Differentially Private Oblivious RAM

Open access

Abstract

In this work, we investigate if statistical privacy can enhance the performance of ORAM mechanisms while providing rigorous privacy guarantees. We propose a formal and rigorous framework for developing ORAM protocols with statistical security viz., a differentially private ORAM (DP-ORAM). We present Root ORAM, a family of DP-ORAMs that provide a tunable, multi-dimensional trade-off between the desired bandwidth overhead, local storage and system security.

We theoretically analyze Root ORAM to quantify both its security and performance. We experimentally demonstrate the benefits of Root ORAM and find that (1) Root ORAM can reduce local storage overhead by about 2× for a reasonable values of privacy budget, significantly enhancing performance in memory limited platforms such as trusted execution environments, and (2) Root ORAM allows tunable trade-offs between bandwidth, storage, and privacy, reducing bandwidth overheads by up to 2×-10× (at the cost of increased storage/statistical privacy), enabling significant reductions in ORAM access latencies for cloud environments. We also analyze the privacy guarantees of DP-ORAMs through the lens of information theoretic metrics of Shannon entropy and Min-entropy [16]. Finally, Root ORAM is ideally suited for applications which have a similar access pattern, and we showcase its utility via the application of Private Information Retrieval.

If the inline PDF is not rendering correctly, you can download the PDF file here.

  • [1] Apple Differential Privacy Technical Overview. https://images.apple.com/privacy/docs/Differential_Privacy_Overview.pdf.

  • [2] Apple is using Differential Privacy to help discover the usage patterns of a large number of users without compromising individual privacy. https://discussions.apple.com/thread/7664417?start=0&tstart=0. Published: 2016-06-13.

  • [3] The Challenge of Scientific Reproducibility and Privacy Protection for Statistical Agencies. https://www2.census.gov/cac/sac/meetings/2016-09/2016-abowd.pdf.

  • [4] US Census Data Release. http://reports.opendataenterprise.org/2016opendataroundtables.pdf. Published: Summer 2016.

  • [5] Why the Census Bureau Adopted Differential Privacy for the 2020 Census of Population. https://privacytools.seas.harvard.edu/why-census-bureau-adopted-differential-privacy-2020-census-population.

  • [6] IBM systems cryptographic hardware products. http://www-03.ibm.com/security/cryptocards/ 2016.

  • [7] Michael Backes Aniket Kate Matteo Maffei and Kim Pecina. Obliviad: Provably secure and practical online behavioral advertising. In IEEE Symposium on Security and Privacy (S&P) 2012.

  • [8] Sumeet Bajaj and Radu Sion. Trusteddb: a trusted hardware based database with privacy and data confidentiality. In ACM SIGMOD International Conference on Management of Data 2011.

  • [9] Mihir Bellare Shafi Goldwasser Carsten Lund and Alexander Russell. Efficient probabilistically checkable proofs and applications to approximations. In ACM Symposium on Theory of Computing (STOC) 1993.

  • [10] Benjamin Benjamin Fuller Mayank Varia Arkady Yerukhimovich Emily Shen Ariel Hamlin Vijay Gadepally Richard Shay John Darby Mitchell and Robert K. Cunningham. Sok: Cryptographically protected database search. In IEEE Symposium on Security and Privacy (S&P) 2017.

  • [11] Vincent Bindschaedler Muhammad Naveed Xiaorui Pan XiaoFeng Wang and Yan Huang. Practicing oblivious access on cloud storage: The gap the fallacy and the new way forward. In ACM Conference on Computer and Communications Security (CCS) 2015.

  • [12] Dan Boneh David Mazieres and Raluca Ada Popa. Remote oblivious storage: Making oblivious RAM practical. 2011.

  • [13] TH Hubert Chan Kai-Min Chung Bruce Maggs and Elaine Shi. Foundations of differentially oblivious algorithms. https://eprint.iacr.org/2017/1033.pdf 2018.

  • [14] Binyi Chen Huijia Lin and Stefano Tessaro. Oblivious parallel ram: improved efficiency and generic constructions. In Theory of Cryptography Conference (TCC) 2016.

  • [15] Benny Chor Eyal Kushilevitz Oded Goldreich and Madhu Sudan. Private information retrieval. J. ACM 45(6) 1998.

  • [16] Paul Cuff and Lanqing Yu. Differential privacy as a mutual information constraint. In ACM Conference on Computer and Communications Security (CCS) 2016.

  • [17] Jonathan L Dautrich Jr and Chinya V Ravishankar. Compromising privacy in precise query protocols. In International Conference on Extending Database Technology 2013.

