Recursive Trees for Practical ORAM

  • 1 Dept. of Computer Science, Colorado State University, Fort Collins, CO, and IMT, Telecom Bretagne, France
  • 2 Airbus Group Innovations, 81663 Munich, Germany
  • 3 College of Computer and Information Science, Northeastern University, Boston, MA


We present a new, general data structure that reduces the communication cost of recent tree-based ORAMs. Contrary to ORAM trees with constant height and path lengths, our new construction r-ORAM allows for trees with varying shorter path length. Accessing an element in the ORAM tree results in different communication costs depending on the location of the element. The main idea behind r-ORAM is a recursive ORAM tree structure, where nodes in the tree are roots of other trees. While this approach results in a worst-case access cost (tree height) at most as any recent tree-based ORAM, we show that the average cost saving is around 35% for recent binary tree ORAMs. Besides reducing communication cost, r-ORAM also reduces storage overhead on the server by 4% to 20% depending on the ORAM’s client memory type. To prove r-ORAM’s soundness, we conduct a detailed overflow analysis. r-ORAM’s recursive approach is general in that it can be applied to all recent tree ORAMs, both constant and poly-log client memory ORAMs. Finally, we implement and benchmark r-ORAM in a practical setting to back up our theoretical claims.

If the inline PDF is not rendering correctly, you can download the PDF file here.

  • [1] D. Boneh, D. Mazières, and R.A. Popa. Remote oblivious storage: Making oblivious RAM practical, 2011.

  • [2] K. Brown. Balls in bins with limited capacity, 2014.

  • [3] G. Casella and R.L. Berger. Statistical inference. Duxbury advanced series in statistics and decision sciences. Thomson Learning, 2002. ISBN 9780534243128.

  • [4] K.-M. Chung and R. Pass. A Simple ORAM. IACR Cryptology ePrint Archive, 2013:243, 2013.

  • [5] I. Damgård, S. Meldgaard, and J.B. Nielsen. Perfectly Secure Oblivious RAM without Random Oracles. In Proceedings of Theory of Cryptography Conference –TCC, pages 144–163, Providence, USA, March 2011.

  • [6] Srinivas Devadas, Marten van Dijk, Christopher W. Fletcher, and Ling Ren. Onion ORAM: A constant bandwidth and constant client storage ORAM (without FHE or SWHE). IACR Cryptology ePrint Archive, 2015:5, 2015.

  • [7] Christopher W. Fletcher, Ling Ren, Albert Kwon, Marten van Dijk, Emil Stefanov, and Srinivas Devadas. RAW Path ORAM: A Low-Latency, Low-Area Hardware ORAM Controller with Integrity Verification. IACR Cryptology ePrint Archive, 2014:431, 2014.

  • [8] Craig Gentry, Kenny A. Goldman, Shai Halevi, Charanjit S. Jutla, Mariana Raykova, and Daniel Wichs. Optimizing ORAM and Using It Efficiently for Secure Computation. In Proceedings of Privacy Enhancing Technologies, pages 1–18, 2013.

  • [9] O. Goldreich. Towards a Theory of Software Protection and Simulation by Oblivious RAMs. In Proceedings of the 19th Annual ACM Symposium on Theory of Computing –STOC, pages 182–194, New York, USA, 1987.

  • [10] Oded Goldreich and Rafail Ostrovsky. Software protection and simulation on oblivious rams. J. ACM, 43(3):431–473, May 1996. ISSN 0004-5411. 10.1145/233551.233553. URL

  • [11] M.T. Goodrich and M. Mitzenmacher. Privacy-preserving access of outsourced data via oblivious ram simulation. In Proceedings of Automata, Languages and Programming –ICALP, pages 576–587, Zurick, Switzerland, 2011.

  • [12] M.T. Goodrich, M. Mitzenmacher, Olga Ohrimenko, and Roberto Tamassia. Oblivious ram simulation with efficient worst-case access overhead. In Proceedings of the 3rd ACM Cloud Computing Security Workshop –CCSW, pages 95–100, Chicago, USA, 2011.

