Privacy-Preserving Group Data Access

via Stateless Oblivious RAM Simulation

Michael T. GoodrichDept. of Computer Science

University of California, Irvinehttp://www.ics.uci.edu/~goodrich/

Michael MitzenmacherDept. of Computer Science

Harvard Universityhttp://www.eecs.harvard.edu/~michaelm/

Olga OhrimenkoDept. of Computer Science

Brown Universityhttp://www.cs.brown.edu/~olya/

Roberto TamassiaDept. of Computer Science

Brown Universityhttp://www.cs.brown.edu/~rt/

Abstract

We study the problem of providing privacy-preserving access to an outsourced honest-but-curious data repository for a group of trusted users.We show that such privacy-preserving data access ispossible using a combination of probabilistic encryp-tion, which directly hides data values, and statelessoblivious RAM simulation, which hides the patternof data accesses. We give simulations that have onlyan O(log n) amortized time overhead for simulatinga RAM algorithm, A, that has a memory of size n,using a scheme that is data-oblivious with very highprobability assuming the simulation has access to aprivate workspace of size O(nν), for any given fixedconstant ν > 0. This simulation makes use of pseudo-random hash functions and is based on a novel hier-archy of cuckoo hash tables that all share a commonstash. We also provide results from an experimentalsimulation of this scheme, showing its practicality.In addition, in a result that may be of some theo-retical interest, we also show that one can eliminatethe dependence on pseudorandom hash functions inour simulation while having the overhead rise to beO(log2 n).

1 Introduction

Companies offering outsourced data storage servicesare defining a growing industry, with competitorsthat include Amazon, Google, and Microsoft, whichare providing outsourced data repositories for indi-vidual or corporate users, with prices that amount topennies per gigabyte stored.

Clearly, the customers of such cloud computing ser-vices have an interest in security and privacy, par-ticularly for proprietary data. As a recognition ofthis interest, we note that, as of November 2010,the Amazon S3 and Microsoft Azure cloud platformhave achieved ISO 27001 certification and Google’scloud computing service has SAS70 certification. Inspite of these certifications, the companies that pro-vide outsourced data services nevertheless often havecommercial interests in learning information abouttheir customers’ data. Thus, the users of such sys-tems should also consider technological solutions formaintaining the privacy of their outsourced data inaddition to the assurances that come from certifica-tions and formal audits.

Of course, a key component for users to main-tain the privacy of their data is for them to storetheir data in encrypted form, e.g., using a group keyknown only to the set of users. Simply encryptingthe group’s data is not sufficient to achieve privacy,however, since information about the data may beleaked by the pattern in which the users access it.For example, at the Oakland 2010 conference, Chenet al. [8] show that highly sensitive data, such as fi-nancial and health information, can be inferred fromaccess patterns at popular financial and health websites even if the contents of those communications areencrypted.

1.1 Group Access to Outsourced Data

In this paper, we are interested in technological so-lutions to the problem of protecting the privacy of agroup’s data accesses to an outsourced data storagefacility. In this framework, we assume that a trusted

1

arX

iv:1

105.

4125

v1 [

cs.C

R]

20

May

201

1

group, G, of users shares a group key, K, with whichthey encrypt all their shared data that is stored at asemi-trusted data outsourcer, Bob. Furthermore, weassume that the users access their data according toa public indexing scheme, which Bob knows; hence,we can model Bob’s memory, M , as in the standardRAM model (e.g., see [1, 9, 14, 18]).

Each time a user, Alice, in G, accesses Bob’s mem-ory, she specifies an index i, and Bob responds withC = M [i]. Alice then performs the following (atomic)sequence of operations:

1. She decrypts C using K, producing the plaintextvalue, P = DK(C), that was stored in encryptedform at index i by Bob.

2. She optionally changes the value of P , dependingon the computation she is performing, producingthe plaintext value, P ′.

3. She encrypts P ′ using a probabilistic encryptionscheme based on K, producing ciphertext C ′ =EK(P ′).

4. She returns C ′ to Bob for him to store back inhis memory at index i; that is, she directs Bobto assign M [i]← C ′.

By using a probabilistic encryption scheme, the usersin the group G ensure that Bob is computationallyunable to determine the plaintext of any memory cellfrom that cell’s contents alone. Also, it is unfeasiblefor Bob to determine whether two memory cells storeencryptions of the same plaintext.

1.2 Stateless Oblivious RAM Simula-tion

In addition to using probabilistic encryption, theusers in the group G also need to hide their dataaccess patterns from Bob, so as to avoid inadvertentinformation leaks. To facilitate such information hid-ing, we formulate the privacy objective of the users inG in terms of the stateless oblivious RAM simulationproblem.

In this framework, we model the group G as a sin-gle user, Alice, who has a register holding the keyK and a CPU with a private cache. Alice’s interac-tions with Bob occur in discrete episodes in which shereads and writes a set of cells in his memory, usingprobabilistic encryption, as described above, to hidedata contents. Alice’s cache may be used as a privateworkspace during any episode, but it cannot storeany information from one episode to the next. Thisrequirement is meant to model the fact that Alice is

representing a group of users who do not communi-cate outside of their shared access to Bob’s memory.That is, each episode could model a consecutive setof accesses from different users in the group G. More-over, this requirement is what makes this framework“stateless,” in that no state can be carried from oneepisode to the next (other than the state that is main-tained by Bob).

To allow the group of users, which we model by thestateless Alice, to perform arbitrary computations onthe data they share and outsource to Bob, we assumethat Alice is simulating a RAM computation. We alsoassume the service provider, Bob, is trying to learn asmuch as possible about the contents of Alice’s datafrom the sequence and location of all of Alice’s mem-ory accesses. As mentioned above, however, he can-not see the content of what is read or written (sinceit is probabilistically encrypted). Moreover, Bob hasno access to Alice’s private cache. Bob is assumed tobe an honest-but-curious adversary [12], in that hecorrectly performs all protocols and does not tamperwith data.

