OblivCDN: A Practical Privacy-preserving CDN with Oblivious Content Access
Viet Vo, Shangqi Lai, Xingliang Yuan, Surya Nepal, Qi Li
TL;DR
OblivCDN addresses the dual challenge of content confidentiality and user access-pattern privacy in real-world CDNs by combining Range-ORAM-based access with a data/metadata separation strategy and a distributed-trust oblivious client split across two non-colluding computing service nodes deployed near the edge. The design avoids heavy replication and trusted hardware while achieving practical latency and bandwidth, demonstrated by a 256 MB video download in 5.6 seconds and substantial speedups over a strawman direct-ORAM approach and the prior OblivP2P system in intercontinental streaming scenarios. The authors give a formal security analysis for the content provider (CP), the computing services (CSs) and the edge servers (ESs), together with complexity analyses and extensive experiments, including benchmarks of the oblivious building blocks and intercontinental streaming simulations. Overall, OblivCDN is a deployable privacy-preserving CDN that combines compatibility with current CDN architectures, strong privacy guarantees and scalable performance for streaming workloads.
Abstract
Content providers increasingly utilise Content Delivery Networks (CDNs) to enhance users' content download experience. However, this deployment scenario raises significant security concerns regarding content confidentiality and user privacy due to the involvement of third-party providers. Prior proposals using private information retrieval (PIR) and oblivious RAM (ORAM) have proven impractical due to high computation and communication costs, as well as integration challenges within distributed CDN architectures. In response, we present OblivCDN, a practical privacy-preserving system designed for seamless integration with the existing real-world Internet-CDN infrastructure. Our design adapts Range ORAM primitives to optimise memory and disk seeks when accessing contiguous blocks of CDN content, both at the origin and edge servers, while preserving both content confidentiality and user access-pattern hiding. We also customise several oblivious building blocks that integrate the distributed trust model into the ORAM client, thereby eliminating the computational bottleneck at the origin server and reducing communication costs between the origin server and edge servers. Moreover, the newly designed ORAM client eliminates the need for trusted hardware on edge servers, which significantly improves compatibility with networks containing massive numbers of legacy devices. In real-world streaming evaluations, OblivCDN downloads a 256 MB video in just 5.6 seconds, a 90× speedup over a strawman approach (direct ORAM adoption) and a 366× improvement over the prior art, OblivP2P.