  • [13] M.T. Goodrich, M. Mitzenmacher, O. Ohrimenko, and R. Tamassia. Privacy-preserving group data access via stateless oblivious RAM simulation. In Proceedings of the Symposium on Discrete Algorithms –SODA, pages 157–167, Kyoto, Japan, 2012.

  • [14] Google. A new approach to China, 2010.

  • [15] D. Gross. 50 million compromised in Evernote hack, 2013.

  • [16] J Hsu and P Burke. Behavior of tandem buffers with geometric input and markovian output. Communications, IEEE Transactions on, 24(3):358–361, 1976.

  • [17] L. Kleinrock. Theory, Volume 1, Queueing Systems. Wiley-Interscience, 1975. ISBN 0471491101.

  • [18] E. Kushilevitz, S. Lu, and R. Ostrovsky. On the (in)security of hash-based oblivious ram and a new balancing scheme. In Proceedings of the Symposium on Discrete Algorithms–SODA, pages 143–156, Kyoto, Japan, 2012.

  • [19] Eyal Kushilevitz and Rafail Ostrovsky. Replication is not needed: Single database, computationally-private information retrieval. In Proceedings of Foundations of Computer Science –FOCS, pages 364–373, Miami Beach, USA, 1997.

  • [20] T. Mayberry, E.-O. Blass, and A.H. Chan. Path-pir: Lower worst-case bounds by combining oram and pir. In Proceedings of the Network and Distributed System Security Symposium, San Diego, USA, 2014.

  • [21] T. Moataz, T. Mayberry, E.-O. Blass, and A.H. Chan. Resizable Tree-Based Oblivious RAM. In Proceedings of Financial Cryptography and Data Security, Puerto Rico, USA, 2015.

  • [22] R. Ostrovsky. Efficient computation on oblivious rams. In Proceedings of the Symposium on Theory of Computing–STOC, pages 514–523, Baltimore, USA, 1990.

  • [23] R. Ostrovsky and V. Shoup. Private information storage (extended abstract). In Proceedings of the Symposium on Theory of Computing –STOC, pages 294–303, El Paso, USA, 1997.

  • [24] PASMAC. r-ORAM source code, 2015.

  • [25] B. Pinkas and T. Reinman. Oblivious ram revisited. In Advances in Cryptology – CRYPTO, pages 502–519, Santa Barbara, USA, 2010.

  • [26] Ling Ren, Christopher W. Fletcher, Albert Kwon, Emil Stefanov, Elaine Shi, Marten van Dijk, and Srinivas Devadas. Ring ORAM: closing the gap between small and large client storage oblivious RAM. IACR Cryptology ePrint Archive, 2014:997, 2014.

  • [27] E. Shi, T.-H.H. Chan, E. Stefanov, and M. Li. Oblivious RAM with O(log3(N)) Worst-Case Cost. In Proceedings of Advances in Cryptology – ASIACRYPT, pages 197–214, Seoul, South Korea, 2011. ISBN 978-3-642-25384-3.

  • [28] E. Stefanov, E. Shi, and D.X. Song. Towards practical oblivious ram. In Proceedings of the Network and Distributed System Security Symposium, San Diego, USA, 2012. The Internet Society.

  • [29] Emil Stefanov, Marten van Dijk, Elaine Shi, Christopher W. Fletcher, Ling Ren, Xiangyao Yu, and Srinivas Devadas. Path ORAM: an extremely simple oblivious RAM protocol. In ACM Conference on Computer and Communications Security, pages 299–310, 2013.

  • [30] Techcrunch. Google Confirms That It Fired Engineer For Breaking Internal Privacy Policies, 2010.

  • [31] P. Williams and R. Sion. Usable pir. In Proceedings of the Network and Distributed System Security Symposium, San Diego, USA, 2008.

  • [32] P. Williams, R. Sion, and B. Carbunar. Building castles out of mud: practical access pattern privacy and correctness on untrusted storage. In ACM Conference on Computer and Communications Security, pages 139–148, Alexandra, USA, 2008.


Journal + Issues