We say that Alice’s sequence of memory accessesis data-oblivious if the distribution of this sequencedepends only on n, the size of the memory used bythe RAM algorithm she is simulating, m, the sizeof her private cache, and the length of the access se-quence itself. In particular, the distribution of Alice’smemory accesses should be independent of the datavalues in the input. Put another way, this definitionmeans that Pr(S |M), the probability that Bob seesan access sequence, S, conditioned on a specific con-figuration of his memory, M , satisfies

Pr(S |M) = Pr(S |M ′),

for any memory configuration M ′ 6= M such that|M ′| = |M |.

Examples of data-oblivious access sequences for anarray, A, of size n, in Bob’s memory, include the fol-lowing:

• Scanning A from beginning to end, accessingeach item exactly once, for instance, to computethe minimum value in A, which is then stored inA[1].

• Simulating a Boolean circuit, C, with its inputstaken in order from the bits of A.

• Accessing the cells of A according to a ran-dom hash function, h(i), as A[h(1)], A[h(2)],. . ., A[h(n)], or random permutation, π(i), asA[π(1)], A[π(2)], . . ., A[π(n)].

Examples of computations on A that would not bedata-oblivious include the following:

2

• Scanning A from beginning to end, accessingeach item exactly once, to compute the indexi of the minimum value in A, and then readingA[i] and writing it to A[1].

• Using a standard heap-sort, merge-sort, or quick-sort algorithm to sort A. (None of these well-known algorithms is data-oblivious.)

• Using values in A as indices for a hash table, T ,and accessing them as T [h(A[1])], T [h(A[2])], . . .,T [h(A[n])], where h is a random hash function.For example, consider what happens if the valuesin A are all equal and how unlikely the resultingcollision in T would be.

Note that this last example access pattern actuallywould be data-oblivious if the elements in A were al-ways guaranteed to be distinct, assuming the randomhash function, h, satisfies the standard assumptionsof the random oracle model (e.g., see [6]).

1.3 Related Prior Results

Data-oblivious sorting is a fundamental problem(e.g., see Knuth [19]), with deterministic schemes giv-ing rise to sorting networks, such as the impracti-cal O(n log n) AKS network [2, 3, 25, 29] as well aspractical, but theoretically-suboptimal, sorting net-works [20, 28]. Randomized data-oblivious sorting al-gorithms running in O(n log n) time and succeedingwith high probability1 are studied by Leighton andPlaxton [21] and Goodrich [15]. In addition, data-oblivious sorting is finding applications to privacy-preserving secure multi-party computations [30], andit is used in all the known oblivious RAM simulationschemes (including the ones in this paper).

In early work on the topic of oblivious simula-tion, Pippenger and Fischer [27] show that one cansimulate a Turing machine computation of lengthn with an oblivious Turing machine computation oflength O(n log n), that is, they achieve an amortizedO(log n) time and space overhead for this oblivioussimulation.

More recently, Goldreich and Ostrovsky [13] showthat a RAM computation using space n can be simu-lated with an oblivious RAM with an amortized timeoverhead of O(log3 n) per step of the original RAMalgorithm and space overhead of O(log n). Goodrichand Mitzenmacher [16] improve this result by showingthat any RAM algorithm, A, can be simulated in adata-oblivious fashion, with very high probability, in

1In this paper, we take the phrase “with very high proba-bility” to mean that the probability is at least 1 − O(1/nd),for any given fixed constant d ≥ 1.

an outsourced memory so that each memory accessperformed by A has a time overhead of O(log2 n),assuming Alice’s private cache has size O(1). Theirscheme has a space overhead of O(1). Incidentally,in the recent CRYPTO 2010 conference, Pinkas andReinman [26] also claim an oblivious RAM simula-tion result having a time overhead of O(log2 n), butthere is a flaw in this version of their scheme2.

In addition to these stateless oblivious RAM sim-ulation schemes, Williams and Sion [31] show how tosimulate a RAM computation with an oblivious RAMwhere the data owner, Alice, has a stateful privatememory of size O(

√n), achieving an expected amor-

tized time overhead of O(log2 n) using O(n log n)memory at the data provider. In addition, Williamset al. [32] claim a method that uses an O(

√n)-sized

private cache and has O(log n log log n) amortizedtime overhead, but Pinkas and Reinman [26] haveraised concerns with the assumptions and analysis ofthis result.

Goodrich and Mitzenmacher [16] provide a statefulRAM simulation scheme that achieves an overheadof O(log n) and is oblivious with very high probabil-ity. Their scheme assumes that Alice maintains statefrom one episode to the next in a private cache of sizeO(nν), for any given fixed constant ν > 0. Boneh etal. [7] also propose a scheme that uses a state. Theyachieve an amortized overhead of O(1) but using astate of size O(

√n log n). However, this state is es-

sential to the efficiency of both simulation schemes.Thus, these methods are not applicable to the prob-lem of providing privacy-preserving group access toan outsourced data repository.

Returning to stateless oblivious RAM simulation,we note that Ajtai [4] has a recent oblivious RAMsimulation result that shows that a polylogarithmicfactor overhead in time and space is possible with-out cryptographic assumptions about the existenceof random hash functions, as is done in the previousoblivious RAM simulation cited above. Damgard etal. [10] improve this result further, showing that atime overhead of O(log3 n) is possible for obliviousRAM simulation without using random functions.

