Akiva Gordon and Krishna Suraj Mentor: Ling Ren · 2015-05-18 · Akiva Gordon and Krishna Suraj...
Improving Oblivious RAM Protocol through Novel Eviction and Access Strategies
Akiva Gordon and Krishna Suraj Mentor: Ling Ren
Overview
1. Background
   a. Definition of ORAM
   b. Previous ORAMs
2. Path ORAM II (Ring)
3. Future Directions
   a. Onion ORAM
   b. Optimization and Improvement
What is an ORAM?
● Oblivious Random Access Memory
● Trusted client, untrusted server
Desired Specifications:
● All accesses must be hidden
● Ideally a usable product with reasonable runtimes
Why is access pattern important?
● Information can be gained from data access pattern
  o frequently accessed files are considered more important
  o financial data, medical information
Background
[Figure: blocks a b c d e f, shown twice; label "Encryption:"]
Goldreich 1987 ORAM
[Figure: Server and Client storage holding blocks a, b, c, d, e, f and x, y, z]
Problems with Goldreich Approach
● It’s still very inefficient - complexity O(√N)
● Shuffling is also inefficient
● With large amounts of data, it’s virtually unusable
Path ORAM Overview
Path ORAM: Access Stash
Path ORAM: Eviction Stash
Path ORAM: Overall
● Much more efficient: O(log N)
● Still can be improved...
Path ORAM II: Ring ORAM
Ring ORAM: Overview
● Improvement on Path ORAM
● Improves by:
  o Decreasing bandwidth
  o Improving eviction quality
Ring ORAM: Buckets
● Use Goldreich Approach:
[Figure: a Path ORAM bucket beside a Ring ORAM bucket; slots labelled D]
Ring ORAM: Access Stash
[Figure: buckets with slots labelled D]
Ring ORAM: Eviction
Two Changes from Path ORAM:
● Only evict every A-th access
● Evict along a more efficient path
Optimized Eviction Paths
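
The two eviction changes above, as an added example (not the authors' code): an eviction fires on every A-th access, and the path is chosen by bit-reversing a public counter, the reverse-lexicographic order used in the published Ring ORAM design rather than stated on the slide. The names `A`, `L`, `eviction_schedule` and `shared_buckets` are assumptions made for this sketch.

```python
# Added illustration of Ring ORAM eviction scheduling; all names are assumptions.
# The schedule depends only on a public counter, never on which block was
# requested, so the server learns nothing from the choice of eviction path.

def reverse_bits(g: int, L: int) -> int:
    """Leaf label obtained by reversing the L low-order bits of g."""
    out = 0
    for _ in range(L):
        out = (out << 1) | (g & 1)
        g >>= 1
    return out

def eviction_schedule(num_accesses: int, A: int, L: int):
    """Return [(access_number, leaf)] for every eviction that fires."""
    schedule = []
    g = 0  # public eviction counter
    for t in range(1, num_accesses + 1):
        if t % A == 0:  # only evict every A-th access
            schedule.append((t, reverse_bits(g % (1 << L), L)))
            g += 1
    return schedule

def shared_buckets(leaf_a: int, leaf_b: int, L: int) -> int:
    """Buckets common to two root-to-leaf paths in a tree with 2**L leaves."""
    shared = 1  # the root is on every path
    for level in range(L - 1, -1, -1):
        if (leaf_a >> level) != (leaf_b >> level):
            break
        shared += 1
    return shared

def max_overlap(leaves, L: int) -> int:
    """Largest overlap between consecutive eviction paths in an ordering."""
    return max(shared_buckets(a, b, L) for a, b in zip(leaves, leaves[1:]))

if __name__ == "__main__":
    L = 3
    order = [reverse_bits(g, L) for g in range(1 << L)]
    print("reverse-lexicographic order:", order)
    print("max overlap, bit-reversed:", max_overlap(order, L))
    print("max overlap, sequential  :", max_overlap(list(range(1 << L)), L))
```

Consecutive bit-reversed paths share only the root, so each eviction touches buckets the previous one did not, while sequential leaf order keeps rewriting the same subtree.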
Our Ring ORAM Results
Z-value: 5
ORAM size: 127
Ring ORAM speed: 0.021916
Final Stash Size: 4
Table of Efficiencies

ORAM Protocol        Bandwidth Efficiency
Naive Linear Scan    O(N)
Goldreich (1987)     O(√N)
Path (2013)          O(lg N) (~8 lg N)
Ring (2014)          O(lg N) (~3 lg N)
?????                O(1)
FUTURE WORK
Onion ORAM
Onion ORAM Details
● Breaks log N bound
● Server computation
Onion ORAM: Overview
● Server computes on encrypted data
● How?
  o Additive Homomorphic Encryption
  o Guaranteed progress of blocks
Onion ORAM protocol
[Figure labels: E(0 1 0 0 0 0); Data!]
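
The encrypted select vector E(0 1 0 0 0 0), as an added example (not the authors' code): the client encrypts a one-hot vector, the server combines it with its blocks homomorphically, and only the client can decrypt the selected block. It uses toy Paillier (the s = 1 case of Damgård-Jurik) with constructed, insecurely small primes, and the server's blocks are plain integers here for simplicity; all function names are assumptions.

```python
import math
import random

# Toy Paillier parameters: constructed and far too small for real use.
P, Q = 1009, 1013
N = P * Q
N2 = N * N
LAM = math.lcm(P - 1, Q - 1)   # private key
MU = pow(LAM, -1, N)           # valid because the generator is N + 1

def encrypt(m: int) -> int:
    """Probabilistic encryption: E(m) = (1 + m*N) * r^N mod N^2."""
    while True:
        r = random.randrange(2, N)
        if math.gcd(r, N) == 1:
            break
    return (1 + m * N) % N2 * pow(r, N, N2) % N2

def decrypt(c: int) -> int:
    u = pow(c, LAM, N2)
    return (u - 1) // N * MU % N

def client_query(index: int, num_blocks: int):
    """Encrypted one-hot vector; every entry looks random to the server."""
    return [encrypt(1 if i == index else 0) for i in range(num_blocks)]

def server_select(query, blocks) -> int:
    """Server side: prod E(s_i)^(block_i) = E(sum s_i * block_i).
    The server touches every block and never sees the index."""
    acc = 1
    for c, b in zip(query, blocks):
        acc = acc * pow(c, b, N2) % N2
    return acc

def fetch(index: int, blocks) -> int:
    """Full round trip: query, homomorphic select, client-side decrypt."""
    return decrypt(server_select(client_query(index, len(blocks)), blocks))

if __name__ == "__main__":
    blocks = [11, 22, 33, 44, 55, 66]   # constructed sample data, each < N
    print(fetch(1, blocks))
```

The server does one modular exponentiation per block on every request, which is where the server computation cost of this approach comes from.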
Onion ORAM layers
● Many layers of encryption
● Bounding layers is key
● Eviction - move all blocks to leaf
Onion ORAM efficiency
● Bandwidth cost: Constant order - O(b)
● Server Computation: O(B λ log N)
● Very Costly!
Optimizations and Improvements
● Onion ORAM multi-eviction
● Skipping layers in eviction phase
● NTRU vs Damgård-Jurik
Acknowledgements
• Our mentor, Ling Ren, for his continuous help and guidance throughout the course of our research
• Professor Srini Devadas for his suggestion of our project and his assistance with our presentation
• Ethan Zou and Nathan Wolfe for Path ORAM code
• Everyone at MIT PRIMES for the opportunity to conduct world-class research
• Our parents for their support throughout the entire research process
Table of Efficiencies

ORAM Protocol        Bandwidth Efficiency
Naive Linear Scan    O(N)
Goldreich (1987)     O(√N)
Path (2013)          O(lg N) (~8 lg N)
Ring (2014)          O(lg N) (~3 lg N)
Onion (2015)         O(1) constant