Path oram
Download as PPTX, PDF4 likes2,413 views
Path ORAM is a practical Oblivious RAM construction that allows a client to retrieve or update encrypted data on a server without revealing the access pattern. It uses a binary tree structure where blocks are randomly assigned positions and must reside on the path to their position. The client maintains a position map and stash, while the server stores an encrypted binary tree. Access operations read the entire path, update the position map, and write the new path back to obliviously maintain the structure's invariants. Path ORAM achieves logarithmic bandwidth overhead, making it more efficient than previous ORAM schemes.
![Path ORAM
10 6
2 58
714 9 1
13
3 12 4 11
1 2 3 4
Server
Client
position map
1 2 3 4 5 6 7 8 9 10 11 12 13 14
2 4 3 4 3 1 2 2 1 1 4 3 2 1
Example: A user wants to modify block “7”
Note:
the blocks on the tree are encrypted
4. Assign a new random position.
Position[block 7] = UniformRandom(1, 2, 3, 4)
here = 1 1 2 3 4 5 6 7 8 9 10 11 12 13 14
2 4 3 4 3 1 1 2 1 1 4 3 2 1](https://image.slidesharecdn.com/pathoram-160721180944/85/Path-oram-32-320.jpg)
Path oram
- 1. An Extremely Simple ORAM Protocol – Path ORAM Published by Stefanov, Emil, et al. Presented by Shijie Zhang
- 2. Cloud storage SkyDrive Windows Azure Storage Amazon S3, EBS Dropbox EMC Atmos Mozy iCloud Google Storage
- 3. Cloud storage SkyDrive Windows Azure Storage Amazon S3, EBS Dropbox EMC Atmos Mozy iCloud Google Storage Can we TRUST the cloud? Not completely
- 4. Cloud storage Sensitive documents should be encrypted User Server Files Encrypted Files
- 5. Search on Cloud storage What if users need to search on encrypted documents? e.g. documents containing keyword “urgent”
- 6. Searchable Encryption Searchable encryption schemes are proposed User Server Files Encrypted Files + Index (contains trapdoors only known by user)
- 7. Searchable Encryption Searchable encryption schemes proposed User Server Search for documents containing keyword e.g. “urgent”
- 8. Searchable Encryption Searchable encryption schemes proposed User Server Search for documents containing keyword e.g. “urgent” Trapdoor function (“urgent”)
- 9. Searchable Encryption Searchable encryption schemes proposed User Server Search for documents containing keyword e.g. “urgent” Trapdoor function (“urgent”) Trapdoor function (“urgent”) + Index
- 10. Searchable Encryption Searchable encryption schemes proposed User Server Search for documents containing keyword e.g. “urgent” Trapdoor function (“urgent”) Trapdoor function (“urgent”) + Index Requested encrypted documents
- 11. Information leaked ??? Most previous research works • Do not leaked Encrypted documents • Do not leaked Searched keywords However, most previous research works • leaked access pattern
- 12. Access Pattern Leaked Access Pattern leaked: • Which data is being accessed • When the data was last accessed • Whether the same data is being accessed • Access randomly or sequentially • Whether the access is a read or write What could be done with access pattern ?
- 13. Client Buy IBM Buy EMC ?Buy IBM Access patterns leak: 80% of search queries to encrypted database (Islam et. al) ?Buy IBM Server Search queries Example Attack ?Buy PC
- 14. Example Attack
- 15. Oblivious RAM • Search over encrypted data without revealing access pattern • Impractical O(N) bandwidth overhead
- 16. Path ORAM • Most practical ORAM construction to date • High efficiency and low overhead Asymptotic breakthrough for large blocks Instantiation Client Storage Bandwidth Without Recursion 𝑶 𝑵 𝑶 𝐥𝐨𝐠 𝑵 With Recursion ~ 𝑶 𝐥𝐨𝐠 𝑵 𝟐 𝐥𝐨𝐠 𝐗 𝑶 𝐥𝐨𝐠 𝑵 𝟐 𝐥𝐨𝐠 𝐗
- 17. Path ORAM • Server storage binary map • Client storage position map, stash
- 18. Path ORAM nodes can contain multiple blocks some nodes are empty Server: data blocks stored in nodes of the tree bucket block Block # data
- 19. Path ORAM 1 2 3 4 5 6 7 8 “Position” comes from the leaf sequence number.
