the Pythagorean Theorem. Square Root.

Simplifying Square Root Expressions

6.5 - Graphing Square Root and Cube Root Functions.

Square Root of Operator

Improving Goldschmidt Division, Square Root and Square - HAL

Revisiting Square Root ORAM - ieee-security.org · Benchmarks Task Parameters Linear scan Circuit ORAM Square-root ORAM Binary search 210 searches 215 elements 1020 s 5041 s 825 s

SQUARE-SQUARE ROOT AND CUBE-CUBE ROOT - NCERT · PDF fileSQUARE-SQUARE ROOT AND CUBE-CUBE ROOT (A) ... Think and Discuss 1. ... Write a pythagorean triplet whose smallest number is

Graphing Square Root and Cube Root Functions Section 7.5.

Square Root SAM

Students will be able to estimate a square root, simplify a square root, and add and multiply square roots.

Square & Sq. Root