In addition to the above-mentioned upper-boundresults, Beame and Machmouchi [5] show that if theadditional space utilized in the simulation (besidesthe space for the data itself) is sufficiently sublinear,then the overhead for oblivious RAM simulation hasa superlogarithmic lower bound. Such bounds don’t

2The scheme of Pinkas and Reinman allows the adversary,Bob, to distinguish with high probability an access sequencethat reads the same memory location over and over from onethat accesses each memory cell exactly once. This flaw is ex-pected to be repaired in the journal version of their paper.

3

Table 1: Comparison of Oblivious RAM simulations.

UserMemory

User StateSize

Server StorageAmortized Access

Overhead

Goldreich and Ostrovsky [13] O(1) - O(n log n) O(log3 n)Williams and Sion [31] O(

√n) O(

√n) O(n log n) O(log2 n)

Goodrich and Mitzenmacher [16] (1) O(1) - O(n) O(log2 n)Goodrich and Mitzenmacher [16] (2) O(nν) O(nν) O(n) O(log n)

Boneh et al. [7] O(√n log n) O(

√n log n) O(n) O(1)

Our result O(nν) - O(n) O(log n)Our result (w/o random oracle) O(nν) - O(n) O(log2 n)

apply, of course, to a simulation that uses O(n) addi-tional memory, as is common in the efficient schemesmentioned above.

We provide a summary of the Oblivious RAM sim-ulation schemes and compare with ours in Table 1.3.Note that the schemes that maintain a state cannotbe used to hide a pattern of access by a group of userswhich is one of the challenges we address in this pa-per.

1.4 Our Results

We give an efficient method for simulating any RAMalgorithm, A, in a stateless fashion with a time over-head of O(log n) and space overhead of O(1), using anaccess sequence that is data-oblivious with very highprobability, where n is the size of the RAM memory.Our methods assume that Alice has a private cache ofof size O(nν), for any given fixed constant ν > 0, butshe uses this cache only as a private “scratch space”to support computations she performs during eachepisode. Alice is not allowed to maintain state in herprivate memory from one episode to the next. Thus,this simulation scheme is applicable to the problemof simulating access to a shared data repository bya group of cooperating users that all share a secretkey. Moreover, the assumption about the size of Al-ice’s scratch space is motivated by the fact that evenhandheld devices have a reasonable amount of localmemory. For example, if we were to set ν = 1/4,then our simulation would allow a collection of de-vices having memories with sizes on the order of onemegabyte to support privacy-preserving access to anoutsourced data repository whose size is on the orderof one yottabyte.

Like the previous oblivious RAM simulationschemes mentioned above, our scheme uses a hier-archy of hash tables, together with a small set ofpseudorandom hash functions, to obfuscate the ac-cess pattern of the algorithm A (which need not be

specified in advance). The main idea of our scheme isto maintain these hash tables as cuckoo hash tablesthat all share a single stash of size O(log n). Whileconceptually simple, this approach requires a new,non-trivial analysis for a set of cuckoo tables sharinga common stash. In addition, an important techni-cal detail that simplifies our construction is that wemake no use of so-called “dummy” elements, whereasthe previous schemes used such elements.

In practice, the set of pseudorandom hash func-tions could be implemented using, e.g., keyed SHA-256 functions [11]. Nevertheless, we also show thatour construction can be used to simulate a RAM com-putation with an overhead of O(log2 n) without theuse of pseudorandom functions, which may be of sometheoretical interest.

Finally, we provide experimental results for a sim-ulation of our scheme, which show the practical effec-tiveness of the approach of using a shared stash. Inparticular, our experimental prototype simulates thedynamic evolution of the hierarchy of hash tables andour experimental analysis shows the threshold valuesat which the shared stash becomes effective.

2 Theory Background

For our results, we rely on general methods for data-oblivious simulation of a non-oblivious algorithm ona RAM. As mentioned above, the seminal theoreti-cal framework for such simulations was presented byGoldreich and Ostrovsky [13], who store keys in a hi-erarchy of hash tables of increasing size, each beingtwice the size of the previous one. For n items thereare O(log n) levels, each level being a standard hashtable with 2i buckets for some i, and each bucketcontaining up to O(log n) keys in order to cope withcollisions within the hash table. In this constructionthe total size of all the tables is O(n log n). To per-form a lookup, the first level is scanned sequentially,

4

and in each of the other levels, a bucket chosen bythe hash function for that level acting on the key(or, if the item is found at an earlier level, a randomdummy key) is scanned. The item is subsequently re-encrypted and re-inserted into the first level. It is im-portant to note that at all levels a bucket is scannedeven if the key is found early, to maintain oblivious-ness. As levels fill, keys must be shifted down tosubsequent levels. The details of the original schemeare rather complex; for further details see the originalpaper [13].

Recently, a more efficient simulation approach forthis problem was outlined by Goodrich and Mitzen-macher [16]. The primary difference in this new lineof work is the use of cuckoo hash tables in place thestandard hash tables used originally in [13]. Wetherefore now present some background on cuckoohashing.

As introduced by Pagh and Rodler [24], in standardcuckoo hashing we utilize two tables, each with mcells, with each cell capable of holding a single key.We make use of two hash functions h1 and h2. Weassume that the hash functions can be modeled ascompletely random hash functions. The tables storeup to n items, where m = n(1 + ε) for some constantε > 0, yielding a load of (just) less than 1/2; keyscan be inserted or deleted over time as long as thisrestriction is maintained.

A key x (which we may also refer to as an “item”or “element”) that is stored in the hash tables mustbe located at either h1(x) or h2(x). As there are onlytwo possible locations for a key, lookups take constanttime. To insert a new key x, we place x in the cellh1(x). If the cell had been empty, the operation iscomplete. Otherwise, key y previously in the cell ismoved to h2(y). This may in turn require anotherkey to be moved, and so on, until a key is placedin an empty cell. We say that a failure occurs if,for an appropriate constant c, after c log n steps thisprocess has not successfully terminated. Suppose weinsert an nth key into the system. It is known that:

• The expected time to insert a new key is boundedabove by a constant (that depends on ε).

