Stronger Lower Bounds for Online ORAM
Pavel Hubáček, Michal Koucký, Karel Král, Veronika Slívová

TL;DR
This paper establishes a stronger lower bound of for online ORAM bandwidth overhead, even when the server lacks knowledge of input operation boundaries, broadening the understanding of ORAM efficiency limits.
Contribution
It proves a new lower bound for online ORAMs without server knowledge of access correspondence, extending prior bounds and analyzing access graph properties.
Findings
Lower bound applies even without server access to operation boundaries.
Access graphs of ORAMs satisfy a specific testable property.
The new property is less structured than the previous Larsen-Nielsen property.
Stronger Lower Bounds for Online ORAM
(This research was supported in part by the Grant Agency of the Czech Republic under the grant agreement no. 19-27871X, by the Charles University projects PRIMUS/17/SCI/9 and UNCE/SCI/004, Charles University grant SVV-2017-260452, and by the Neuron Fund for the support of science.)
Pavel Hubáček, Michal Koucký, Karel Král, Veronika Slívová
Computer Science Institute of Charles University, Prague, Czech Republic
{hubacek, koucky, kralka, slivova}@iuuk.mff.cuni.cz
Abstract
Oblivious RAM (ORAM), introduced in the context of software protection by Goldreich and Ostrovsky [JACM’96], aims at obfuscating the memory access pattern induced by a RAM computation. Ideally, the memory access pattern of an ORAM should be independent of the data being processed. Since the work of Goldreich and Ostrovsky, it was believed that there is an inherent bandwidth overhead in any ORAM working with memory of size . Larsen and Nielsen [CRYPTO’18] were the first to give a general lower bound for any online ORAM, i.e., an ORAM that must process its inputs in an online manner.
In this work, we revisit the lower bound of Larsen and Nielsen, which was proved under the assumption that the adversarial server knows exactly which server accesses correspond to which input operation. We give an lower bound for the bandwidth overhead of any online ORAM even when the adversary has no access to this information. For many known constructions of ORAM this information is provided implicitly as each input operation induces an access sequence of roughly the same length. Thus, they are subject to the lower bound of Larsen and Nielsen. Our results rule out a broader class of constructions and specifically, they imply that obfuscating the boundaries between the input operations does not help in building a more efficient ORAM.
As our main technical contribution and to handle the lack of structure, we study the properties of access graphs induced naturally by the memory access pattern of an ORAM computation. We identify a particular graph property that can be efficiently tested and that all access graphs of ORAM computation must satisfy with high probability. This property is reminiscent of the Larsen-Nielsen property but it is substantially less structured; that is, it is more generic.
1 Introduction
Oblivious simulation of RAM machines, initially studied in the context of software protection by Goldreich and Ostrovsky [GO96], aims at protecting the memory access pattern induced by computation of a RAM from an eavesdropper. In the present day, such oblivious simulation might be needed when performing a computation in the memory of an untrusted server. (Footnote 1: Protecting the memory access of a computation is particularly relevant in the light of the recent Spectre [KGG+18] and Meltdown [LSG+18] attacks.) Despite using encryption for protecting the content of each memory cell, the memory access pattern might still leak sensitive information. Thus, the memory access pattern should be oblivious of the data being processed and, optimally, depend only on the size of the input.
Constructions.
The strong guarantee of obliviousness of the memory access pattern comes at the cost of additional overhead. A trivial solution which scans the whole memory for each memory access induces linear bandwidth overhead, i.e., the multiplicative factor by which the length of a memory access pattern increases in the oblivious simulation of a RAM with memory cells. Given its many practical applications, an important research direction is to construct an ORAM with as low overhead as possible. The foundational work of Goldreich and Ostrovsky [GO96] already gave a construction with bandwidth overhead . Subsequent results introduced various improved approaches for building ORAMs (see [Ajt10, CLP14, CP13, DMN11, GGH+13, GO96, GM11, GMOT11, KLO12, PPRY18, RFK+14, SvDS+18, WCS15, WHC+14] and the references therein) leading to the recent construction of Asharov et al. [AKL+18] with bandwidth overhead for the most natural setting of parameters.
Lower-bounds.
It was a folklore belief that an bandwidth overhead is inherent based on a lower bound presented already in the initial work of Goldreich and Ostrovsky [GO96]. However, the Goldreich-Ostrovsky result was recently revisited in the work of Boyle and Naor [BN16], who pointed out that the lower bound actually holds only in a rather restricted “balls and bins” model where the ORAM is not allowed to read the content of the data cells it processes. In fact, Boyle and Naor showed that any general lower bound for offline ORAM (i.e., where each memory access of the ORAM can depend on the whole sequence of operations it needs to obliviously simulate) implies non-trivial lower bounds on sizes of sorting circuits which seem to be out of reach of the known techniques in computational complexity. The connection between offline ORAM lower bounds and circuit lower bounds was extended to read-only online ORAMs (i.e., where only the read operations are processed in online manner) by Weiss and Wichs [WW18] who showed that lower bounds on bandwidth overhead for read-only online ORAMs would imply non-trivial lower bounds for sorting circuits or locally decodable codes.
The first general lower bound for bandwidth overhead in online ORAM (i.e., where the ORAM must process sequentially the operations it has to obliviously simulate) was given by Larsen and Nielsen [LN18]. The core of their lower bound consisted of adapting the information transfer technique of Patrascu and Demaine [PD06], originally used for proving lower bounds for data structures in the cell probe model, to the ORAM setting. In fact, the lower bound of Larsen and Nielsen [LN18] for ORAM can be cast as a lower bound for the oblivious Array Maintenance problem and it was recently extended to other oblivious data structures by Jacob et al. [JLN19].
1.1 Our Results
In this work, we further develop the information transfer technique of [PD06] when applied in the context of online ORAMs. We revisit the lower bound of Larsen and Nielsen which was proved under the assumption that the adversarial server knows exactly which server accesses correspond to each input operation. Specifically, we prove a stronger matching lower bound in a relaxed model without any restriction on the format of the access sequence to server memory.
Note that the [LN18] lower bound does apply to the known constructions of ORAMs where it is possible to implicitly separate the accesses corresponding to individual input operations – since each input operation generates an access sequence of roughly the same length. However, the [LN18] result does not rule out the possibility of achieving sub-logarithmic overhead in an ORAM which obfuscates the boundaries in the access pattern (e.g. by translating input operations into variable-length memory accesses). We show that obfuscating the boundaries between the input operations does not help in building a more efficient ORAM. In other words, our lower bound justifies the design choice of constructing ORAMs where each input operation is translated to roughly the same number of probes to server memory (common to the known constructions of ORAMs).
Besides online ORAM (i.e., the oblivious Array Maintenance problem), our techniques naturally extend to other oblivious data structures and allow us to also generalize the recent lower bounds of Jacob et al. [JLN19] for oblivious stacks, queues, deques, priority queues and search trees.
For online ORAMs with statistical security, our results are stated in the following informal theorem.
Theorem 1.1 (Informal).
Any statistically secure online ORAM with internal memory of size has expected bandwidth overhead , where is the length of the sequence of input operations. This result holds even when the adversarial server has no information about boundaries between probes corresponding to different input operations.
In the computational setting, we consider two definitions of computational security. Our notion of weak computational security requires that no polynomial time algorithm can distinguish access sequences corresponding to any two input sequences of the same length – this is closer in spirit to computational security for ORAMs previously considered in the literature. The notion of strong computational security requires computational indistinguishability even when the distinguisher is given the two input sequences together with an access sequence corresponding to one of them. The distinguisher should not be able to tell which one of the two input sequences produced the access sequence. Interestingly, our technique (as well as the proof technique of [LN18] in the model with structured access pattern) yields different lower bounds with respect to the two definitions stated in the following informal theorem.
Theorem 1.2 (Informal).
Any weakly computationally secure online ORAM with internal memory of size must have expected bandwidth overhead . Any strongly computationally secure online ORAM with internal memory of size must have expected bandwidth overhead , where is the length of the sequence of input operations. This result holds even when the adversarial server has no information about boundaries between probes corresponding to different input operations.
Note that even the lower bound for online ORAMs satisfying weak computational security is an interesting result in the light of the work of Boyle and Naor [BN16]. It follows from [BN16] that any super-constant lower bound for offline ORAM would imply super-linear lower bounds on size of sorting circuits – which would constitute a major breakthrough in computational complexity (for additional discussion, see Section 5). Our techniques clearly do not provide lower bounds for offline ORAMs. On the other hand, we believe that proving the lower bound in any meaningful weaker model would amount to proving lower bounds for offline ORAM or read-only online ORAM which would have important implications in computational complexity.
Alternative Definitions of ORAM.
Previous works considered various alternative definitions of ORAM. We clarify the ORAM model in which our techniques yield a lower bound in Section 2.1 and discuss its relation to other models in Section 5. As an additional contribution, we demonstrate an issue with the definition of ORAM appearing in Goldreich and Ostrovsky [GO96]. Specifically, we show that the definition can be satisfied by a RAM with constant overhead and no meaningful security. The definition of ORAM in Goldreich and Ostrovsky [GO96] differs from the original definitions in Goldreich [Gol87] and Ostrovsky [Ost90], which do not share the issue we observed in the definition from Goldreich and Ostrovsky [GO96]. Given that the work of Goldreich and Ostrovsky [GO96] might serve as a primary reference for our community, we explain the issue in Section 5 to help prevent the use of the problematic definition in future works.
Persiano and Yeo [PY19] recently adapted the chronogram technique [FS89] from the literature on data structure lower bounds to prove a lower bound for differentially private RAMs (a relaxation of ORAMs in the spirit of differential privacy [DMNS06] which ensures indistinguishability only for input sequences that differ in a single operation). Similarly to the work of Larsen and Nielsen [LN18], the proof in [PY19] exploits the fact that the distinguisher knows exactly which server accesses correspond to each input operation. However, as the chronogram technique significantly differs from the information transfer approach, we do not think that our techniques would directly allow us to strengthen the [PY19] lower bound for differentially private RAMs and prove it in the model with an unstructured access pattern.
1.2 Our Techniques
The structure of our proof follows a similar blueprint as the work of Larsen and Nielsen [LN18]. However, we must handle new issues introduced by the more general adversarial model. Most significantly, our proof cannot rely on any formatting of the access pattern, whereas Larsen and Nielsen leveraged the fact that the access pattern is split into blocks corresponding to each read/write operation. To handle the lack of structure in the access pattern, we study the properties of the access graph induced naturally by the access pattern of an ORAM computation. We identify a particular graph property that can be efficiently tested and that all access graphs of ORAM computation must satisfy with high probability. This property is reminiscent of the Larsen-Nielsen property but it is substantially less structured; that is, it is more generic.
The access graph is defined as follows: the vertices are timestamps of server probes and there is an edge connecting two vertices if and only if they correspond to two subsequent accesses to the same memory cell. We define a graph property called -dense -partition. Roughly speaking, graphs with -dense -partitions are graphs which may be partitioned into disjoint subgraphs, each subgraph having at least edges. We show that this property has to be satisfied (with high probability) by access graphs induced by an ORAM for any and an appropriate . To leverage this inherent structure of access graph towards a lower bound on bandwidth overhead, we prove that if a graph has -dense -partition for some and different values of then the graph must have at least edges. In Section 3, we provide the formal definition of access graph and -dense -partitions and prove a lower bound on the expected number of edges for a graph that has many -dense -partitions.
In Section 4, we prove that access graphs of ORAMs have many dense partitions. Specifically, using a communication-type argument we show that for values of , there exist input sequences for which the corresponding graph has -dense -partition with high probability. Applying the indistinguishability of sequences of probes made by ORAM, we get one sequence for which its access graph satisfies -dense -partition for values of with high probability. Combining the above results from Section 4 with the results from Section 3, we get that the graph of such a sequence has edges, and thus by definition, vertices in expectation. This implies that the expected number of probes made by the ORAM on any input sequence of length is .
2 Preliminaries
In this section, we introduce some basic notation and recall some standard definitions and results. Throughout the rest of the paper, we let for to denote the set . A function is negligible if it approaches zero faster than any inverse polynomial.
Definition \thedefinition (Statistical Distance).
For two probability distributions and on a discrete universe , we define statistical distance of and as
[TABLE]
We use the following observation, which characterizes statistical distance as the difference of areas under the curve (see Fact 3.1.9 in Vadhan [Vad99]).
Proposition \theproposition.
Let and be probability distributions on a discrete universe , let , and define analogously. Then
[TABLE]
We also use the following data-processing-type inequality.
Proposition \theproposition.
Let and be probability distributions on a discrete universe . Then for any function , it holds that .
Definition \thedefinition (Computational indistinguishability).
Two probability ensembles, and , are computationally indistinguishable if for every polynomial-time algorithm there exists a negligible function such that
[TABLE]
2.1 Online ORAM
In this section, we present the formal definition for online oblivious RAM (ORAM) we consider in our work – we build on the oblivious cell-probe model of Larsen and Nielsen [LN18].
Definition \thedefinition (Array Maintenance Problem [LN18]).
The Array Maintenance problem with parameters is to maintain an array of -bit entries under the following two operations:
- (, ): Set the content of to , where , . (Write operation)
- (, ): Return the content of , where (note that is ignored). (Read operation)
We say that a machine implements the Array Maintenance problem with parameters and probability , if for every input sequence of operations
[TABLE]
and for every read operation in the sequence , returns the correct answer with probability at least .
Definition \thedefinition (Online Oblivious RAM).
For , let RAM denote a probabilistic random access machine with cells of internal memory, each of size bits, which has access to a data structure, called server, implementing the Array Maintenance problem with parameters and probability 1. In other words, in each step of computation may probe the server on a triple and on every input the server returns to the data last written in . We say that probes the server whenever it makes an Array Maintenance operation to the server.
Let be any natural numbers such that . An online Oblivious RAM with address range , cell size bits and cells of internal memory is a satisfying online access sequence, correctness, and statistical (resp. computational) security as defined below.
Online Access Sequence:
For any input sequence the RAM machine gets one by one, where each . Upon the receipt of each operation , the machine generates a possibly empty sequence of server probes , where each , and updates its internal memory state in order to correctly implement the request . We define the access sequence corresponding to as . For the input sequence , the access sequence is defined as
[TABLE]
Note that the definition of the machine is online, and thus for each input sequence and each , the access sequence does not depend on .
Correctness:
implements the Array Maintenance problem with parameters with probability at least .
Statistical Security:
For any two input sequences of the same length, the statistical distance of the distributions of access sequences and is at most .
Computational Security:
For computational security, we consider infinite families of ORAM where we allow to be functions of the length of the input sequence. We distinguish between the following two notions:
Weak Computational Security:
For any infinite families of input sequences and such that for all , the probability ensembles and are computationally indistinguishable.
Strong Computational Security:
For any infinite families of input sequences and such that for all , the probability ensembles and are computationally indistinguishable.
The parameters of our ORAM model from Definition 2.1 are depicted in Figure 1. We use different sizes of arrows on server and RAM side to denote the asymmetry of the communication (the RAM sends type of operation, address, and data and the server returns requested data in case of a read operation and dummy value in case of a write operation). Note that the input sequence of ORAM consists of a sequence of all operations, whereas the access sequence consists of a sequence of addresses of all probes.
Arguably, a user of an ORAM might want the stronger notion of computational security whereas the weaker notion is closer to the past considerations. Note that in the case of weak computational security, the adversarial distinguisher does not have access to the input sequences. Thus, it is restricted to contain only a constant amount of information about the whole families of input sequences and . In contrast, in the case of strong computational security, the adversarial distinguisher is given also the input sequences. Thus, it is able to compute any polynomial time computable information about the input sequences. This distinction is crucial for our results, as we are able to prove only an lower bound for weak security as opposed to the lower bound for strong security (see Theorem 4.3 and Theorem 4.2). Nevertheless, we believe that the known constructions of ORAM satisfy the notion of strong computational security.
For ease of exposition, in the rest of the paper we assume perfect correctness of the ORAM (i.e., ). However, our lower bounds can be extended also to ORAMs with imperfect correctness (see Remark 4). Finally, our lower bounds hold also for semi-offline ORAMs where the ORAM machine receives the type and address of each operation in advance and it has to process in online manner only the data to be written during each write operation (see Remark 4).
3 Dense Graphs
In this section, we define an efficiently testable property of graphs that we show to be satisfied by graphs induced by the access pattern of any statistically secure ORAM. This property implies that the overhead of such ORAM must be logarithmic.
We say a directed graph is ordered if is a subset of integers and for each edge , . For a graph and , we let be the set of edges that start in and end in , and for integers we let .
Definition \thedefinition.
A -partition of an ordered graph is a sequence . We say that the -partition is -dense if for each , is of size at least .
There is a simple greedy algorithm running in time which tests for given integers whether a given ordered graph has an -dense -partition. (The algorithm looks for the parts one by one greedily from left to right.)
Lemma \thelemma.
Let be a subset of powers of 4. Let be given. Let be an ordered graph which for each has an -dense -partition. Then has at least edges.
Proof.
We use the following claim to bound the number of edges.
Claim \theclaim.
Let be integers. Let be a -partition of , and be a -partition of . Then for at least distinct
[TABLE]
Proof.
For any and , if for some then (as .) Thus, is uniquely determined by . Hence, may intersect only if , for some . Thus, such an intersection occurs only for at most different . The claim follows. ∎
Now we are ready to prove Lemma 3. For each , pick an -dense -partition of and define the set of edges :
[TABLE]
For each , we lower-bound by . Since contains powers of , . By the above claim, for at least different , . By density, , so . Hence, . ∎
In the following corollary, we show that the property of having many dense partitions with some probability implies proportionally many edges. (Note that the term corresponds exactly to the number of powers of four between and .)
Corollary \thecorollary.
Let be natural numbers, where . Let be a real. Let be an ordered graph picked at random from a distribution such that for each integer , , the randomly chosen ordered graph has -dense -partition with probability at least . Then the expected number of edges in is at least .
Proof.
Let be the set of integers such that if and only if is a power of and has an -dense -partition. is a random variable. The expected size of is at least . By Lemma 3, the expected number of edges in is at least . ∎
4 ORAM Lower Bound
In this section, we fix integers such that , , and an ORAM with address range , cell size and cells of internal memory (see Definition 2.1). We argue that any statistically secure ORAM must make server probes in expectation in order to implement a sequence of input operations. We also show that any ORAM satisfying Weak Computational Security must make server probes in expectation on any input sequence of length .
Definition \thedefinition.
Let be an access sequence of for some input sequence . We define a directed graph called access graph as follows: and iff and and for each , .
Notice that every vertex of an access graph has outdegree as well as indegree at most one.
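The access graph just defined, together with the greedy left-to-right test for an -dense -partition mentioned in Section 3, as an added Python example (not code from the paper). Because the page's formulas are missing, it assumes that a k-partition is a sequence of consecutive triples a ≤ m ≤ e and that a part is ℓ-dense when at least ℓ edges start in [a, m) and end in [m, e); the probe sequence is a constructed sample from a non-oblivious RAM that probes exactly the addressed cell, run on the write-block/read-block input shape of Lemma 4.

```python
from typing import Dict, List, Optional, Tuple

Edges = Dict[int, int]           # tail timestamp -> head timestamp
Part = Tuple[int, int, int]      # (a, m, e): left interval [a, m), right interval [m, e)


def access_graph(probes: List[int]) -> Edges:
    """Access graph of a server probe sequence.

    Vertices are the probe timestamps 0 .. len(probes)-1.  There is an edge
    s -> t exactly when probes s and t touch the same server cell and no probe
    strictly between them touches that cell.  Each vertex therefore has
    in-degree and out-degree at most one, so a dict tail -> head suffices.
    """
    last_seen: Dict[int, int] = {}   # cell address -> timestamp of its latest probe
    edges: Edges = {}
    for t, addr in enumerate(probes):
        if addr in last_seen:
            edges[last_seen[addr]] = t
        last_seen[addr] = t
    return edges


def dense_partition(edges: Edges, n: int, k: int, ell: int) -> Optional[List[Part]]:
    """Greedy left-to-right test for an ell-dense k-partition of an ordered
    graph on vertices 0 .. n-1 (assumed definition, see the lead-in).

    For the current start a, the greedy step takes the smallest end e for
    which some cut m yields at least ell edges from [a, m) into [m, e).
    A part's density depends only on edges inside it, so closing every part
    as early as possible never hurts later parts; the test is therefore exact.
    Returns the k parts found, or None if no ell-dense k-partition exists.
    """
    head_to_tail = {t: s for s, t in edges.items()}
    parts: List[Part] = []
    a = 0
    while len(parts) < k:
        # f[m] = number of edges s -> t with a <= s < m <= t < e, for the current e
        f = [0] * (n + 1)
        found: Optional[Part] = None
        for e in range(a + 1, n + 1):
            v = e - 1                      # vertex v now joins the right side [m, e)
            s = head_to_tail.get(v)
            if s is not None and s >= a:   # its unique in-edge crosses every cut m in (s, v]
                for m in range(s + 1, v + 1):
                    f[m] += 1
            m_best = max(range(a, e + 1), key=f.__getitem__)
            if f[m_best] >= ell:
                found = (a, m_best, e)
                break
        if found is None:
            return None
        parts.append(found)
        a = found[2]                       # next part starts where this one ended
    return parts


def plain_probes(k: int, ell: int) -> List[int]:
    """Constructed sample input: probe sequence of a non-oblivious RAM that
    touches exactly the addressed cell, on k blocks of 'write cells 0..ell-1,
    then read cells 0..ell-1' (the block shape used in Lemma 4)."""
    block = list(range(ell)) * 2       # one block of writes, then one block of reads
    return block * k


if __name__ == "__main__":
    k, ell = 3, 4
    probes = plain_probes(k, ell)
    g = access_graph(probes)
    # each read block re-touches the ell cells of the preceding write block,
    # so every block contributes an ell-dense part
    print(dense_partition(g, len(probes), k, ell))
    # no block moves more than ell cells from writes to reads
    print(dense_partition(g, len(probes), k, ell + 1))
```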
In the following, we consider input sequences of even length . First, we define a sequence of alternating writes and reads at address with data as . Second, for each , let , we define a distribution of input sequences as
[TABLE]
where each is an independently uniformly chosen bit string. We define the -th block of writes and the -th block of reads to be the sequence of operations following right after . Note that after the -th block of reads the sequence is padded to length by a sequence of alternating writes and reads. For an ORAM , we use the notation and when is clear from the context.
The following lemma uses only correctness of ORAM and does not depend on its security. The proof of the lemma uses the information transfer technique similarly to Lemma 2 in [LN18].
Lemma \thelemma.
Let be as in the beginning of this section, moreover suppose is an even integer. Let be an integer such that . Let be the access sequence of and be the corresponding access graph. ( is a random variable that depends on and the internal randomness of .) With probability at least , has -dense -partition.
Proof.
By our assumption from the beginning of this section, , and thus for any all sequences have all addresses in the correct range. Fix any satisfying the assumptions of this lemma and set . As defined before let and be the -th block of writes and reads in , respectively. Let be the vertices of corresponding to , and be the vertices corresponding to . It suffices to prove that for each , the probability that there are fewer than edges between and is less than . If this holds then by the union bound the lemma follows.
For contradiction, assume there exists such that the probability that there are fewer than edges between and is at least . Here, the randomness is taken over the choice of an input sequence and the internal randomness of . Fix such an . Fix all the randomness except for the choice of in so that obtained from this restricted distribution has fewer than edges between and with probability over the choice of . (This is possible by an averaging argument.) Let be the set of choices for which give fewer than edges between and in . Clearly, .
We use to construct a deterministic protocol that transmits any string from from Alice to Bob, two communicating parties, using at most bits. That gives a contradiction as such an efficient transmission violates the pigeon-hole principle.
On input to Alice, Alice sends a single message to Bob who can determine from the message. They proceed as follows. Both Alice and Bob simulate on up until reaching . All the randomness used before the -th block of writes is fixed and known both to Alice and Bob. Then Alice continues with the simulation of on with data set to . Once she finishes it, she sends the content of the internal memory of to Bob using bits. Then Alice continues with the simulation of on and whenever makes a server probe to read from a location that was written last time during the simulation of , Alice sends over the address and the content of that cell to Bob. Overall, Alice sends at most bits of communication to Bob that can be concatenated into a single message of this size.
On the receiving side, Bob uses the internal state of communicated by Alice to continue with the computation on , while he uses the state of the server he obtained initially before reaching . He simulates all server probes by himself, except for read operations that match the list sent by Alice, where he initially uses the content provided by Alice. Clearly, Bob can determine from the simulation.
As , , so , hence, the number of communicated bits is , which is a contradiction. ∎
Remark \theremark.
Using good error-correcting codes (see for instance [MS77]), this lemma could be generalized to the case when implements the Array Maintenance problem with probability , i.e., is allowed to return a wrong value for each of its input read operations with a small constant probability . The graph would still have -dense -partition with probability for some which depends only on the allowed failure probability .
Remark \theremark.
Note that the randomness of input sequence is used only for the data to be written. Moreover, the proof relies only on incompressibility of a random string stored during the write block and it does not rely on the addresses used to store this data. Thus, the same proof goes through even for semi-offline ORAMs, i.e., if we allow the ORAM to know the type and address of each input operation in in advance. On the other hand, as our proof uses interleaved sequences of write blocks and read blocks, it is unlikely that it would be possible to extend it to the read-only online ORAM model of Weiss and Wichs [WW18].
Note that using an averaging argument we can assume that the probability in Lemma 4 is only over the randomness of . Thus we get the following corollary proving for every the existence of a single input sequence whose corresponding access graph has -dense -partition with high probability.
Corollary \thecorollary.
For any even integer and an integer such that there is an input sequence of length such that has a -dense -partition with probability at least .
We show that by statistical security of , this property holds for a single input sequence and many different values of .
Lemma \thelemma.
Let be as in the beginning of this section, and assume is even and . Let be an input sequence to of length . If is a statistically secure online ORAM then for every
[TABLE]
Proof.
For contradiction, suppose that for some the probability is less than . From the statistical security of we know that the statistical distance where is given by Corollary 4. By Corollary 4 the sequence gives us a graph which has an -dense -partition with probability at least . Define a function on ordered graphs that is an indicator of having an -dense -partition. Applying Proposition 2 with , , and , we can conclude that has an -dense -partition with probability at least . ∎
We are ready to prove our main theorem for statistically secure ORAM.
Theorem 4.1.
There are constants such that for any integers and where and , any statistically secure online ORAM with address range , cell size bits and cells of internal memory must perform at least server probes in expectation (the expectation is over the randomness of ) on any input sequence of length .
Proof.
Fix an ORAM machine . Consider any input sequence to of length . By Lemma \thelemma for every , such that , we get that
[TABLE]
Applying Corollary 3 with , , , and , we can lower bound the expected number of edges in by
[TABLE]
For , . Hence, the expected number of edges in is at least , provided is large enough. Since the indegree of each vertex of an access graph is at most one, the expected number of vertices in , which is the same as the expected number of probes in , is at least . ∎
Next, we prove a lower bound for ORAMs satisfying the strong computational security property of Definition 2.1.
Lemma \thelemma.
Let be non-decreasing functions such that for all large enough: and . Let be a sequence of online ORAMs with address range , cell size bits and cells of internal memory which satisfy strong computational security. Let be an infinite family of input sequences where , for each .
Then there exists such that for every and for every
[TABLE]
Proof.
For contradiction, assume there are infinitely many pairs of integers , such that and that the probability that has an -dense -partition is less than .
Let be an algorithm which given two input sequences and of length and an access sequence , where , does the following:
1. Compute .
2. Compute to be the number of blocks of consecutive reads of length in the input sequence .
3. If does not have an -dense -partition, return "1" (i.e., guess that ).
4. Otherwise return "1" with probability and "2" with probability (i.e., guess at random).
There is a polynomial time greedy algorithm determining whether the graph contains an -dense -partition. Thus algorithm runs in time polynomial in the length of the access sequence .
Let be a sequence from Corollary 4. So, has an -dense -partition with probability at least . Observe that if and then:
[TABLE]
By the assumption returns “1” in step 3 on with probability at least . By Corollary 4 answers “1” on with probability at most .
This contradicts the strong computational security of as should not distinguish between and with non-negligible probability. ∎
Theorem 4.2.
Let be non-decreasing functions such that for all large enough: and . Let be a sequence of online ORAMs with address range , cell size bits and cells of internal memory which satisfy strong computational security. Let be an infinite family of input sequences where , for each .
There are constants , such that for any , must perform in expectation at least server probes on the input sequence .
Proof.
The proof is identical to the proof of Theorem 4.1, except that we use Lemma \thelemma instead of Lemma \thelemma. Note that the different order of quantifiers in the two theorems is caused by the different order of quantifiers in Lemma \thelemma and in Lemma \thelemma. ∎
In the rest of this section, we prove an lower bound for ORAMs satisfying the weak computational security property of Definition 2.1. Note that in the case of weak computational security it is unclear which the adversary should use to distinguish and . Thus, we cannot directly conclude that has an -dense -partition for every and . On the other hand, for every there can be only finitely many values such that there is an input sequence of length whose access graph has no -dense -partition. This fact allows us to prove the lower bound for weak computational security.
Theorem 4.3.
Let be non-decreasing functions such that for all large enough: and . Let be a sequence of online ORAMs with address range , cell size bits and cells of internal memory which satisfy weak computational security. Let be a sequence of input sequences where , for each .
For any constant there is a constant , such that for any , must perform in expectation at least server probes on the input sequence .
In particular, there is no computationally secure online ORAM with constant bandwidth overhead .
Proof.
For each , define to be the smallest such that
[TABLE]
Using Corollary 3 we get for each large enough that the expected number of edges in is at least , for some absolute constant . It suffices to show that as . There cannot exist a constant such that has -dense -partition with probability less than for infinitely many . Otherwise would be computationally distinguishable from (by the greedy algorithm which has hard-wired). So, as . ∎
5 Alternative Definitions for Oblivious RAM
In this section, we recall some alternative definitions for ORAM which appeared in the literature and explain the relation of our lower bound to those models.
The definition of Larsen and Nielsen.
Larsen and Nielsen (see Definition 4 in [LN18]) required that for any two input sequences of equal length, the corresponding distributions of access sequences cannot be distinguished with probability greater than by any algorithm running in polynomial time in the sum of the following terms: the length of the input sequence, logarithm of the number of memory cells (i.e., ), and the size of a memory cell (i.e., for the most natural parameters). We show that their definition implies statistical closeness as considered in our work (see the statistical security property in Definition 2.1). Therefore, any lower bound on the bandwidth overhead of ORAM satisfying our definition implies a matching lower bound w.r.t. the definition of Larsen and Nielsen [LN18].
To this end, let us show that if two distributions of access sequences are not statistically close, then they are distinguishable in the sense of Larsen and Nielsen. Assume there exist two input sequences and of equal length, for which the access sequences and have statistical distance greater than . We define a distinguisher algorithm that on access sequence outputs whenever , outputs whenever , and outputs a uniformly random bit whenever . It follows from the definition of , basic properties of statistical distance (see Section 2), and our assumption about the statistical distance of and that
[TABLE]
Note that can be specific to the pair of input sequences and and can have all the significant information about the distributions and hardwired. For example, it suffices to store a string describing, for each access sequence, whether it is more, less, or equally likely under than under . Even though such a string is of exponential size w.r.t. the length of the access pattern, simply needs to access the position corresponding to the observed access pattern to output its decision as described above. Thus, can run in linear time in the length of the access sequence (which is polynomial in the length of the input sequence) and distinguishes the two access sequences with probability greater than .
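The distinguisher just described, as an added example that is not part of the paper: it is built over two small constructed distributions of access sequences (standing in for the distributions induced by two input sequences), hard-wires the "more, less, or equally likely" table, and checks with exact arithmetic that the distinguisher's advantage equals the statistical distance of the two distributions.

```python
"""Added example (not from the paper): a hard-wired maximum-likelihood
distinguisher for two distributions over access sequences, computed exactly."""
from fractions import Fraction

# Constructed distributions over access sequences (tuples of server addresses).
# They play the role of the distributions induced by two input sequences.
P1 = {(3, 1, 3): Fraction(1, 2), (2, 1): Fraction(1, 4), (1, 1, 1): Fraction(1, 4)}
P2 = {(3, 1, 3): Fraction(1, 8), (2, 1): Fraction(1, 4), (1, 1, 1): Fraction(5, 8)}


def statistical_distance(p, q):
    """SD(p, q) = 1/2 * sum_x |p(x) - q(x)| over the union of the supports."""
    return sum(abs(p.get(x, 0) - q.get(x, 0)) for x in set(p) | set(q)) / 2


def build_distinguisher(p1, p2):
    """Hard-wire, for every access sequence, whether it is more likely under p1
    (verdict 1), more likely under p2 (verdict 2) or equally likely (verdict 0,
    meaning: flip a fair coin).  In general this table is exponential in the
    length of the access pattern, but the distinguisher reads only one entry."""
    table = {}
    for x in set(p1) | set(p2):
        a, b = p1.get(x, 0), p2.get(x, 0)
        table[x] = 1 if a > b else (2 if a < b else 0)
    return table


def prob_output_1(table, p):
    """Pr[D(x) = 1] for x drawn from p.  A tie, or an x absent from the table,
    is answered with a fair coin and so contributes 1/2 of its mass."""
    total = Fraction(0)
    for x, px in p.items():
        verdict = table.get(x, 0)
        total += px * (1 if verdict == 1 else (Fraction(1, 2) if verdict == 0 else 0))
    return total


def advantage(p1, p2):
    """Pr[D(x) = 1 | x ~ p1] - Pr[D(x) = 1 | x ~ p2] for the hard-wired D.
    This is exactly SD(p1, p2): the two output-1 probabilities differ by
    sum over x with p1(x) > p2(x) of (p1(x) - p2(x)), which is SD(p1, p2)."""
    table = build_distinguisher(p1, p2)
    return prob_output_1(table, p1) - prob_output_1(table, p2)


if __name__ == "__main__":
    print("SD        =", statistical_distance(P1, P2))
    print("advantage =", advantage(P1, P2))
```

Any distinguisher that looks at the whole access sequence can achieve at most the statistical distance, so the table-lookup distinguisher is optimal; the point for Section 5 is only that it also runs in time linear in the length of the access sequence.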
The definition of Goldreich and Ostrovsky.
Unlike the original definition of ORAM from Goldreich [Gol87] and Ostrovsky [Ost90], the definition of ORAM presented in Goldreich and Ostrovsky [GO96] postulates an alternative security requirement. However, the alternative definition suffers from an issue which is not present in the original definition and which, to the best of our knowledge, has not been pointed out in the literature. In particular, the definition in [GO96] can be satisfied by a dummy ORAM construction with only a constant overhead and without achieving any indistinguishability of the access sequences. Given that Goldreich and Ostrovsky [GO96] might serve as a primary reference for our community, we explain the issue in the following paragraphs to help prevent the use of the problematic definition in future works.
Recall the definition of ORAM with perfect security from Goldreich and Ostrovsky (Definition 2.3.1.3 in [GO96]):
Goldreich-Ostrovsky security: For any two input sequences and , if the length distributions and are identical, then and are identical.
As we show, this requirement can be satisfied by creating an ORAM that makes sure that on any two distinct sequences , the length distributions and differ. Note that no indistinguishability is required in that case and the ORAM can then reveal the access pattern of the input sequence.
To this end, we describe an ORAM with a constant overhead so that and the distribution encodes the sequence . The ORAM proceeds by performing every operation directly on the server followed by a read operation from address 1. After the last instruction in , the ORAM selects a random sequence of operations of length and if is lexicographically smaller than then the ORAM performs an extra read from address 1 before terminating. Note that this ORAM can be efficiently implemented using constant amount of internal memory by comparing the input sequence to the randomly selected one online. Also, the machine does not need to know the length of the sequence in advance. Finally, the length distribution is clearly different for each input sequence . Given that the above definition of ORAM of Goldreich and Ostrovsky allows the dummy construction with a constant overhead, we do not hope to extend our lower bound towards this definition.
One could object that the above dummy ORAM exploits the fact that indistinguishability of access sequences must hold only if the length distributions are identical. However, it is possible to construct a similar dummy ORAM with low overhead satisfying even the following relaxation of the definition requiring indistinguishability of access sequences corresponding to any pair of and for which and are statistically close (i.e., the indistinguishability is required for a potentially larger set of access patterns):
Relaxation of Goldreich-Ostrovsky security: For any two input sequences and , if the length distributions and are statistically close, then and are statistically close.
We show there is a dummy ORAM with a constant overhead such that for any two input sequences and which differ in their accessed memory locations, the statistical distance is at least (where and is the size of address range).
The ORAM works as follows. At the beginning, the ORAM picks and uniformly at random. Then for , it executes each of the input operations directly on the server. For each , it performs two additional reads from address 1 after executing the -th input operation. For , after the -th input operation it performs two additional reads from address 1 if , and it performs one additional read from address 1 if . For , it performs each of the input operations without any additional read.
It is straightforward to verify that the distribution of satisfies: for each , . Hence, for any pair and of two input sequences of length , if the sequences of addresses accessed by them differ then the statistical distance between the distributions of and is at least . If is polynomial in this means that their distance is at least . Thus, satisfies even the stronger variant of the definition from [GO96] even though its access sequence leaks the addresses from the input sequence.
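The two dummy ORAMs above, simulated exactly as an added example (this is not code from the paper). It enumerates a constructed universe of input sequences (operations are (kind, address, value) triples with one-bit values and addresses 1..m) and computes the length distributions with exact fractions rather than by sampling. The text does not fix the ranges of the coins i and j of the second construction or the exact test at index i; the code assumes i is uniform over the n operation indices, j is uniform over the m addresses, and the test is whether the i-th address is at most j. Under those assumptions two inputs that differ in an accessed address have length distributions at statistical distance at least 1/(nm).

```python
"""Added example, not code from the paper: exact simulation of the two dummy
ORAMs of Section 5 over a tiny constructed universe (n operations, addresses
1..m, one-bit values).  Every distribution is computed by enumeration."""
from fractions import Fraction
from itertools import product

KINDS = ("read", "write")  # an input operation is the triple (kind, address, value)


def all_sequences(n, m, vals=(0, 1)):
    """Every input sequence of length n over address range [1, m] (constructed universe)."""
    ops = [(k, a, v) for k in KINDS for a in range(1, m + 1) for v in vals]
    return list(product(ops, repeat=n))


def dummy1_access(y, z):
    """First dummy ORAM with coins z (a uniformly random input sequence of the
    same length as y): run each operation of y directly on the server, read
    address 1 after it, and append one more read of address 1 iff y < z
    lexicographically.  Returns the list of server addresses probed."""
    acc = []
    for (_, addr, _) in y:
        acc += [addr, 1]
    if y < z:  # Python compares tuples lexicographically
        acc.append(1)
    return acc


def dummy1_leaked_addresses(acc, n):
    """The input addresses sit at even positions of the access sequence."""
    return acc[0:2 * n:2]


def dummy1_length_dist(y, n, m, vals=(0, 1)):
    """Exact distribution of the access-sequence length of dummy ORAM 1 on y:
    2n with probability Pr[y >= z], 2n+1 with probability Pr[y < z].  Since the
    lexicographic order is total, no two inputs share this distribution."""
    seqs = all_sequences(n, m, vals)
    p_extra = Fraction(sum(1 for z in seqs if y < z), len(seqs))
    return {2 * n: 1 - p_extra, 2 * n + 1: p_extra}


def dummy2_access(y, i, j):
    """Second dummy ORAM with coins i in [1, n] and j in [1, m].
    ASSUMPTION (not fixed by the paper's text): i uniform over operation
    indices, j uniform over the address range, and at index i the ORAM does two
    extra reads iff the i-th address is <= j, otherwise one extra read."""
    acc = []
    for k, (_, addr, _) in enumerate(y, start=1):
        acc.append(addr)
        if k < i:
            acc += [1, 1]
        elif k == i:
            acc += [1, 1] if addr <= j else [1]
    return acc


def dummy2_length_dist(y, m):
    """Exact length distribution of dummy ORAM 2 under uniform coins (i, j)."""
    n = len(y)
    dist = {}
    for i in range(1, n + 1):
        for j in range(1, m + 1):
            ell = len(dummy2_access(y, i, j))
            dist[ell] = dist.get(ell, 0) + Fraction(1, n * m)
    return dist


def statistical_distance(p, q):
    return sum(abs(p.get(k, 0) - q.get(k, 0)) for k in set(p) | set(q)) / 2


def demo(n=2, m=2):
    """Returns (every input gets its own length distribution under dummy ORAM 1,
    SD of the dummy-ORAM-2 length distributions of two inputs differing in one
    address).  With n = m = 2 the second value is exactly 1/4 = 1/(n*m)."""
    seqs = all_sequences(n, m)
    dists = [tuple(sorted(dummy1_length_dist(y, n, m).items())) for y in seqs]
    all_distinct = len(set(dists)) == len(seqs)
    y1 = (("write", 1, 0), ("read", 2, 0))  # constructed inputs differing in address 1 vs 2
    y2 = (("write", 2, 0), ("read", 2, 0))
    sd = statistical_distance(dummy2_length_dist(y1, m), dummy2_length_dist(y2, m))
    return all_distinct, sd


if __name__ == "__main__":
    print(demo())
```

The first value confirms that the identical-length-distribution premise of the Goldreich-Ostrovsky condition never applies to two distinct inputs, and the second that the relaxed premise (statistically close length distributions) does not apply either, while `dummy1_access` and `dummy2_access` both expose the input addresses in the clear.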
It was previously shown by Haider, Khan and van Dijk [HKvD17] that there exists an ORAM construction which reveals all memory accesses from the input sequence while satisfying the definition of Goldreich and Ostrovsky from [GO96]. However, their construction has an exponential bandwidth overhead which makes it insufficient to demonstrate any issue with the definition of Goldreich and Ostrovsky. Clearly, any definition of ORAM can disregard constructions with super-linear overhead as a perfectly secure ORAM (with linear overhead) can be constructed by simply passing over the whole server memory for each input operation. Unlike the construction of [HKvD17], our constructions of the dummy ORAMs with constant bandwidth overhead exemplify that the definition of Goldreich and Ostrovsky from [GO96] is problematic in the interesting regime of parameters.
Simulation-based definitions.
The recent work of Asharov et al. [AKL+18] employs a simulation-based definition parameterized by a functionality which implements an oblivious data structure. Our lower bounds directly extend to their stronger definition when the functionality implements Array Maintenance. Moreover, our techniques can be adapted to give lower bounds for functionalities implementing stacks, queues and others considered in [JLN19].
Weak vs. strong computational security.
In this work, we distinguish between weak and strong computational security (see Definition 2.1). Our techniques do not allow us to prove matching bounds for ORAMs satisfying the two notions, and we show the lower bound only w.r.t. strong computational security. However, as we noted in Section 1.1, even the lower bound for online ORAMs satisfying weak computational security is an interesting result in the light of the work of Boyle and Naor [BN16]. It follows from [BN16] that any super-constant lower bound for offline ORAM would imply super-linear lower bounds on the size of sorting circuits, which would constitute a major breakthrough in computational complexity. The main result of Boyle and Naor [BN16] can be rephrased using our notation as follows.
Theorem 5.1 (Theorem 3.1 [BN16]).
Suppose there exists a Boolean circuit ensemble of size , such that each takes as input words each of size bits, and outputs the words in sorted order. Then for word size and constant internal memory , there exists a secure offline ORAM (as per Definition 2.8 [BN16]) with total bandwidth and computation .
Moreover, the additive factor of comes from the transpose part of the algorithm of [BN16] (see Figures 1 and 2 in [BN16]). As Boyle and Naor showed in their appendix (Remark B.3 [BN16]), this additive factor in total bandwidth can be reduced to if the size of internal memory is . Thus, a sorting circuit of size implies an offline ORAM with total bandwidth . Conversely, a lower bound for the total bandwidth of offline ORAM implies a lower bound for circuits sorting words of bits each.
We leave it as an intriguing open problem whether it is possible to prove an lower bound for online ORAMs satisfying weak computational security.
Acknowledgements
We wish to thank Oded Goldreich for clarifications regarding the ORAM definitions in [Gol87, Ost90, GO96] and Jesper Buus Nielsen for clarifying the details of the lower bound for computationally secure ORAMs from [LN18]. We are also thankful to the anonymous TCC 2019 reviewers for insightful comments that helped us improve the presentation of our results.
- [Ajt10] Miklós Ajtai. Oblivious RAMs without cryptographic assumptions. In Proceedings of the 42nd ACM Symposium on Theory of Computing, STOC 2010, Cambridge, Massachusetts, USA, 5-8 June 2010, pages 181–190, 2010.
- [AKL+18] Gilad Asharov, Ilan Komargodski, Wei-Kai Lin, Kartik Nayak, Enoch Peserico, and Elaine Shi. OptORAMa: Optimal oblivious RAM. IACR Cryptology ePrint Archive, 2018:892, 2018.
- [BN16] Elette Boyle and Moni Naor. Is there an oblivious RAM lower bound? In Proceedings of the 2016 ACM Conference on Innovations in Theoretical Computer Science, Cambridge, MA, USA, January 14-16, 2016, pages 357–368, 2016.
- [CLP14] Kai-Min Chung, Zhenming Liu, and Rafael Pass. Statistically-secure ORAM with Õ(log² n) overhead. In Advances in Cryptology - ASIACRYPT 2014 - 20th International Conference on the Theory and Application of Cryptology and Information Security, Kaohsiung, Taiwan, R.O.C., December 7-11, 2014, Proceedings, Part II, pages 62–81, 2014.
- [CP13] Kai-Min Chung and Rafael Pass. A simple ORAM. IACR Cryptology ePrint Archive, 2013:243, 2013.
- [DMN11] Ivan Damgård, Sigurd Meldgaard, and Jesper Buus Nielsen. Perfectly secure oblivious RAM without random oracles. In Theory of Cryptography - 8th Theory of Cryptography Conference, TCC 2011, Providence, RI, USA, March 28-30, 2011. Proceedings, pages 144–163, 2011.
- [DMNS06] Cynthia Dwork, Frank McSherry, Kobbi Nissim, and Adam D. Smith. Calibrating noise to sensitivity in private data analysis. In Theory of Cryptography, Third Theory of Cryptography Conference, TCC 2006, New York, NY, USA, March 4-7, 2006, Proceedings, pages 265–284, 2006.
- [FS89] Michael L. Fredman and Michael E. Saks. The cell probe complexity of dynamic data structures. In Proceedings of the 21st Annual ACM Symposium on Theory of Computing, May 14-17, 1989, Seattle, Washington, USA, pages 345–354, 1989.
