Hierarchical ORAM Revisited, and Applications to Asymptotically Efficient ORAM and OPRAM. Hubert Chan, Yue Guo, Wei-Kai Lin, Elaine Shi 2017/12/5


Random Access Machine (RAM). Maybe the standard model of algorithms. Memory / Server: N words, indexed by address. Interface: Read / Write address. CPU / Client: constant num. of registers.

Oblivious RAM (ORAM). Provable security [Goldreich and Ostrovsky]. Diagram: Read / Write address, ORAM, Addr 1, Addr 2, Addr 3, ...; Simulator, Addr 1, Addr 2, Addr 3, ...

Hierarchical ORAM Schemes (1). Bandwidth overhead: $O(\sqrt{N})$ [Goldreich and Ostrovsky]

Hierarchical ORAM Schemes (2). Bandwidth overhead: $O(\log^3 N)$ [Goldreich and Ostrovsky]

Hierarchical ORAM Schemes (3). Bandwidth overhead: $O(\log^2 N)$ [Goodrich and Mitzenmacher]

Hierarchical ORAM Schemes (4). Bandwidth overhead: $O(\log^2 N / \log\log N)$ [Kushilevitz, Lu, and Ostrovsky]

Hierarchical ORAM Schemes (5). Bandwidth overhead: $O(\log^2 N / \log\log N)$ [Today]. Simple.

Warmup: Permute and Buffer [Goldreich and Ostrovsky]. Hidden permutation π. Diagram: memory cells labelled π 1, π 3, π 2.

Warmup: Permute and Buffer [Goldreich and Ostrovsky]. Hidden permutation π. Diagram: memory cells labelled π 1, π 3, π 2; query π 3?

Warmup: Permute and Buffer [Goldreich and Ostrovsky]. Buffer: scan buffer. Random addr. Diagram: buffer queried 3?; memory cells labelled random, π 1, π 3, π 2.

Warmup: Permute and Buffer [Goldreich and Ostrovsky]. Buffer. New permutation. Memory.

Warmup: Hash and Buffer [Goldreich and Ostrovsky]. Buffer. Hash table: Build, Lookup. Bandwidth overhead: $O(\sqrt{N})$

Hierarchical ORAM [Goldreich and Ostrovsky]. Recursive buffer of next level. Diagram: Level 0, Level 1, Level 2, Level 3, Level 4. Bandwidth overhead: $O(\log^3 N)$

Use Cuckoo Hash [Goodrich and Mitzenmacher]. Faster hash table. Build: $O(\log N)$ per element. Lookup: $O(1)$. Diagram: Level 0, Level 1, Level 2, Level 3, Level 4. Bandwidth overhead: $O(\log^2 N)$

Cuckoo Hash is Involved, especially to make it oblivious [Goodrich and Mitzenmacher]. Random bipartite graph. Doob martingale. Azuma's inequality.

Cuckoo Hash is Involved, especially to make it oblivious. Topological info.

Cuckoo Hash is Involved, especially to make it oblivious [Goodrich and Mitzenmacher]. Refine algorithm. Var. martingale. Var. Azuma's ineq.

Use Cuckoo Hash [Goodrich and Mitzenmacher]. Faster hash table. Build: $O(\log N)$ per element. Lookup: $O(1)$. Diagram: Level 0, Level 1, Level 2, Level 3, Level 4.

Re-parameterize Hierarchy [Kushilevitz, Lu, and Ostrovsky]. Reduce num. levels. Each level: $\mu = \log N$ hash tables. Level $i$: capacity $\mu^i$. $\log_\mu N$ levels. Diagram: Level 0, Level 1, Level 2. Bandwidth overhead: $O(\log^2 N / \log\log N)$

Hash Table We Need. Each level: $\mu = \log^{1-\epsilon} N$ hash tables. Cuckoo hash is an overkill! Build: $O(\log N)$ per element. Lookup: $O(\log^{\epsilon} N)$. Diagram: Level 0, Level 1, Level 2.

Recall: Balls-and-Bins (1-tier) Hash Table. Standard hash table. Oblivious: sort and scan. Not efficient enough. Bucket size: Z words. Num. of buckets: B.
Secure implementation [GO96]:
1. Add hash values
2. Add dummy words
3. Sort by hash values using AKS
4. Mark duplicates
5. Sort by duplicates
6. Truncate

Two-Tier Hash Table. Repeats standard hash twice. Diff. B and Z.

Parameters. To store $n$ elements, choose $Z = 5\log^{\epsilon}\lambda$ and $B = n / \log^{\epsilon}\lambda$, where $\epsilon \in (0.5, 1)$ is a constant. Bucket size: Z words. Num. of buckets: B.

Overflow Probability. Theorem (1st tier): If n 3 exp log ε N, then total overflow is at most $k = 288B\exp(-Z/6)$, except with negl. prob. Theorem (2nd tier): If n 3 exp log ε N, then no overflow, except with negl. prob. o n 1 α. Chernoff bound; moment gen. func.; negative dep.
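The sort-and-scan build from the [GO96] slide, run twice to form the two-tier table, as an added example that is not code from the talk or the paper. Assumptions: Python's built-in sort stands in for an oblivious sort such as AKS, keyed BLAKE2b stands in for the hash, logarithms are base 2, addresses are distinct non-negative integers, steps 4 and 5 are read as marking and moving the rows beyond a bucket's first Z, and the names `params`, `bucket_of`, `build_tier`, `build_two_tier` and `lookup` are hypothetical.

```python
import hashlib, math

DUMMY = None  # filler word; names, hash and log base here are assumptions

def params(n, lam, eps=0.75):
    """Z = 5 log^eps(lam) and B = n / log^eps(lam), rounded up; returns (B, Z)."""
    t = math.log2(lam) ** eps
    return math.ceil(n / t), math.ceil(5 * t)

def bucket_of(key, addr, B):
    h = hashlib.blake2b(str(addr).encode(), key=key, digest_size=8)
    return int.from_bytes(h.digest(), "big") % B

def build_tier(items, key, B, Z):
    """Balls-and-bins build by sort and scan; returns (table, overflow)."""
    # Steps 1-2: tag each element with its bucket, add Z dummies per bucket.
    rows = [(bucket_of(key, a, B), 0, a, v) for a, v in items]
    rows += [(b, 1, -1, DUMMY) for b in range(B) for _ in range(Z)]
    # Step 3: sort by bucket, real before dummy (stand-in for an oblivious sort).
    rows.sort(key=lambda r: r[:3])
    # Step 4: one linear scan marks every row past the first Z of its bucket.
    marked, prev, seen = [], None, 0
    for b, dummy, a, v in rows:
        seen = seen + 1 if b == prev else 1
        prev = b
        marked.append((seen > Z, b, dummy, a, v))
    # Steps 5-6: sort marked rows to the end, truncate to exactly B*Z words.
    marked.sort(key=lambda r: r[:4])
    table = [(a, v) for _, _, _, a, v in marked[:B * Z]]
    overflow = [(a, v) for _, _, d, a, v in marked[B * Z:] if not d]
    return table, overflow

def build_two_tier(items, B, Z, k1=b"tier-1 key", k2=b"tier-2 key"):
    t1, spill = build_tier(items, k1, B, Z)   # first tier
    t2, lost = build_tier(spill, k2, B, Z)    # overflow is hashed again
    if lost:
        raise OverflowError("second tier overflowed")
    return {"B": B, "Z": Z, "tiers": [(k1, t1), (k2, t2)]}, len(spill)

def lookup(ht, addr):
    """Read one whole bucket in each tier, even if addr was already found."""
    found = None
    for key, table in ht["tiers"]:
        b = bucket_of(key, addr, ht["B"])
        for a, v in table[b * ht["Z"]:(b + 1) * ht["Z"]]:
            if a == addr:
                found = v
    return found
```

Each tier always occupies exactly B*Z words and a lookup always touches 2Z of them, so neither the table size nor the number of words read depends on which addresses were stored.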

Simple Hierarchical ORAM. Each level: $\mu = \log^{1-\epsilon} N$ hash tables. Two-tier hash: Build: $O(\log N)$ per element. Lookup: $O(\log^{\epsilon} N)$. Diagram: Level 0, Level 1, Level 2. Bandwidth overhead: $O(\log^2 N / \log\log N)$

Parallel: Oblivious PRAM (OPRAM). Provable security [Boyle, Chung, and Pass]. Diagram: Read / Write address, OPRAM, Addr 1, Addr 2, Addr 3, ...; Simulator, Addr 1, Addr 2, Addr 3, ...

Improved OPRAM. Two-tier hash table is easy to parallelize: just sort and scan. Previous result: $O(\log^3 N)$. Work and parallel time: $O(\log^2 N / \log\log N)$. Diagram: Level 0, Level 1, Level 2.

Conclusions: ORAM, OPRAM.

Followup: Cache-Efficiency. Contiguous memory.

Thank you! Questions? wklin@cs.cornell.edu