• The probability that a new key causes a failure isΘ(1/n2) (where the notation hides a dependenceon ε).

See Figures 1 and 2 for examples.Before considering ways to reduce the probabil-

ity of failures to something more suitable, we brieflymention that there are several natural variations ofcuckoo hashing, many of which are described in a sur-vey article by Mitzenmacher [22]. Variations include

A B F C

E D

G

E G B F C

A D

Figure 1: The top of the figure represents a cuckoohash table. Keys are placed in one subtable; the ar-row for each key points to the alternate location forthe key in the other subtable. Key G is inserted,leading to the movement of several other keys for Gto be placed, as shown in the bottom of the figure.

A B C

E D F

G

Figure 2: Key G is to be inserted, but it cannot beplaced successfully. (Seven keys have only six loca-tions.) This leads to a failure, or if there is a stash,then G can be placed in a stash.

using more than two choices, using cells that holdmore than one key, and so on. For our purposes, itsuffices to understand standard cuckoo hashing, alongwith idea of a stash [17].

A stash represents additional memory where keysthat would cause a failure can be placed in order toavoid the failure; with a stash, a failure occurs onlyif the stash itself overflows. As shown in [17], thefailure probability when inserting the nth key intoa cuckoo hash table can be reduced to O(1/nk+2)for any constant k by using a stash that can holdk keys. Using this allows us to use cuckoo hash ta-bles for any polynomially bounded number of insertsand deletions using only a constant-sized stash. Tosearch for an item, we must search both the two tablelocations and the k stash locations. In the context of

5

oblivious simulation, we can search the stash simplyby reading each stash location.

As we have stated, however, in order to perform ouroblivious simulation, we will make use of a hierarchyof cuckoo hash tables to hold n items. The small-est of these hash tables may be much smaller thann, which can lead to problems in our setting3. Forexample, if the smallest hash table is of size x, theneven using a stash of size k leads to a failure probabil-ity of O(1/xk+2). If x is for example polylogarithmicin n, then for any constant k, the failure probabilityis Ω(1/n), and therefore over the insertion of n items,we would expect failures to occur. In order to dealwith this problem, Goodrich and Mitzenmacher [16]extend the analysis of [17] to stashes of logarithmicsize, showing that even for suitably large table sizesx that are only polylogarithmic in n, and stashes ofsize k = O(log n), the failure probability is O(x−αk)for a suitable constant k. This suffices to yield super-polynomially small failure rates.

In fact, we need to extend this result even fur-ther here. In [16], Goodrich and Mitzenmacher use alogarithmic-sized stash at each level. We explain herethat it suffices to use a single logarithmic-sized stashfor all levels. That is, while there’s a non-trivial prob-ability of at least one layer in our hierarchy requiringa stash of size Ω(1), over the logarithmic number oflayers only a stash of logarithmic size is actually nec-essary. We will use this in our construction in Sec-tion 3. We now briefly explain why, if we considerthe sum of the number of items placed in the stashat all possible levels in our construction, this will beat most O(log n) with high probability.

The key is the following argument. As shown in[16], at a level of size x cells (where x is Ω(log7 n)),the probability that the stash for that level exceeds atotal size s is x−Ω(s). Further, as long as the hashesfor each level in our construction are independent,we can treat the required stash size at each level isindependent, since the number of items placed in thestash at a level is then a random variable dependentonly on the number of items appearing in that level.

Now consider any point of our construction andlet Si be the number of items at the ith level thatneed to be put in the stash. It is apparent that Sihas mean less than 1 and tails that can be domi-nated by a geometrically decreasing random variable.This is sufficient to apply standard Chernoff bounds.Formally, let X1, X2, . . . , X` be independent randomvariables with mean 1 geometrically decreasing tails,so that Xi = j with probability 1/2j for j ≥ 1. Thenthe calculations of [16] imply that the Xi stochasti-

3This is also at the heart of the flaw in the CRYPTO2010version of the Pinkas and Reinman paper [26].

cally dominate the Si, and we can now apply standardChernoff bounds for these random variables. Specifi-cally, noting thatXi can be interpreted as the numberof fair coin flips until the first heads, we can think ofthe sum of the Xi as being the number of coin flipsuntil the `th head, and this dominates the numberof items that need to be placed in the stash at anypoint. When ` = O(log n), as is the case here asthere are only O(log n) levels of hash tables in ourconstruction, then for any constant γ1 there exists acorresponding constant γ2 such that the `th head oc-curs by the (γ2 log n)’th flip with probability at least1−1/nγ1 . (See, for example, [23, Chapter 4].) Hencewe can handle any polynomial number of steps withhigh probability, using a stash of size only O(log n)that holds items from all levels of our construction.

3 Simulating a RAM Algo-rithm Obliviously

In this section, we describe and analyze two schemesfor stateless oblivious RAM simulation.

3.1 Simulation Using PseudorandomFunctions

We begin with a construction that uses pseudoran-dom functions and is secure against a polynomiallybounded adversary.

Given a RAM algorithm, A, the main goal of ouroblivious simulation of A is to hide the pattern ofmemory accesses that are made by A. As mentionedin Section 2, we follow the general framework intro-duced by Goldreich and Ostrovsky [13], which uses ahierarchy of hash tables.

Let n be the number of memory cells of the RAM.We view each such cell as an item consisting of a pair(x, v), where x ∈ 0, · · · , n− 1 is the index and v isthe corresponding value. Our data structure storedat the server has three components, illustrated in Fig-ure 3. The first component is a cache of size O(log n),denoted by Q. The second component is a hierarchyof cuckoo hash tables, T = (T1, . . . , TL), where thesize of T1 is twice the size of Q, each table Ti+1 istwice the size of table Ti, and TL is the first tablein the sequence of size greater than or equal to n.Thus, L is O(log n). The third component is a stash,S, shared between all the above cuckoo tables.

