revisiting square root oram - ieee-security.org · benchmarks task parameters linear scan circuit...
TRANSCRIPT
RevisitingSquareRootORAMEfficientRandomAccessinMulti-PartyComputation
SameeZahurJackDoernerDavidEvans
XiaoWangJonathanKatz
MarianaRaykova Adrià Gascón
oblivc.org/sqoram
Securemulti-partycomputationapplications
Setintersection[FNP04]
Linearridge-regression[NWIJBT13]
Mediancomputation[AMP04]
Iriscodematching[LCPLB12]
Matrixfactorizationforrecommendations
[NIWJTB13]
RandomAccess
Hidingaccesspattern
Linearscan
AccesseveryelementPer-accesscost:Θ 𝑛
ObliviousRAM
ContinuallyshuffleelementsaroundPer-accesscost:Θ(log'𝑛)
Figurefrom:Wang,Chan,Shi.CircuitOram.CCS’15
Linearscan
6
(our work)
Approach:revisitoldschemes
Classic“squareroot”schemebyGoldreich andOstrovsky (1996).
ConsideredslowforMPCbecauseofper-accesshashevaluation.
Per-accessamortizedcost:Θ 𝑛� log𝑛
Four-elementORAM LargerSizes
4-BlockORAM
Cost:5𝐵 +𝐵+2𝐵+3𝐵 +…=11𝐵 every3accesses
Comparison
Linearscan
Cost:4𝐵 =12𝐵/3
Ourscheme
Cost:11𝐵/3
Four-elementORAM LargerSizes
Positionmap
3 0 2 1
0 1 2 3
1 3 0 2
0 1 2 3
Creatingpositionmap
Creatingpositionmap
Inversepermutation
𝜋C
𝑝
𝜋C ⋅ 𝑝𝜋F = 𝜋C ⋅ 𝑝
Inversepermutation
𝜋CBobcomputes𝜋FLM = 𝑝LM ⋅ 𝜋CLM
𝜋C
𝜋FLM ⋅ 𝜋C= 𝑝LM ⋅ 𝜋CLM ⋅ 𝜋C= 𝑝LM
𝜋F = 𝜋C ⋅ 𝑝
𝜋F
Rinseandrepeat
1. Shuffleelements2. Recreatepositionmap3. Service𝑇 = 𝑛 log𝑛� accesses
Accesstime
Initializationcost
Benchmarks
Task Parameters Linearscan CircuitORAM
Square-rootORAM
Binarysearch 210 searches215 elements 1020s 5041s 825s
Breadth-firstsearch
210 vertices213 edges 4570s 3750s 680s
Stablematching 29 pairs - 189000s 119000sscrypt hashing N =214 ≈7days 2850s 1920s
Conclusion
Werevisitedawell-knownschemeanduseditto• Lowerinitializationcost• Improvebreakevenpoint
Showsthatasymptoticcostsarenotthefinalword,concretecostsrequiremoreconsideration.