Paper 2018/423

Yes, There is an Oblivious RAM Lower Bound!

Kasper Green Larsen and Jesper Buus Nielsen

Abstract

An Oblivious RAM (ORAM) introduced by Goldreich and Ostrovsky [JACM'96] is a (possibly randomized) RAM, for which the memory access pattern reveals no information about the operations performed. The main performance metric of an ORAM is the bandwidth overhead, i.e., the multiplicative factor extra memory blocks that must be accessed to hide the operation sequence. In their seminal paper introducing the ORAM, Goldreich and Ostrovsky proved an amortized Ω(lgn) bandwidth overhead lower bound for ORAMs with memory size n. Their lower bound is very strong in the sense that it applies to the ``offline'' setting in which the ORAM knows the entire sequence of operations ahead of time. However, as pointed out by Boyle and Naor [ITCS'16] in the paper ``Is there an oblivious RAM lower bound?'', there are two caveats with the lower bound of Goldreich and Ostrovsky: (1) it only applies to ``balls in bins'' algorithms, i.e., algorithms where the ORAM may only shuffle blocks around and not apply any sophisticated encoding of the data, and (2), it only applies to statistically secure constructions. Boyle and Naor showed that removing the ``balls in bins'' assumption would result in super linear lower bounds for sorting circuits, a long standing open problem in circuit complexity. As a way to circumventing this barrier, they also proposed a notion of an ``online'' ORAM, which is an ORAM that remains secure even if the operations arrive in an online manner. They argued that most known ORAM constructions work in the online setting as well. Our contribution is an lower bound on the bandwidth overhead of any online ORAM, even if we require only computational security and allow arbitrary representations of data, thus greatly strengthening the lower bound of Goldreich and Ostrovsky in the online setting. Our lower bound applies to ORAMs with memory size and any word size . The bound therefore asymptotically matches the known upper bounds when .

Metadata
Available format(s)
PDF
Category
Cryptographic protocols
Publication info
Published by the IACR in CRYPTO 2018
Keywords
oblivious RAMlower bound
Contact author(s)
jbn @ cs au dk
History
2018-05-29: last of 5 revisions
2018-05-10: received
See all versions
Short URL
https://ia.cr/2018/423
License
Creative Commons Attribution
CC BY

BibTeX 

@misc{cryptoeprint:2018/423,
      author = {Kasper Green Larsen and Jesper Buus Nielsen},
      title = {Yes, There is an Oblivious {RAM} Lower Bound!},
      howpublished = {Cryptology {ePrint} Archive, Paper 2018/423},
      year = {2018},
      url = {https://eprint.iacr.org/2018/423}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.