Oblivious RAM (ORAM): Difference between revisions

Oblivious RAM (ORAM) was first introduced by [GO96]. It is a primitive that provides a generic compilation of any random-access memory (RAM) program to one which hides the accesses pattern of the underlying RAM.

Note: Oblivious RAM schemes can provide statistical or unconditional security against adveraries who only know which array indices are accessed. However, in practice one almost always needs to deploy ORAM together with standard symmetric encryption.

Formal Definition

Throughout, we use the following notation. All oblivious RAM schemes are defined with respect to a key space ${\displaystyle {\mathsf {KSp}}}$, state space ${\displaystyle {\mathsf {StSp}}}$, virtual array size ${\displaystyle N_{1}}$ and blocks ${\displaystyle {\mathcal {B}}_{1}}$, and physical array size ${\displaystyle N_{2}}$ and blocks ${\displaystyle {\mathcal {B}}_{2}}$. We additionally assume ${\displaystyle \bot \in {\mathsf {StSp}}}$ and ${\displaystyle \bot \not \in {\mathcal {B}}_{1}}$.

Furthermore, we define the sets ${\displaystyle {\mathsf {RdOps}}_{j}=[N_{j}],{\mathsf {WrOps}}_{j}=[N_{j}]\times {\mathcal {B}}_{j},{\text{ and }}{\mathsf {Ops}}_{j}={\mathsf {RdOps}}_{j}\cup {\mathsf {WrOps}}_{j}}$. These are the allowed opertations for the virtual array (${\displaystyle j=1}$) and the physical array (${\displaystyle j=2}$).

Syntax

An ${\displaystyle r}$-round Oblivious RAM (ORAM) is a tuple of efficient functions ${\displaystyle ({\mathsf {Gen}},{\mathsf {Access}}_{1},\ldots ,{\mathsf {Access}}_{r},{\mathsf {Out}})}$ such that:

• ${\displaystyle {\mathsf {Gen}}(1^{\lambda })\to k}$, is a randomized algorithm that takes a security parameter, and outputs a key ${\displaystyle k\in {\mathsf {KSp}}}$,
• ${\displaystyle {\mathsf {Access}}_{i}:{\mathcal {B}}_{2}^{*}\times {\mathsf {KSp}}\times {\mathsf {Ops}}_{1}\times {\mathsf {StSp}}\times \to {\mathsf {RdOps}}_{2}^{*}}$, is a deterministic algorithm for the ${\displaystyle i}$th round fo the ORAM's operation that takes as input a key, a virtual operation, and a state, and outputs zero or more physical read operations. (for ${\displaystyle i=1,\ldots ,r)}$
• ${\displaystyle {\mathsf {Out}}:{\mathcal {B}}_{2}^{*}\times {\mathsf {KSp}}\times {\mathsf {Ops}}_{1}\times {\mathsf {StSp}}\times \to ({\mathcal {B}}_{1}\cup \{\bot \})\times {\mathsf {WrOps}}_{2}^{*}\times {\mathsf {StSp}}}$ is a deterministic algorithm for the final output of the ORAM operation processing, which takes as input a key, a virtual operation, and a state, and outputs a virtual block (or ${\displaystyle \bot }$), zero or more write operations, and an updated state.

The above functions describe the processing of the Oblivious RAM query. They are used in the following way to process a query at index ${\displaystyle i}$:

Correctness

Security

An ORAM is secure if for all efficient ${\displaystyle D}$, there exists a negligible function ${\displaystyle \nu }$, such that

${\displaystyle TODO}$

Impossibilities

• It is known that any Oblivious RAM over an array of ${\displaystyle n}$ elements must incur ${\displaystyle \Omega (\log n)}$ amortized overhead blow-up. Due to [GO96] and [LN18].
• It is known that any one-round balls-in-bins ORAM must have ${\displaystyle \Omega ({\sqrt {n}})}$ overhead or storage. Due to [CDH20]

Variations

• Oblivious Parallel RAM (OPRAM)
• Oblivious Single-Access Machines (OSAM)