Optimal Offline ORAM with Perfect Security via Simple Oblivious Priority Queues

TL;DR

We address offline ORAM with a known access sequence and construct the first asymptotically optimal offline ORAM achieving perfect security via a simple oblivious priority queue built from oblivious partitioning and k-selection. The priority queue supports Insert, Min, and DeleteMin with amortized $O(\log N)$ time and uses $O(N)$ space, and it is deterministic and perfectly secure. Building on this, we obtain external-memory instantiations with cache-aware and cache-oblivious I/O complexities of $Θ(\frac{1}{B} \log \frac{N}{M})$ per operation and $Θ(\frac{1}{B} \log \frac{N}{M} \log\log_M N)$, respectively. Overall, the results close the gap to statistical and computational security in offline ORAM and provide a practical, rigorous route to secure outsourcing with known access patterns.

Abstract

Oblivious RAM (ORAM) is a well-researched primitive to hide the memory access pattern of a RAM computation; it has a variety of applications in trusted computing, outsourced storage, and multiparty computation. In this paper, we study the so-called offline ORAM in which the sequence of memory access locations to be hidden is known in advance. Apart from their theoretical significance, offline ORAMs can be used to construct efficient oblivious algorithms. We obtain the first optimal offline ORAM with perfect security from oblivious priority queues via time-forward processing. For this, we present a simple construction of an oblivious priority queue with perfect security. Our construction achieves an asymptotically optimal (amortized) runtime of $Θ(\log N)$ per operation for a capacity of $N$ elements and is of independent interest. Building on our construction, we additionally present efficient external-memory instantiations of our oblivious, perfectly-secure construction: For the cache-aware setting, we match the optimal I/O complexity of $Θ(\frac{1}{B} \log \frac{N}{M})$ per operation (amortized), and for the cache-oblivious setting we achieve a near-optimal I/O complexity of $O(\frac{1}{B} \log \frac{N}{M} \log\log_M N)$ per operation (amortized).

Figures (4)

• Figure 1: Structure of the oblivious priority queue: Each level $i \in \lbrace0, \ldots, \ell - 1\rbrace$ consists of a down-buffer $D_i$ and an up-buffer $U_i$ half the size of $D_i$.
• Figure 2: Distribution of the elements when rebuilding level $m$: The up to $2^{m + 1}$ smallest elements in the levels $0, \ldots, m$ are distributed over the down-buffers of the first $m$ levels. The up to $2^m$ remaining elements are inserted into the (empty) up-buffer $U_{m + 1}$ of level $m + 1$.
• Figure 3: Pre-processing the sequence of memory access locations $I$ when $n$ is super-polynomial in $N$. In this figure, $\langle i, t\rangle$ denotes a tuple of index $i$ and time-stamp $t$ while $\tau_j(i)$ denotes the time-stamp at which the index $i$ is accessed next in block $j$.
• Figure 4: Groups $G_i$ (sorted by their respective medians $M[i]$) and the median of medians $m$ in \ref{['alg:ObliviousRankK']}. The elements marked orange are smaller than $m$ and the elements marked blue are at least as big as $m$.

Theorems & Definitions (15)

• definition 1: Obliviousness with Perfect Security
• definition 2: Offline ORAM
• corollary 1: Oblivious $k$-Selection via Lin.Shi.ea19Asharov.Komargodski.ea22
• lemma 1: Invariants
• proof : Proof of \ref{['lma:Invariants']}
• theorem 1: Optimal Oblivious Priority Queue
• proof
• theorem 2: Optimal Offline ORAM
• corollary 2: Optimal Cache-Aware Oblivious Partitioning via Asharov.Komargodski.ea22Lin.Shi.ea19
• proof