Gilad Asharov, Ilan Komargodski, Wei-Kai Lin, Kartik Nayak, Enoch Peserico, Elaine Shi
{"title":"OptORAMa:最佳遗忘内存","authors":"Gilad Asharov, Ilan Komargodski, Wei-Kai Lin, Kartik Nayak, Enoch Peserico, Elaine Shi","doi":"https://dl.acm.org/doi/10.1145/3566049","DOIUrl":null,"url":null,"abstract":"<p>Oblivious RAM (ORAM), first introduced in the ground-breaking work of Goldreich and Ostrovsky (STOC ’87 and J. ACM ’96) is a technique for provably obfuscating programs’ access patterns, such that the access patterns leak no information about the programs’ secret inputs. To compile a general program to an oblivious counterpart, it is well-known that Ω (log <i>N</i>) amortized blowup in memory accesses is necessary, where <i>N</i> is the size of the logical memory. This was shown in Goldreich and Ostrovksy’s original ORAM work for statistical security and in a somewhat restricted model (the so-called <i>balls-and-bins</i> model), and recently by Larsen and Nielsen (CRYPTO ’18) for computational security.</p><p>A long-standing open question is whether there exists an <i>optimal</i> ORAM construction that matches the aforementioned logarithmic lower bounds (without making large memory word assumptions, and assuming a constant number of CPU registers). In this article, we resolve this problem and present the first secure ORAM with <i>O</i>(log <i>N</i>) amortized blowup, assuming one-way functions. Our result is inspired by and non-trivially improves on the recent beautiful work of Patel et al. (FOCS ’18) who gave a construction with <i>O</i>(log <i>N</i>⋅ log log <i>N</i>) amortized blowup, assuming one-way functions. </p><p>One of our building blocks of independent interest is a linear-time deterministic oblivious algorithm for tight compaction: Given an array of <i>n</i> elements where some elements are marked, we permute the elements in the array so that all marked elements end up in the front of the array. Our <i>O</i>(<i>n</i>) algorithm improves the previously best-known deterministic or randomized algorithms whose running time is <i>O</i>(<i>n</i> ⋅ log <i>n</i>) or <i>O</i>(<i>n</i> ⋅ log log <i>n</i>), respectively.</p>","PeriodicalId":50022,"journal":{"name":"Journal of the ACM","volume":"22 4","pages":""},"PeriodicalIF":2.3000,"publicationDate":"2022-12-19","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":"{\"title\":\"OptORAMa: Optimal Oblivious RAM\",\"authors\":\"Gilad Asharov, Ilan Komargodski, Wei-Kai Lin, Kartik Nayak, Enoch Peserico, Elaine Shi\",\"doi\":\"https://dl.acm.org/doi/10.1145/3566049\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"<p>Oblivious RAM (ORAM), first introduced in the ground-breaking work of Goldreich and Ostrovsky (STOC ’87 and J. ACM ’96) is a technique for provably obfuscating programs’ access patterns, such that the access patterns leak no information about the programs’ secret inputs. To compile a general program to an oblivious counterpart, it is well-known that Ω (log <i>N</i>) amortized blowup in memory accesses is necessary, where <i>N</i> is the size of the logical memory. This was shown in Goldreich and Ostrovksy’s original ORAM work for statistical security and in a somewhat restricted model (the so-called <i>balls-and-bins</i> model), and recently by Larsen and Nielsen (CRYPTO ’18) for computational security.</p><p>A long-standing open question is whether there exists an <i>optimal</i> ORAM construction that matches the aforementioned logarithmic lower bounds (without making large memory word assumptions, and assuming a constant number of CPU registers). In this article, we resolve this problem and present the first secure ORAM with <i>O</i>(log <i>N</i>) amortized blowup, assuming one-way functions. Our result is inspired by and non-trivially improves on the recent beautiful work of Patel et al. (FOCS ’18) who gave a construction with <i>O</i>(log <i>N</i>⋅ log log <i>N</i>) amortized blowup, assuming one-way functions. </p><p>One of our building blocks of independent interest is a linear-time deterministic oblivious algorithm for tight compaction: Given an array of <i>n</i> elements where some elements are marked, we permute the elements in the array so that all marked elements end up in the front of the array. Our <i>O</i>(<i>n</i>) algorithm improves the previously best-known deterministic or randomized algorithms whose running time is <i>O</i>(<i>n</i> ⋅ log <i>n</i>) or <i>O</i>(<i>n</i> ⋅ log log <i>n</i>), respectively.