RAM items are stored in the data structure in en-crypted form. We use a semantically secure prob-abilistic encryption scheme, which results in a dif-ferent ciphertext for the same item each time it isre-encrypted. Also, the server is unable to determine

6

Q Scache shared stash

cuck

oo

tab

les

…

T1

T2

T3

T4

Figure 3: Illustration of the data structure stored at the server for oblivious RAM simulation using pseudo-random functions. In the access phase of the simulation, all the items in the cache, Q and the stash, S, plustwo items for each cuckoo table Ti are read by the server. The locations accessed by the server are visualizedas gray-filled rectangles.

whether two ciphertexts correspond to the same item.The stash S is handled in a similar manner wheneverwe search in it for an item.

We use a family of pseudorandom functions param-eterized by a secret value, ki, for each table, Ti, suchthat no value ki is revealed to the server. In particu-lar, ki is stored in encrypted form for each table Ti,so that each user can read ki, decrypt it, and thenuse it to provide the two hash functions, h1 and h2,employed by the cuckoo table, Ti, to determine thelocation of items. In particular, a memory item (x, v)is mapped to locations h1(x) and h2(x) in Ti by thecuckoo scheme (and stored in one of these two loca-tions or in the common stash, S).

The data structure is initialized by storing all the nRAM items into cuckoo table TL. Each memory ac-cess defined by algorithmA corresponds to an episodein our simulation. An episode consists of two phases,an access phase and a rebuild phase.

Suppose algorithm A calls for an access to memoryitem (x, v). The access phase consists of a search forx in the cache, Q, then in the stash, S, and contin-ues with a two-cell cuckoo lookup in each of T1 toTL until we find the first item with index x. Once wehave found this item, we have achieved the goal of oursearch, of course. Nevertheless, for the sake of obliv-iousness, we simulate continuing the search through-out the entire data structure. Namely, we alwaystraverse completely Q and S, and we perform two-cell cuckoo accesses in tables T1 through TL. How-ever, after the item is found, we simply access twodistinct, independent uniformly chosen random loca-tions in each remaining cuckoo table.

Once we have completed the access phase, whichtakes O(log n) time, we then switch to the rebuildphase. We begin by adding or replacing a copy ofthe found item into cache Q, possibly changing itsvalue in the case of a write operation. To assureobliviousness, we exhaustively scan Q in a sequen-tial manner and re-encrypt and rewrite all its items.Thus, the server cannot distinguish which item wasaccessed and whether it was modified.

We note briefly that if the item is in the stash,we can obliviously remove it from the stash whenplacing it into Q, to help make sure the stash doesnot overflow. One natural approach is to have stashcells have an associated “clean” or “dirty” bit, whichis encrypted along with the rest of the item. A cleancell can store an item; a dirty cell is currently beingutilized. When an item is found and replaced into Q,we can set the cell to clean in the stash.

After adding enough items, cache Q will eventuallyoverflow. We remedy the overflow by moving all theelements of Q to cuckoo table T1, including those as-sociated with empty locations. However, in order tomaintain obliviousness, we do not wait for an overflowto occur and instead perform the move after a numberof accesses equal to the size of Q. The moving downof elements cascades down through the hierarchy ofcuckoo tables at a fixed schedule by periodically mov-ing the elements of Ti−1 into Ti at the earliest timeTi−1 could have become full. Also, suppose that weare going to move elements into table Ti for the sec-ond time, then we instead move the elements intotable Ti+1. Moreover, we continue applying this rulefor i = 1, 2, . . ., until we are copying the elements

7

into a table for the first time or we reach TL. Thus,the process of copying elements into a cuckoo tableoccurs at deterministic instances, depending only onthe place we currently are at in the access sequencespecified by algorithm A.

In order to move m elements from a table Ti intoa cuckoo hash table Ti+1 obliviously, we use an algo-rithm of [16] to obliviously sort the items using O(m)accesses to the outsourced memory, assuming we havea private workspace of size O(nν), for some constantν > 0, and m ≥ log n, which is always true in ourcase. This allows us to remove duplicate items anduse another algorithm of [16] to obliviously constructa cuckoo table of size m and an associated stash, S′,of size O(log n) in O(m) time, with very high prob-ability, while utilizing the private workspace of sizeO(nν). Given this construction, we then read S andS′ into our private workspace, remove any duplicatesand merge them into a single stash S (which will suc-ceed with very high probability, based on the anal-ysis we have given above), and write S back out ina straightforward oblivious fashion. Note that in or-der to assure obliviousness in subsequent lookups, ta-ble Ti+1 is rebuilt using two new pseudorandom hashfunctions selected by the client by replacing parame-ter ki+1 with a new secret value.

Any access performed in our simulation will even-tually lead to O(log n) table rebuilds, with each el-ement in a rebuild being charged with a constantamount of work; hence, the total amortized over-head of all rebuild phases is O(log n). Therefore, thetotal amortized time overhead of the entire simula-tion is O(log n). Moreover, it is easy to see that thespace used by the data structure stored at the serveris O(n).

