Oblivious RAM (ORAM): Difference between revisions
(Created page with "<noinclude> Category:Primitives Category:Unconditional Category:Minicrypt Oblivious RAM (ORAM) was first introduced by [GO96]. It is a primitive that provides a generic compilation of any random-access memory (RAM) program to one which hides the accesses pattern of the underlying RAM. '''Note:''' Oblivious RAM schemes can provide statistical or unconditional security against adveraries who only know which array indices are accessed. H...") |
(→Syntax) |
||
(One intermediate revision by the same user not shown) | |||
Line 19: | Line 19: | ||
* <math>\mathsf{Out}: \mathcal{B}_2^* \times \mathsf{KSp}\times \mathsf{Ops}_1 \times \mathsf{StSp} \times \to (\mathcal{B}_1 \cup \{\bot\}) \times \mathsf{WrOps}_2^* \times \mathsf{StSp}</math> is a deterministic algorithm for the final output of the ORAM operation processing, which takes as input a key, a virtual operation, and a state, and outputs a virtual block (or <math>\bot</math>), zero or more write operations, and an updated state. | * <math>\mathsf{Out}: \mathcal{B}_2^* \times \mathsf{KSp}\times \mathsf{Ops}_1 \times \mathsf{StSp} \times \to (\mathcal{B}_1 \cup \{\bot\}) \times \mathsf{WrOps}_2^* \times \mathsf{StSp}</math> is a deterministic algorithm for the final output of the ORAM operation processing, which takes as input a key, a virtual operation, and a state, and outputs a virtual block (or <math>\bot</math>), zero or more write operations, and an updated state. | ||
The above functions describe the processing of the Oblivious RAM query. They are used in the following way to process a query at index <math>i</math>, for a physical array <math>M_2</math>: | |||
<center><math> | |||
\begin{array}{l} \underline{\mathsf{Access}(k,\mathsf{op},\mathsf{st})} \\ | |||
d_r \gets \bot\\ | |||
\text{For } i=1,\ldots,r:\\ | |||
\quad \mathsf{rds} \gets \mathsf{rds} \cup \mathsf{Access}_i(d_r,k,\mathsf{op},\mathsf{st})\\ | |||
\quad d_r \gets M_2[\mathsf{rds}]\\ | |||
\text{Return } \mathsf{rds} | |||
\end{array} | |||
</math></center> | |||
=== Correctness === | |||
=== Security === | === Security === | ||
Line 26: | Line 37: | ||
TODO | TODO | ||
</math></center> | </math></center> | ||
== Impossibilities == | == Impossibilities == |
Latest revision as of 02:19, 25 July 2024
Oblivious RAM (ORAM) was first introduced by [GO96]. It is a primitive that provides a generic compilation of any random-access memory (RAM) program to one which hides the accesses pattern of the underlying RAM.
Note: Oblivious RAM schemes can provide statistical or unconditional security against adveraries who only know which array indices are accessed. However, in practice one almost always needs to deploy ORAM together with standard symmetric encryption.
Formal Definition
Throughout, we use the following notation. All oblivious RAM schemes are defined with respect to a key space , state space , virtual array size and blocks , and physical array size and blocks . We additionally assume and .
Furthermore, we define the sets . These are the allowed opertations for the virtual array () and the physical array ().
Syntax
An -round Oblivious RAM (ORAM) is a tuple of efficient functions such that:
- , is a randomized algorithm that takes a security parameter, and outputs a key ,
- , is a deterministic algorithm for the th round fo the ORAM's operation that takes as input a key, a virtual operation, and a state, and outputs zero or more physical read operations. (for
- is a deterministic algorithm for the final output of the ORAM operation processing, which takes as input a key, a virtual operation, and a state, and outputs a virtual block (or ), zero or more write operations, and an updated state.
The above functions describe the processing of the Oblivious RAM query. They are used in the following way to process a query at index , for a physical array :
Correctness
Security
An ORAM is secure if for all efficient , there exists a negligible function , such that
Impossibilities
- It is known that any Oblivious RAM over an array of elements must incur amortized overhead blow-up. Due to [GO96] and [LN18].
- It is known that any one-round balls-in-bins ORAM must have overhead or storage. Due to [CDH20]