Paper 2021/593

Differentially Oblivious Database Joins: Overcoming the Worst-Case Curse of Fully Oblivious Algorithms

Shumo Chu, Danyang Zhuo, Elaine Shi, and T-H. Hubert Chan

Abstract

Numerous high-profile works have shown that access patterns to even encrypted databases can leak secret information and sometimes even lead to reconstruction of the entire database. To thwart access pattern leakage, the literature has focused on {\it oblivious} algorithms, where obliviousness requires that the access patterns leak nothing about the input data. In this paper, we consider the {\tt Join} operator, an important database primitive that has been extensively studied and optimized. Unfortunately, any {\it fully oblivious} {\tt Join} algorithm would require {\it always} padding the result to the {\it worst-case} length which is {\it quadratic} in the data size $N$. In comparison, an insecure baseline incurs only $O(R + N)$ cost where $R$ is the true result length, and in the common case in practice, $R$ is relatively short. As a typical example, when $R = O(N)$, any fully oblivious algorithm must inherently incur a prohibitive, $N$-fold slowdown relative to the insecure baseline. Indeed, the (non-private) database and algorithms literature invariably focuses on studying the {\it instance-specific} rather than {\it worst-case} performance of database algorithms. Unfortunately, the stringent notion of full obliviousness precludes the design of efficient algorithms with non-trivial instance-specific performance. To overcome this worst-case performance barrier of full obliviousness and enable algorithms with good instance-specific performance, we consider a relaxed notion of access pattern privacy called $(\epsilon, \delta)$-differential obliviousness (DO), originally proposed in the seminal work of Chan et al. (SODA'19). Rather than insisting that the access patterns leak no information whatsoever, the relaxed DO notion requires that the access patterns satisfy $(\epsilon, \delta)$-differential privacy. We show that by adopting the relaxed DO notion, we can obtain efficient database {\tt Join} mechanisms whose instance-specific performance {\it approximately matches} the insecure baseline, while still offering a meaningful notion of privacy to individual users. Complementing our upper bound results, we also prove new lower bounds regarding the performance of any DO {\tt Join} algorithm. Differential obliviousness (DO) is a new notion and is a relatively unexplored territory. Following the pioneering investigations by Chan et al. and others, our work is among the very first to formally explore how DO can help overcome the worst-case performance curse of full obliviousness; moreover, we motivate our work with database applications. Our work shows new evidence why DO might be a promising notion, and opens up several exciting future directions.

Note: This is the online full version containing formal algorithm description and detailed proofs.