</p>\",\"PeriodicalId\":50022,\"journal\":{\"name\":\"Journal of the ACM\",\"volume\":\"22 4\",\"pages\":\"\"},\"PeriodicalIF\":2.3000,\"publicationDate\":\"2022-12-19\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"0\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"Journal of the ACM\",\"FirstCategoryId\":\"94\",\"ListUrlMain\":\"https://doi.org/https://dl.acm.org/doi/10.1145/3566049\",\"RegionNum\":2,\"RegionCategory\":\"计算机科学\",\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"Q2\",\"JCRName\":\"COMPUTER SCIENCE, HARDWARE & ARCHITECTURE\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"Journal of the ACM","FirstCategoryId":"94","ListUrlMain":"https://doi.org/https://dl.acm.org/doi/10.1145/3566049","RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q2","JCRName":"COMPUTER SCIENCE, HARDWARE & ARCHITECTURE","Score":null,"Total":0}
Oblivious RAM (ORAM), first introduced in the ground-breaking work of Goldreich and Ostrovsky (STOC ’87 and J. ACM ’96) is a technique for provably obfuscating programs’ access patterns, such that the access patterns leak no information about the programs’ secret inputs. To compile a general program to an oblivious counterpart, it is well-known that Ω (log N) amortized blowup in memory accesses is necessary, where N is the size of the logical memory. This was shown in Goldreich and Ostrovksy’s original ORAM work for statistical security and in a somewhat restricted model (the so-called balls-and-bins model), and recently by Larsen and Nielsen (CRYPTO ’18) for computational security.
A long-standing open question is whether there exists an optimal ORAM construction that matches the aforementioned logarithmic lower bounds (without making large memory word assumptions, and assuming a constant number of CPU registers). In this article, we resolve this problem and present the first secure ORAM with O(log N) amortized blowup, assuming one-way functions. Our result is inspired by and non-trivially improves on the recent beautiful work of Patel et al. (FOCS ’18) who gave a construction with O(log N⋅ log log N) amortized blowup, assuming one-way functions.
One of our building blocks of independent interest is a linear-time deterministic oblivious algorithm for tight compaction: Given an array of n elements where some elements are marked, we permute the elements in the array so that all marked elements end up in the front of the array. Our O(n) algorithm improves the previously best-known deterministic or randomized algorithms whose running time is O(n ⋅ log n) or O(n ⋅ log log n), respectively.
期刊介绍:
The best indicator of the scope of the journal is provided by the areas covered by its Editorial Board. These areas change from time to time, as the field evolves. The following areas are currently covered by a member of the Editorial Board: Algorithms and Combinatorial Optimization; Algorithms and Data Structures; Algorithms, Combinatorial Optimization, and Games; Artificial Intelligence; Complexity Theory; Computational Biology; Computational Geometry; Computer Graphics and Computer Vision; Computer-Aided Verification; Cryptography and Security; Cyber-Physical, Embedded, and Real-Time Systems; Database Systems and Theory; Distributed Computing; Economics and Computation; Information Theory; Logic and Computation; Logic, Algorithms, and Complexity; Machine Learning and Computational Learning Theory; Networking; Parallel Computing and Architecture; Programming Languages; Quantum Computing; Randomized Algorithms and Probabilistic Analysis of Algorithms; Scientific Computing and High Performance Computing; Software Engineering; Web Algorithms and Data Mining