  • [18] Srinivas Devadas Marten van Dijk Christopher W Fletcher Ling Ren Elaine Shi and Daniel Wichs. Onion ORAM: A constant bandwidth blowup oblivious ram. In Theory of Cryptography Conference (TCC) 2016.

  • [19] Jack Doerner and Abhi Shelat. Scaling oram for secure computation. In ACM Conference on Computer and Communications Security (CCS) 2017.

  • [20] Cynthia Dwork. Differential privacy. In Automata Languages and Programming. Springer 2006.

  • [21] Cynthia Dwork Krishnaram Kenthapadi Frank McSherry Ilya Mironov and Moni Naor. Our data ourselves: Privacy via distributed noise generation. In Advances in Cryptology—EUROCRYPT. 2006.

  • [22] Shi Elaine Chan T-H Hubert Stefanov Emil and Li Mingfei. Oblivious ram with o((log n)3) worst-case cost. In Advances in Cryptology—ASIACRYPT 2011.

  • [23] Úlfar Erlingsson Vasyl Pihur and Aleksandra Korolova. Rappor: Randomized aggregatable privacy-preserving ordinal response. In ACM Conference on Computer and Communications Security (CCS) 2014.

  • [24] Christopher W Fletcher Marten van Dijk and Srinivas Devadas. A secure processor architecture for encrypted computation on untrusted programs. In ACM Workshop on Scalable Trusted Computing 2012.

  • [25] Craig Gentry Kenny A Goldman Shai Halevi Charanjit Julta Mariana Raykova and Daniel Wichs. Optimizing ORAM and using it efficiently for secure computation. In Privacy Enhancing Technologies Symposium (PETS) 2013.

  • [26] Oded Goldreich. Towards a theory of software protection and simulation by oblivious rams. In ACM Symposium on Theory of Computing (STOC) 1987.

  • [27] Oded Goldreich and Rafail Ostrovsky. Software protection and simulation on oblivious RAMs. Journal of the ACM (JACM) 43(3) 1996.

  • [28] Michael T. Goodrich and Michael Mitzenmacher. Privacypreserving access of outsourced data via oblivious RAM simulation. In ICALP (2) 2011.

  • [29] Michael T. Goodrich Michael Mitzenmacher Olga Ohrimenko and Roberto Tamassia. Privacy-preserving group data access via stateless oblivious RAM simulation. In ACMSIAM Symposium on Discrete Algorithms 2012.

  • [30] Xi He Ashwin Machanavajjhala Cheryl Flynn and Divesh Srivastava. Composing differential privacy and secure computation: A case study on scaling private record linkage. In ACM Conference on Computer and Communications Security (CCS) 2017.

  • [31] Ryan Henry Femi Olumofin and Ian Goldberg. Practical pir for electronic commerce. In ACM Conference on Computer and Communications Security (CCS) 2011.

  • [32] Justin Hsu Marco Gaboardi Andreas Haeberlen Sanjeev Khanna Arjun Narayan Benjamin C Pierce and Aaron Roth. Differential privacy: An economic method for choosing epsilon. In Computer Security Foundations Symposium (CSF) 2014 IEEE 27th 2014.

  • [33] Intel Corp. Software guard extensions programming reference 2013. No. 329298-001.

  • [34] MS Islam Mehmet Kuzu and Murat Kantarcioglu. Access pattern disclosure on searchable encryption: Ramification attack and mitigation. In Symposium on Network and Distributed System Security (NDSS) 2014.

  • [35] Dogan Kesdogan Mark Borning and Michael Schmeink. Unobservable surfing on the world wide web: is private information retrieval an alternative to the mix based approach? In Privacy Enhancing Technologies Symposium (PETS) 2002.

  • [36] Eyal Kushilevitz Steve Lu and Rafail Ostrovsky. On the (in)security of hash-based oblivious RAM and a new balancing scheme. In ACM-SIAM Symposium on Discrete Algorithms (SODA) 2012.

  • [37] Dautrich Jr Jonathan L Stefanov Emil and Shi Elaine. Burst oram: Minimizing oram response times for bursty access patterns. In USENIX Security Symposium 2014.

  • [38] Jaewoo Lee and Chris Clifton. How much is enough? choosing “ for differential privacy. In International Conference on Information Security 2011.

  • [39] Yingbin Liang H Vincent Poor and Shlomo Shamai. Information theoretic security. Foundations and Trends® in Communications and Information Theory 2009.