- 20. Path ORAM 1 2 3 4 5 6 7 8 A block must be placed on the path to its “position” If a BLOCK’s position is 5, it can only be in the this path
- 21. Path ORAM 1 2 3 4 5 6 7 8 A block must be placed on the path to its “position” If a BLOCK’s position is 1, it can only be in the this path
- 22. Path ORAM 1 2 3 4 5 6 7 8 Blocks’ position are chosen randomly from 1 to 2^L(number of leaves). Some nodes(buckets) have multiple blocks while some are empty.
- 23. Path ORAM Client storage: position map & stash position map: to store each block’s “position” (assume there are N blocks in the tree) Block # Block’s “position” 1 2 … … …. …. N-1 N 5 4 … … …. …. 1 7
- 24. Path ORAM position map: to store each block’s “position” (assume there are N blocks in the tree) Block # Block’s “position” 1 2 … … …. …. 13 14 2 4 1 1 10 6 2 58 714 9 1 13 3 12 4 11 1 2 3 4 Client storage: position map & stash
- 25. Path ORAM Stash: 1. block cash 2. to store blocks overflowed from the server Client storage: position map & stash one block
- 27. Path ORAM An example for access (op, a, data) Example: A user wants to modify block “7”
- 28. Path ORAM 10 6 2 5 714 1 13 3 12 4 11 1 2 3 4 Server Client stash position map 1 2 3 4 5 6 7 8 9 10 11 12 13 14 2 4 3 4 3 1 2 2 1 1 4 3 2 1 Example: A user wants to modify block “7” 8 9
- 29. Path ORAM 10 6 2 5 714 9 1 13 3 12 4 11 1 2 3 4 Server Client stash position map 1 2 3 4 5 6 7 8 9 10 11 12 13 14 2 4 3 4 3 1 2 2 1 1 4 3 2 1 Example: A user wants to modify block “7” 1. Lookup block’s position 8 9
- 30. Path ORAM 10 6 2 5 714 1 13 3 12 4 11 1 2 3 4 Server Client stash position map 1 2 3 4 5 6 7 8 9 10 11 12 13 14 2 4 3 4 3 1 2 2 1 1 4 3 2 1 Example: A user wants to modify block “7” 2. Read the entire path 8 9 71 13 10 6 71 13 10 6 decrypt
- 31. Path ORAM 10 6 2 5 714 1 13 3 12 4 11 1 2 3 4 Server Client stash position map 1 2 3 4 5 6 7 8 9 10 11 12 13 14 2 4 3 4 3 1 2 2 1 1 4 3 2 1 Example: A user wants to modify block “7” 8 9 71 13 10 6 1 13 10 6 decrypt 7 3. Client can now read/modify data in block
- 32. Path ORAM 10 6 2 58 714 9 1 13 3 12 4 11 1 2 3 4 Server Client position map 1 2 3 4 5 6 7 8 9 10 11 12 13 14 2 4 3 4 3 1 2 2 1 1 4 3 2 1 Example: A user wants to modify block “7” Note: the blocks on the tree are encrypted 4. Assign a new random position. Position[block 7] = UniformRandom(1, 2, 3, 4) here = 1 1 2 3 4 5 6 7 8 9 10 11 12 13 14 2 4 3 4 3 1 1 2 1 1 4 3 2 1
- 33. Path ORAM 10 6 2 5 14 1 13 3 12 4 11 1 2 3 4 Server Client Note: the blocks on the tree are encrypted 5. Write path back 7 Principles: A. Blocks should be pushed down as deep as possible B. Blocks should always be on the path to its position
- 34. Path ORAM 10 6 2 5 14 1 13 3 12 4 11 1 2 3 4 Server Client position map 1 2 3 4 5 6 7 8 9 10 11 12 13 14 2 4 3 4 3 1 1 2 1 1 4 3 2 1 Note: the blocks on the tree are encrypted 5. Write path back. Principle A: Push blocks as deep as possible stash 8 9 1 13 10 67 Try the deepest possible node first