Let us therefore consider the obliviousness of thisscheme. As we have already observed, the rebuildphase is clearly oblivious, so any potential dependen-cies on input values would have to come in the accessphase. Recall that in the access phase, we search inS, Q, and do a two-table cuckoo access in T1, . . . , TL.Moreover, because we move the found item into Q af-ter each access, and we switch to performing randomtable lookups once we have found the item, we areguaranteed never to repeat a two-cell cuckoo lookupin any table, Ti, for the same item x. In addition,each such lookup is an independent uniformly ran-dom access to a table (either from our assumptionabout h1 and h2 being distinct random hash functionsfor each table or because we already found the itemand are making random accesses explicitly). We per-form O(|Ti|) such lookups before we empty Ti; hence,the obliviousness of our access sequence depends onthe inability of the adversary, Bob, of telling if we

are doing a search for an actual item or performinga random access for the sake of obliviousness. Thatis, with high probability, Bob should not be able todetermine whether the item was in S, Q, or some Tiat the point we found it. Note that this ability de-pends solely on whether or not the O(|Ti|) accesseswe made to Ti, together with searches in the sharedstash S, would correspond to valid cuckoo lookups inTi for some set of items. Of course, this is the sameas the event that inserting all these elements into Tiwould form a valid cuckoo table, with shared stash S,which we have already observed (in Section 2) is anevent that occurs with very high probability. Thus,our scheme is oblivious with very high probability.

3.2 Simulation Without Pseudoran-dom Functions

We can adapt our simulation to avoid the use of ran-dom functions by employing an elegant trick due toDamgard et al. [10], albeit now further simplified toavoid the use of dummy nodes, which would add anextra level of complication that our scheme doesn’trequire.

The main idea is to place a complete binary tree, B,on top of all the memory cells used in the algorithmA, and access each memory cell x by performing abinary search from the root of B to the leaf node cor-responding to x. That is, we associate each memorycell item used by A with a leaf of B, define B tohave height dlog ne, and include information at eachinternal node v of B so that a search for x can deter-mine in O(1) time whether to proceed with the leftchild or right child of v. In our case, we store eachof the nodes of B in our hierarchy of tables, similarto what is described above, with the shared stash, S,the cache, Q, and the set of cuckoo tables, T1 to TL.(See Figure 4.)

The main difference of this scheme with that givenabove is that in this case we no longer use randomhash functions, h1 and h2, to determine the loca-tions of each element x in a cuckoo table Ti. In-stead, we simply choose two distinct, independentuniformly random locations, i1 and i2, in the respec-tive two sides of Ti and associate these with x as atuple (x, i1, i2), which now represents the element xin our table.

Initially, all the nodes of B are stored in this wayin TL, and for each such internal node v, we includein v’s record pointers to the two random indices (andtable index) for v’s left child and pointer to the tworandom indices (and table index) for v’s right child.Such pointers can be built obliviously by O(1) callsto oblivious sorting once we have placed all the nodes

8

Q Scache shared stash

cuck

oo

tab

les

…

T1

T2

T3

T4 …

B:r root r

Memory addresses for the RAM algorithm, A

Figure 4: Illustration of the data structure stored at the server for oblivious RAM simulation without usingpseudorandom functions. The binary tree is shown conceptually on the right and in terms of the storagelocations of its nodes on the left. The storage locations for the nodes of the binary tree, B, are visualized asgray-filled rectangles. In the access phase of the simulation for a non-root node, all the items in the cache,Q and the stash, S, plus two items for each cuckoo table Ti are read by the server.

into TL. Moreover, we will maintain such pointersthroughout our simulation. In addition, we store theroot r of B separately, as it is accessed in every stepof our simulation.

Let us consider, therefore, how an access now oc-curs. The critical property, which we maintain in-ductively, is that, for each node v in B, which, say, isstored in Tj as its earliest (highest) location in our hi-erarchy, all the ancestors of B are stored in the tablesT1, . . . , Tj , or in r, S, or Q.

Our access for a memory cell x now occurs as aroot-to-leaf search in B. We begin by searching inr to identify the two random indices and the tableindex for each of r’s children. Based on the valueof x, we need to search next for either the left orright child of r, so let i1 and i2 be the two randomindices for this node, w, and let j be the index of thehighest table Tj storing w (with j = 0 if w ∈ Q andj = −1 if w ∈ S). We next search in S and Q forw, and then proceed in T1 through TL. Of course,we already know the table where we will find w. So,for each table Tk with k 6= j, we simply access tworandom locations in Tk for the sake of obliviousness.For Tj itself, we look in locations Tj [i1] and Tj [i2] tofind the cell containing the record for w. If w is not aleaf node, we repeat the above lookup search for theappropriate child of w that will lead us to the nodestoring x.

Once we have done our lookup for x, and have ac-cessed a root-to-leaf set of nodes,

W = w1, w2, . . . , wlogn,

in the process, we perform a rebuild phase for W ,as in the above construction based on random hashfunctions, except that we use random locations for allthe nodes we move rather than use random functions.Note that by our induction hypothesis, if we move aset of nodes into a table Ti, then all the pointers forthese nodes are either in Ti itself (hence, can be iden-tified after O(1) calls to oblivious sorting, which takesO(n) memory accesses by the algorithm of [16]) or atlower levels in the hierarchy (hence, these pointersdon’t change by our move into Ti). Moreover, all thenodes of W move as a group. Thus, any root-to-leafpath in B must be stored in the tables T1 to TL, plusthe queue Q and stash S, in a way that satisfies ourinduction hypothesis.

The lookup for an element x now requires search-ing for O(log n) nodes of B in our hierarchy, whichcosts an amortized overhead of O(log n) time each.Thus, each lookup costs us an amortized overheadof O(log2 n) time. The obliviousness of this simula-tion follows from an argument similar to that givenabove for the obliviousness for our method that usesrandom hash functions. Therefore, we can performa stateless oblivious RAM simulation without usingrandom hash functions with an amortized time over-head of O(log2 n), assuming a private workspace ofsize O(nν) for some constant ν > 0.

