DOI: 10.1145/2694344.2694353
research-article

Freecursive ORAM: [Nearly] Free Recursion and Integrity Verification for Position-based Oblivious RAM

Published: 14 March 2015

ABSTRACT

Oblivious RAM (ORAM) is a cryptographic primitive that hides memory access patterns as seen by untrusted storage. Recently, ORAM has been architected into secure processors. A big challenge for hardware ORAM schemes is how to efficiently manage the Position Map (PosMap), a central component in modern ORAM algorithms. Implemented naively, the PosMap causes ORAM to be fundamentally unscalable in terms of on-chip area. On the other hand, a technique called Recursive ORAM fixes the area problem yet significantly increases ORAM's performance overhead.

To address this challenge, we propose three new mechanisms. We propose a new ORAM structure called the PosMap Lookaside Buffer (PLB) and PosMap compression techniques to reduce the performance overhead from Recursive ORAM empirically (the latter also improves the construction asymptotically). Through simulation, we show that these techniques reduce the memory bandwidth overhead needed to support recursion by 95%, reduce overall ORAM bandwidth by 37% and improve overall SPEC benchmark performance by 1.27x. We then show how our PosMap compression techniques further facilitate an extremely efficient integrity verification scheme for ORAM which we call PosMap MAC (PMMAC). For a practical parameterization, PMMAC reduces the amount of hashing needed for integrity checking by >= 68x relative to prior schemes and introduces only 7% performance overhead.

We prototype our mechanisms in hardware and report area and clock frequency for a complete ORAM design post-synthesis and post-layout using an ASIC flow in a 32 nm commercial process. With 2 DRAM channels, the design post-layout runs at 1 GHz and has a total area of 0.47 mm². Depending on PLB-specific parameters, the PLB accounts for 10% to 26% area. PMMAC costs 12% of total design area. Our work is the first to prototype Recursive ORAM or ORAM with any integrity scheme in hardware.


Published in

ASPLOS '15: Proceedings of the Twentieth International Conference on Architectural Support for Programming Languages and Operating Systems
March 2015, 720 pages
ISBN: 9781450328357
DOI: 10.1145/2694344

Copyright © 2015 ACM


Publisher: Association for Computing Machinery, New York, NY, United States


Acceptance Rates

ASPLOS '15 paper acceptance rate: 48 of 287 submissions, 17%. Overall acceptance rate: 535 of 2,713 submissions, 20%.
