RevisitingSquareRootORAMEfficientRandomAccessinMulti-PartyComputation

SameeZahurJackDoernerDavidEvans

XiaoWangJonathanKatz

MarianaRaykova Adrià Gascón

oblivc.org/sqoram

Securemulti-partycomputationapplications

Setintersection[FNP04]

Linearridge-regression[NWIJBT13]

Mediancomputation[AMP04]

Iriscodematching[LCPLB12]

Matrixfactorizationforrecommendations

[NIWJTB13]

RandomAccess

Hidingaccesspattern

Linearscan

AccesseveryelementPer-accesscost:Θ 𝑛

ObliviousRAM

ContinuallyshuffleelementsaroundPer-accesscost:Θ(log'𝑛)

Figurefrom:Wang,Chan,Shi.CircuitOram.CCS’15

Linearscan

6

(our work)

Approach:revisitoldschemes

Classic“squareroot”schemebyGoldreich andOstrovsky (1996).

ConsideredslowforMPCbecauseofper-accesshashevaluation.

Per-accessamortizedcost:Θ 𝑛� log𝑛

Four-elementORAM LargerSizes

4-BlockORAM

Cost:5𝐵 +𝐵+2𝐵+3𝐵 +…=11𝐵 every3accesses

Comparison

Linearscan

Cost:4𝐵 =12𝐵/3

Ourscheme

Cost:11𝐵/3

Four-elementORAM LargerSizes

Positionmap

3 0 2 1

0 1 2 3

1 3 0 2

0 1 2 3

Creatingpositionmap

Creatingpositionmap

Inversepermutation

𝜋C

𝑝

𝜋C ⋅ 𝑝𝜋F = 𝜋C ⋅ 𝑝

Inversepermutation

𝜋CBobcomputes𝜋FLM = 𝑝LM ⋅ 𝜋CLM

𝜋C

𝜋FLM ⋅ 𝜋C= 𝑝LM ⋅ 𝜋CLM ⋅ 𝜋C= 𝑝LM

𝜋F = 𝜋C ⋅ 𝑝

𝜋F

Rinseandrepeat

1. Shuffleelements2. Recreatepositionmap3. Service𝑇 = 𝑛 log𝑛� accesses

Accesstime

Initializationcost

Benchmarks

Task Parameters Linearscan CircuitORAM

Square-rootORAM

Binarysearch 210 searches215 elements 1020s 5041s 825s

Breadth-firstsearch

210 vertices213 edges 4570s 3750s 680s

Stablematching 29 pairs - 189000s 119000sscrypt hashing N =214 ≈7days 2850s 1920s

Conclusion

Werevisitedawell-knownschemeanduseditto• Lowerinitializationcost• Improvebreakevenpoint

Showsthatasymptoticcostsarenotthefinalword,concretecostsrequiremoreconsideration.

Download

oblivc.org/sqoram

Contactforhelp:SameeZahur <samee@virginia.edu>