9

4 Performance

We have implemented a preliminary prototype of ourmethod for oblivious RAM simulation based on pseu-dorandom functions (Section 3.1) with the goal of es-timating the size of the stash S needed to avoid fail-ures during the rebuild phase. A failure can happenwhen we move elements from table Ti to Ti+1 andthe stash overflows, in which case we need to rebuildtable Ti+1. In this section we present experimentalresults and show that for a small constant s, a stashof size s log n is enough to avoid failures.

Our prototype simulates the dynamic evolution ofthe hierarchy of hash tables during the access and re-build phases, omitting the steps that maintain obliv-iousness (e.g. copying the stash to the client’s side).We maintain a stash S, a cache Q of size log n anda hierarchy of O(log n) cuckoo hash tables T1 to TL,where L is the smallest i such that 2i log n ≥ n. Ticonsists of two hash tables of size (1 + ε)2i log n withhash functions hi1 and hi2. Every memory access is fol-lowed by the insertion of the corresponding elementinto Q. If the item was retrieved from stash S, it isfirst copied to Q and then is removed from S. Wemove all the elements of Q to T1 when the numberof performed accesses is a multiple of log n. Simi-larly, we move all the elements of Ti to Ti+1 when thenumber of performed accesses is a multiple of 2i log n.New hash functions are picked for both tables duringthis phase. During the insertion, an item is placedinto the stash if after c log n moves it has not foundan empty cell in the table; we experiment using c = 2.We insert an item into the stash only if it is not al-ready present there.

Our prototype is implemented in Java. Togenerate hash functions we use a variation ofa method recommended in [11], where hi1(x) =SHA256(x || seed1

i ) mod n, and similarly for hi2.The seeds are 64-bit long and were obtained usinga SHA256 hash chain starting from an initial seed.

We emphasize that in any implementation of ourmethod there are various tradeoffs. For example,increasing the space (that is, using larger values ofε) reduces the average time for an insertion and thefailure probability, as it reduces the frequency withwhich items have to be put in the stash. Increasingthe stash size reduces the failure probability at theexpense of additional time to examine the stash ateach step. Increasing the number of moves allowedbefore placing an item in the stash increases the timebut lowers the failure probability. Our purpose hereis not to explore this broad range of tradeoffs, but todemonstrate the feasibility of this approach; explor-ing finer tradeoffs is left as future work.

We ran our simulation for up to 1024K (K = 1000)RAM items and a varying number of requests. Ourexperiments use a value of ε of 0.1 and 0.2. For eachexperiment we recorded the lowest size of S that isneeded to avoid a failure. In Figures 5 and 6 we showthe fraction of trials out of 1000 that result in thestash overflow. Comparing the two figures, we seethat overflows happen substantially more frequentlywith ε = 0.1 than with ε = 0.2, as one would expectsince smaller tables lead to more collisions. Indeed,for ε = 0.2 we found a stash size of less than log nwas enough to avoid overflows completely in our lim-ited experiments. Also, a higher number of requestsrequires a slightly bigger stash since rebuilding hap-pens more often, leading to a larger maximum stashrequirement. While much more extensive experimen-tation would be needed to determine suitable stashsizes that would avoid stash overflow for numbers oftrials many orders of magnitude larger, recall thatthe probability of an additional item needing to beplaced in a stash in a standard cuckoo table falls veryquickly. We thus expect only slightly larger stashsizes for such improvements in robustness.

0

0.2

0.4

0.6

0.8

1

5 10 15 20 25

Fail

ure

rate

Stash size

n=32K r=32K

n=32K r=64K

n=128K r=128K

n=128K r=256K

n=1024K r=1024K

n=1024K r=2048K

Figure 5: Failure rate in 1000 trials for n items andr requests with c = 2, ε = 0.1.

5 Conclusion

We have given schemes for achieving privacy-preserving access, with very high probability, to anoutsourced data repository for a group of trustedusers. Our scheme assumes each user has a mod-est amount of private memory, of size O(nν), forany given fixed constant ν > 0, which is used asa workspace for private computation and carries no

10

0

0.2

0.4

0.6

0.8

1

2 4 6 8 10 12 14

Fail

ure

rate

Stash size

n=32K r=32K

n=32K r=64K

n=128K r=128K

n=128K r=256K

n=1024K r=1024K

n=1024K r=2048K

Figure 6: Failure rate in 1000 trials for n items andr requests with c = 2, ε = 0.2.

state from one interaction with the data repository tothe next. Assuming the existence of pseudorandomhash functions, say implemented as keyed SHA-256functions in practice, our protocol has an O(log n)amortized time overhead and an O(1) space over-head. Moreover, our experiments show that this pro-tocol would be effective in practice. If pseudorandomhash functions are not to be used, then we show thatour protocol can be adapted to have an overhead ofO(log2 n).

There are several directions for future work, includ-ing the following:

• Our protocols assume that the manager of thedata repository, Bob, is honest-but-curious.

– Can our schemes be efficiently adapted tothe case where Bob is only semi-trusted?

– Can we efficiently handle a situation whereBob acts maliciously against some users?

– Can we prevent Bob from performing a re-play attack on some users using old versionsof his memory?

• Our protocols also assume that the members ofthe group of cooperating users are all trusted.

– What if some of the members of the groupare malicious?

– What if some of them collude with Bob totry to reveal the access patterns of otherusers?

Acknowledgments

This research was supported in part by the NationalScience Foundation under grants 0724806, 0713046,0847968, 0953071, and 1012060.

References

[1] A. V. Aho, J. E. Hopcroft, and J. D. Ullman,Data Structures and Algorithms. Reading,MA: Addison-Wesley, 1983.

[2] M. Ajtai, J. Komlos, and E. Szemeredi, “AnO(n log n) sorting network,” in Proc. ACMSymposium on Theory of Computing (STOC),1983, pp. 1–9.

[3] ——, “Sorting in c log n parallel steps,”Combinatorica, vol. 3, pp. 1–19, 1983.

