Abstract
Oblivious RAM (ORAM) is a cryptographic primitive that hides memory access patterns as seen by untrusted storage. Recently, ORAM has been architected into secure processors. A big challenge for hardware ORAM schemes is how to efficiently manage the Position Map (PosMap), a central component in modern ORAM algorithms. Implemented naively, the PosMap causes ORAM to be fundamentally unscalable in terms of on-chip area. On the other hand, a technique called Recursive ORAM fixes the area problem yet significantly increases ORAM's performance overhead.
To address this challenge, we propose three new mechanisms. The first two, a new ORAM structure called the PosMap Lookaside Buffer (PLB) and a set of PosMap compression techniques, reduce the performance overhead of Recursive ORAM empirically (the latter also improves the construction asymptotically). Through simulation, we show that these techniques reduce the memory bandwidth overhead needed to support recursion by 95%, reduce overall ORAM bandwidth by 37% and improve overall SPEC benchmark performance by 1.27x. We then show how our PosMap compression techniques further enable an extremely efficient integrity verification scheme for ORAM, which we call PosMap MAC (PMMAC). For a practical parameterization, PMMAC reduces the amount of hashing needed for integrity checking by at least 68x relative to prior schemes and introduces only 7% performance overhead.
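The recursion and PLB mechanisms named above can be made concrete with a small model. The following is an added illustration, not the paper's hardware or simulator: the Path ORAM trees are reduced to a table of leaf labels, the PosMap hierarchy is built as in Recursive ORAM (each PosMap ORAM's labels live in the next, smaller one until the top table fits on chip), and a PLB caches recently fetched PosMap blocks. What the model counts is the number of ORAM-tree accesses one program access costs, which is exactly the bandwidth the PLB saves on traces with locality. The packing factor `X`, the on-chip table size, the tree size and the trace are all assumptions chosen for the example.

```python
"""Recursive ORAM position map with a PosMap Lookaside Buffer (PLB).

Added model for illustration, not the paper's hardware or simulator. Path ORAM
trees are abstracted to a table of leaf labels; what is counted is how many
ORAM-tree accesses one program access costs, i.e. the bandwidth a PLB saves.
"""
import random
from collections import OrderedDict

# Parameters are assumptions chosen for this model, not the paper's values.
X = 8                   # leaf labels packed into one PosMap block
ONCHIP_ENTRIES = 64     # entries the on-chip top-level PosMap may hold
LEAVES = 1 << 20        # leaf labels are drawn uniformly from [0, LEAVES)


def num_posmap_orams(n_blocks: int) -> int:
    """Number of PosMap ORAMs needed before the top-level table fits on chip."""
    levels, entries = 0, n_blocks
    while entries > ONCHIP_ENTRIES:
        entries = -(-entries // X)      # ceil: blocks of the next PosMap ORAM
        levels += 1
    return levels


class RecursiveORAM:
    """Level 0 is the data ORAM, level i >= 1 the i-th PosMap ORAM."""

    def __init__(self, n_blocks: int, plb_entries: int = 0, seed: int = 0):
        self.rng = random.Random(seed)
        self.H = num_posmap_orams(n_blocks)
        self.leaf = {}                  # (level, block index) -> leaf label
        self.plb_entries = plb_entries  # 0 disables the PLB
        self.plb = OrderedDict()        # (level, block index) -> None, LRU order
        self.tree_accesses = 0

    def _posmap_block(self, addr: int, level: int) -> int:
        # The label of block b at level i-1 lives in block b // X of level i,
        # so the level-i block relevant to addr is addr // X**i.
        return addr // X ** level

    def _touch(self, level: int, block: int) -> None:
        """One ORAM-tree access: read the block, remap it to a fresh random leaf."""
        self.tree_accesses += 1
        self.leaf[(level, block)] = self.rng.randrange(LEAVES)
        if self.plb_entries and level > 0:
            self.plb[(level, block)] = None
            self.plb.move_to_end((level, block))
            if len(self.plb) > self.plb_entries:
                self.plb.popitem(last=False)   # evict least recently used

    def access(self, addr: int) -> int:
        """Serve one program access; return the number of tree accesses it cost."""
        start = self.H                      # no PLB hit: recurse from the top
        for level in range(1, self.H + 1):
            key = (level, self._posmap_block(addr, level))
            if key in self.plb:
                self.plb.move_to_end(key)   # PLB hit: this level is already on chip
                start = level - 1
                break
        for level in range(start, -1, -1):
            self._touch(level, self._posmap_block(addr, level))
        return start + 1


def simulate(n_blocks: int, trace, plb_entries: int = 0) -> int:
    """Total ORAM-tree accesses for a trace of block addresses."""
    oram = RecursiveORAM(n_blocks, plb_entries)
    for addr in trace:
        oram.access(addr)
    return oram.tree_accesses


if __name__ == "__main__":
    N = 1 << 16
    seq = range(64)                        # constructed trace with locality
    print("PosMap ORAMs:", num_posmap_orams(N))
    print("no PLB :", simulate(N, seq))
    print("PLB 16 :", simulate(N, seq, 16))
```

With 2^16 data blocks and the assumed parameters there are four PosMap ORAMs, so every access costs five tree accesses without a PLB; on the sequential trace the PLB serves seven of every eight accesses from the cached level-1 block and the remaining ones from the level-2 block, cutting the total from 320 to 75. A trace without locality gains far less, which is why the paper quotes the savings empirically rather than as a guarantee.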
We prototype our mechanisms in hardware and report area and clock frequency for a complete ORAM design post-synthesis and post-layout using an ASIC flow in a 32 nm commercial process. With 2 DRAM channels, the design post-layout runs at 1 GHz and has a total area of 0.47 mm^2. Depending on PLB-specific parameters, the PLB accounts for 10% to 26% area. PMMAC costs 12% of total design area. Our work is the first to prototype Recursive ORAM or ORAM with any integrity scheme in hardware.
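The PMMAC idea in the abstract, integrity verification that rides on the compressed PosMap, can be shown end to end in a few dozen lines. The following is an added illustration, not the paper's hardware or code: the compressed PosMap keeps one access counter per block on the trusted side and derives the block's leaf label as a PRF of address and counter, and every block in untrusted storage carries a MAC over (address, counter, data). Because the counter is trusted and changes on every access, a modified or rolled-back block fails its MAC without any hash tree over the ORAM. The full 64-bit counter per block, HMAC-SHA256 as both PRF and MAC, the abstracted tree and the demo key are assumptions of the example; the paper compresses the counters further and stores them inside the recursive PosMap.

```python
"""PMMAC-style integrity check on a compressed position map (added illustration).

Not the paper's hardware or code. Assumptions: one full counter per block held
on the trusted side, HMAC-SHA256 as PRF and MAC, ORAM tree reduced to leaf labels.
"""
import hashlib
import hmac

LEAVES = 1 << 16                   # assumption: leaves of the abstracted ORAM tree


class IntegrityError(Exception):
    pass


def _enc(addr: int, counter: int) -> bytes:
    return addr.to_bytes(8, "big") + counter.to_bytes(8, "big")


def leaf_for(key: bytes, addr: int, counter: int) -> int:
    """Compressed PosMap: the leaf label is recomputed from the counter, never stored."""
    tag = hmac.new(key, b"leaf" + _enc(addr, counter), hashlib.sha256).digest()
    return int.from_bytes(tag[:4], "big") % LEAVES


def block_mac(key: bytes, addr: int, counter: int, data: bytes) -> bytes:
    """MAC binding the data to its address and the trusted access counter."""
    return hmac.new(key, b"mac" + _enc(addr, counter) + data, hashlib.sha256).digest()


class UntrustedStore:
    """Storage the adversary controls: it may return any (data, mac) pair."""

    def __init__(self):
        self.blocks = {}

    def put(self, addr: int, data: bytes, mac: bytes) -> None:
        self.blocks[addr] = (data, mac)

    def get(self, addr: int):
        return self.blocks[addr]


class PMMACClient:
    """Trusted side: holds the key and the per-block counters (the compressed PosMap)."""

    def __init__(self, store: UntrustedStore, key: bytes):
        self.store = store
        self.key = key
        self.counter = {}              # addr -> number of accesses so far

    def leaf(self, addr: int) -> int:
        return leaf_for(self.key, addr, self.counter.get(addr, 0))

    def access(self, addr: int, new_data: bytes = None) -> bytes:
        """Read, verify, rewrite, as every ORAM access does; returns the data read."""
        c = self.counter.get(addr, 0)
        if c == 0:
            data = b""                 # first touch: nothing stored yet
        else:
            data, mac = self.store.get(addr)
            if not hmac.compare_digest(mac, block_mac(self.key, addr, c, data)):
                raise IntegrityError(f"block {addr}: stale or modified")
        if new_data is not None:
            data = new_data
        c += 1                         # bump the trusted counter ...
        self.counter[addr] = c
        # ... and write back under the new counter; the block also moves to the
        # new leaf leaf_for(key, addr, c), which the ORAM would use as its path.
        self.store.put(addr, data, block_mac(self.key, addr, c, data))
        return data


def replay_is_detected(key: bytes = b"constructed-demo-key") -> bool:
    """Storage rolls a block back to an earlier (data, mac) pair it once held."""
    store = UntrustedStore()
    client = PMMACClient(store, key)
    client.access(7, b"version 1")
    stale = store.get(7)               # old block as it left the client
    client.access(7, b"version 2")
    store.put(7, *stale)               # stale copy served on the next access
    try:
        client.access(7)
        return False
    except IntegrityError:
        return True


def honest_read(key: bytes = b"constructed-demo-key") -> bytes:
    store = UntrustedStore()
    client = PMMACClient(store, key)
    client.access(3, b"hello")
    return client.access(3)


if __name__ == "__main__":
    print("replay detected:", replay_is_detected())
    print("honest read   :", honest_read())
```

The check costs one MAC computation per block accessed, which is the source of the hashing reduction the abstract reports relative to schemes that walk a Merkle tree; the security argument rests entirely on the counters being trusted, which in the real design follows from the PosMap hierarchy terminating on chip.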
Freecursive ORAM: [Nearly] Free Recursion and Integrity Verification for Position-based Oblivious RAM
ASPLOS '15: Proceedings of the Twentieth International Conference on Architectural Support for Programming Languages and Operating Systems