Oblivious RAM (ORAM)
Oblivious RAM (ORAM) was first introduced by [GO96]. It is a primitive that provides a generic compilation of any random-access memory (RAM) program to one which hides the accesses pattern of the underlying RAM.
Note: Oblivious RAM schemes can provide statistical or unconditional security against adveraries who only know which array indices are accessed. However, in practice one almost always needs to deploy ORAM together with standard symmetric encryption.
Formal Definition
Throughout, we use the following notation. All oblivious RAM schemes are defined with respect to a key space , state space , virtual array size and blocks , and physical array size and blocks . We additionally assume and .
Furthermore, we define the sets . These are the allowed opertations for the virtual array () and the physical array ().
Syntax
An -round Oblivious RAM (ORAM) is a tuple of efficient functions such that:
- , is a randomized algorithm that takes a security parameter, and outputs a key ,
- , is a deterministic algorithm for the th round fo the ORAM's operation that takes as input a key, a virtual operation, and a state, and outputs zero or more physical read operations. (for
- is a deterministic algorithm for the final output of the ORAM operation processing, which takes as input a key, a virtual operation, and a state, and outputs a virtual block (or ), zero or more write operations, and an updated state.
TODO typical use of the above functions
Security
An ORAM is secure if for all efficient , there exists a negligible function , such that
Impossibilities
- It is known that any Oblivious RAM over an array of elements must incur amortized overhead blow-up. Due to [GO96] and [LN18].
- It is known that any one-round balls-in-bins ORAM must have overhead or storage. Due to [CDH20]