[4] M. Ajtai, “Oblivious RAMs withoutcryptographic assumptions,” in Proc. ACMSymposium on Theory of Computing (STOC).ACM, 2010, pp. 181–190.

[5] P. Beame and W. Machmouchi, “Making RAMsoblivious requires superlogarithmic overhead,”Electronic Colloquium on ComputationalComplexity, Report TR10-104, 2010,http://eccc.hpi-web.de/report/2010/104/.

[6] M. Bellare and P. Rogaway, “Random oraclesare practical: a paradigm for designing efficientprotocols,” in Proc. ACM Conference onComputer and Communications Security(CCS). New York, NY, USA: ACM, 1993, pp.62–73.

[7] D. Boneh, D. Mazieres, and R. A. Popa,“Remote oblivious storage: Making obliviousRAM practical,” Technical Report, 2011,http://dspace.mit.edu/handle/1721.1/62006.

[8] S. Chen, R. Wang, X. Wang, and K. Zhang,“Side-channel leaks in web applications: areality today, a challenge tomorrow,” in Proc.IEEE Symposium on Security and Privacy,2010, pp. 191–206.

[9] T. H. Cormen, C. E. Leiserson, R. L. Rivest,and C. Stein, Introduction to Algorithms,2nd ed. Cambridge, MA: MIT Press, 2001.

[10] I. Damgard, S. Meldgaard, and J. B. Nielsen,“Perfectly secure oblivious RAM withoutrandom oracles,” Cryptology ePrint Archive,Report 2010/108, 2010, http://eprint.iacr.org/.

11

[11] Y. Dodis and P. Puniya, “Getting the best outof existing hash functions; or what if we arestuck with SHA?” in Applied Cryptography andNetwork Security (ACNS), 2008, pp. 156–173.

[12] O. Goldreich, S. Micali, and A. Wigderson,“How to play ANY mental game,” in Proc.ACM Symposium on Theory of Computing(STOC). New York, NY, USA: ACM, 1987,pp. 218–229.

[13] O. Goldreich and R. Ostrovsky, “Softwareprotection and simulation on oblivious RAMs,”J. ACM, vol. 43, no. 3, pp. 431–473, 1996.

[14] M. T. Goodrich and R. Tamassia, AlgorithmDesign: Foundations, Analysis, and InternetExamples. New York, NY: John Wiley &Sons, 2002.

[15] M. T. Goodrich, “Randomized Shellsort: Asimple oblivious sorting algorithm,” in Proc.ACM-SIAM Symposium on Discrete Algorithms(SODA). SIAM, 2010, pp. 1–16.

[16] M. T. Goodrich and M. Mitzenmacher,“Privacy-preserving access of outsourced datavia oblivious RAM simulation,” in Proceedingsof ICALP, 2011, to appear.

[17] A. Kirsch, M. Mitzenmacher, and U. Wieder,“More robust hashing: cuckoo hashing with astash,” SIAM J. Comput., vol. 39, pp.1543–1561, 2009.

[18] J. Kleinberg and E. Tardos, Algorithm Design.Boston, MA, USA: Addison-Wesley, Inc., 2005.

[19] D. E. Knuth, Sorting and Searching, ser. TheArt of Computer Programming. Reading,MA: Addison-Wesley, 1973, vol. 3.

[20] F. T. Leighton, Introduction to ParallelAlgorithms and Architectures: Arrays, Trees,Hypercubes. San Mateo, CA:Morgan-Kaufmann, 1992.

[21] T. Leighton and C. G. Plaxton, “Hypercubicsorting networks,” SIAM J. Comput., vol. 27,no. 1, pp. 1–47, 1998.

[22] M. Mitzenmacher, “Some open questionsrelated to cuckoo hashing,” in Proc. EuropeanSymposium on Algorithms (ESA), 2009, pp.1–10.

[23] M. Mitzenmacher and E. Upfal, Probability andComputing: Randomized Algorithms and

Probabilistic Analysis. New York, NY, USA:Cambridge University Press, 2005.

[24] R. Pagh and F. Rodler, “Cuckoo hashing,”Journal of Algorithms, vol. 52, pp. 122–144,2004.

[25] M. Paterson, “Improved sorting networks withO(logN) depth,” Algorithmica, vol. 5, no. 1,pp. 75–92, 1990.

[26] B. Pinkas and T. Reinman, “Oblivious RAMrevisited,” in Advances in Cryptology(CRYPTO), ser. Lecture Notes in ComputerScience, T. Rabin, Ed. Springer, 2010, vol.6223, pp. 502–519.

[27] N. Pippenger and M. J. Fischer, “Relationsamong complexity measures,” J. ACM, vol. 26,no. 2, pp. 361–381, 1979.

[28] V. R. Pratt, “Shellsort and sorting networks,”Ph.D. dissertation, Stanford University,Stanford, CA, USA, 1972.

[29] J. Seiferas, “Sorting networks of logarithmicdepth, further simplified,” Algorithmica,vol. 53, no. 3, pp. 374–384, 2009.

[30] G. Wang, T. Luo, M. T. Goodrich, W. Du, andZ. Zhu, “Bureaucratic protocols for securetwo-party sorting, selection, and permuting,” inProc. ACM Symposium on Information,Computer and Communications Security(ASIACCS). New York, NY, USA: ACM,2010, pp. 226–237.

[31] P. Williams and R. Sion, “Usable PIR,” inNDSS. The Internet Society, 2008.

[32] P. Williams, R. Sion, and B. Carbunar,“Building castles out of mud: practical accesspattern privacy and correctness on untrustedstorage,” in Proc. ACM Conference onComputer and Communications Security(CCS). New York, NY, USA: ACM, 2008, pp.139–148.

12