  • [40] Ren Ling Fletcher Christopher W Kwon Albert Stefanov Emil Shi Elaine Van Dijk Marten and Devadas Srinivas. Constants count: Practical improvements to oblivious ram. In USENIX Security Symposium 2015.

  • [41] Chang Liu Xiao Shaun Wang Kartik Nayak Yan Huang and Elaine Shi. ObliVM: A programming framework for secure computation. In IEEE Symposium on Security and Privacy (S&P) 2015.

  • [42] Martin Maas Eric Love Emil Stefanov Mohit Tiwari Elaine Shi Krste Asanovic John Kubiatowicz and Dawn Song. Phantom: Practical oblivious computation in a secure processor. In ACM Conference on Computer and Communications Security (CCS) 2013.

  • [43] Travis Mayberry Erik-Oliver Blass and Agnes Hui Chan. Efficient private file retrieval by combining oram and pir. In Symposium on Network and Distributed System Security (NDSS) 2014.

  • [44] Sahar Mazloom and S Dov Gordon. Differentially private access patterns in secure computation. https://eprint.iacr.org/2017/1016.pdf 2017.

  • [45] Prateek Mittal and Nikita Borisov. Information leaks in structured peer-to-peer anonymous communication systems. ACM Transactions on Information and System Security (TISSEC) 2012.

  • [46] Prateek Mittal Femi G Olumofin Carmela Troncoso Nikita Borisov and Ian Goldberg. Pir-tor: Scalable anonymous communication using private information retrieval. In USENIX Security Symposium pages 31–31 2011.

  • [47] Pedro Moreno-Sanchez Aniket Kate Matteo Maffei and Kim Pecina. Privacy preserving payments in credit networks. In Symposium on Network and Distributed System Security (NDSS) 2015.

  • [48] Olga Ohrimenko Felix Schuster Cédric Fournet Aastha Mehta Sebastian Nowozin Kapil Vaswani and Manuel Costa. Oblivious multi-party machine learning on trusted processors. In USENIX Security Symposium 2016.

  • [49] Olga Ohrimenko Felix Schuster Cédric Fournet Aastha Mehta Sebastian Nowozin Kapil Vaswani and Manuel Costa. Oblivious multi-party machine learning on trusted processors. In USENIX Security Symposium 2016.

  • [50] Benny Pinkas and Tzachy Reinman. Oblivious RAM revisited. In Advances in Cryptology—CRYPTO 2010.

  • [51] Ling Ren Christopher W Fletcher Albert Kwon Emil Stefanov Elaine Shi Marten van Dijk and Srinivas Devadas. Constants count: Practical improvements to oblivious RAM. In USENIX Security Symposium 2015.

  • [52] Ling Ren Xiangyao Yu Christopher W Fletcher Marten Van Dijk and Srinivas Devadas. Design space exploration and optimization of path oblivious RAM in secure processors. In ACM SIGARCH Computer Architecture News 2013.

  • [53] Emil Stefanov and Elaine Shi. Oblivistore: High performance oblivious cloud storage. In IEEE Symposium on Security and Privacy (S&P) 2013.

  • [54] Emil Stefanov Elaine Shi and Dawn Song. Towards practical oblivious RAM. In Symposium on Network and Distributed System Security (NDSS) 2012.

  • [55] Emil Stefanov Marten van Dijk Elaine Shi Christopher W. Fletcher Ling Ren Xiangyao Yu and Srinivas Devadas. Path ORAM: an extremely simple oblivious RAM protocol. In ACM Conference on Computer and Communications Security (CCS) 2013.

  • [56] Raphael R Toledo George Danezis and Ian Goldberg. Lower-cost _-private information retrieval. Privacy Enhancing Technologies Symposium (PETS) 2016.

  • [57] Xiao Wang Hubert Chan and Elaine Shi. Circuit ORAM: On tightness of the Goldreich-Ostrovsky lower bound. In ACM Conference on Computer and Communications Security (CCS) 2015.

  • [58] Xiao Shaun Wang Yan Huang T-H. Hubert Chan Abhi Shelat and Elaine Shi. SCORAM: Oblivious RAM for secure computation. In ACM Conference on Computer and Communications Security (CCS) 2014.

  • [59] Peter Williams and Radu Sion. Usable pir. In Symposium on Network and Distributed System Security (NDSS) 2008.

  • [60] Peter Williams Radu Sion and Bogdan Carbunar. Building castles out of mud: practical access pattern privacy and correctness on untrusted storage. In CCS 2008.

Search
Journal information
Metrics
All Time Past Year Past 30 Days
Abstract Views 0 0 0
Full Text Views 512 376 21
PDF Downloads 303 202 2