Cryptology ePrint Archive: Report 2020/1195

A Lower Bound for One-Round Oblivious RAM

David Cash and Andrew Drucker and Alexander Hoover

Abstract: We initiate a fine-grained study of the round complexity of Oblivious RAM (ORAM). We prove that any one-round balls-in bins ORAM that does not duplicate balls must have either \Omega(\sqrt{N}) bandwidth or \Omega(\sqrt{N}) client memory, where N is the number of memory slots being simulated. This shows that such schemes are strictly weaker than general (multi-round) ORAMs or those with server computation, and in particular implies that a one-round version of the original square-root ORAM of Goldreich and Ostrovksy (J. ACM 1996) is optimal. We prove this bound via new techniques that differ from those of Goldreich and Ostrovksy, and of Larsen and Nielsen (CRYPTO 2018), which achieved an \Omega(\log N) bound for balls-in-bins and general multi-round ORAMs respectively. Finally we give a weaker extension of our bound that allows for limited duplication of balls, and also show that our bound extends to multiple-round ORAMs of a restricted form that include the best known constructions.

Category / Keywords: cryptographic protocols / oram, lower bound, round complexity

Original Publication (with minor differences): IACR-TCC-2020

Date: received 30 Sep 2020

Contact author: davidcash at uchicago edu,alexhoover@uchicago edu

Available format(s): PDF | BibTeX Citation

Version: 20201006:093131 (All versions of this report)

Short URL: ia.cr/2020/1195


[ Cryptology ePrint archive ]