- 35. Path ORAM 10 6 2 5 14 1 13 3 12 4 11 1 2 3 4 Server Client position map 1 2 3 4 5 6 7 8 9 10 11 12 13 14 2 4 3 4 3 1 1 2 1 1 4 3 2 1 Note: the blocks on the tree are encrypted 5. Write path back. Principle A: Push blocks as deep as possible stash 8 9 1 13 10 67 If full, try the upper level
- 36. Path ORAM 10 6 2 5 14 1 13 3 12 4 11 1 2 3 4 Server Client position map 1 2 3 4 5 6 7 8 9 10 11 12 13 14 2 4 3 4 3 1 1 2 1 1 4 3 2 1 Note: the blocks on the tree are encrypted 5. Write path back. Principle A: Push blocks as deep as possible stash 8 9 1 13 10 67 If full, try the upper level
- 37. Path ORAM 10 6 2 5 14 1 13 3 12 4 11 1 2 3 4 Server Client position map 1 2 3 4 5 6 7 8 9 10 11 12 13 14 2 4 3 4 3 1 1 2 1 1 4 3 2 1 Note: the blocks on the tree are encrypted 5. Write path back. Principle A: Push blocks as deep as possible stash 8 9 1 13 10 67 If root is full, store in the stash
- 38. Path ORAM 10 6 2 5 14 1 13 3 12 4 11 1 2 3 4 Server Client position map 1 2 3 4 5 6 7 8 9 10 11 12 13 14 2 4 3 4 3 1 1 2 1 1 4 3 2 1 Note: the blocks on the tree are encrypted 5. Write path back Principle B: The block should always be on its path to “position” stash 8 9 1 13 10 67 2 1 2 1 2 1 1“positions” 7
- 39. Path ORAM 10 6 2 5 14 1 13 3 12 4 11 1 2 3 4 Server Client position map 1 2 3 4 5 6 7 8 9 10 11 12 13 14 2 4 3 4 3 1 1 2 1 1 4 3 2 1 Note: the blocks on the tree are encrypted 5. Write path back Block 8, 1, 13 can end up at any buckets on the entire path Principle B: The block should always be on its path to “position” stash 8 9 1 13 10 67 2 1 2 1 2 1 1 7
- 40. Path ORAM 10 6 2 5 14 1 13 3 12 4 11 1 2 3 4 Server Client position map 1 2 3 4 5 6 7 8 9 10 11 12 13 14 2 4 3 4 3 1 1 2 1 1 4 3 2 1 Note: the blocks on the tree are encrypted 5. Write path back Block 9, 7, 10, 6 can only end up at these buckets Principle B: The block should always be on its path to “position” stash 8 9 1 13 10 67 2 1 2 1 2 1 1 7
- 41. Path ORAM 2 5 14 3 12 4 11 1 2 3 4 Server Client position map 1 2 3 4 5 6 7 8 9 10 11 12 13 14 2 4 3 4 3 1 1 2 1 1 4 3 2 1 Note: the blocks on the tree are encrypted 5. Write path back stash 8 9 1 13 10 67 2 1 2 1 2 1 1 3 2 1 Get back to our example:
- 42. Path ORAM 2 5 14 8 3 12 4 11 1 2 3 4 Server Client position map 1 2 3 4 5 6 7 8 9 10 11 12 13 14 2 4 3 4 3 1 1 2 1 1 4 3 2 1 Note: the blocks on the tree are encrypted 5. Write path back stash 8 9 1 13 10 67 2 1 2 1 2 1 1 3 2 1 13
- 43. Path ORAM 2 51 14 8 7 3 12 4 11 1 2 3 4 Server Client position map 1 2 3 4 5 6 7 8 9 10 11 12 13 14 2 4 3 4 3 1 1 2 1 1 4 3 2 1 Note: the blocks on the tree are encrypted 5. Write path back stash 8 9 1 13 10 67 2 1 2 1 2 1 1 3 2 1 13
- 44. Path ORAM 9 6 2 51 14 8 7 3 12 4 11 1 2 3 4 Server Client position map 1 2 3 4 5 6 7 8 9 10 11 12 13 14 2 4 3 4 3 1 1 2 1 1 4 3 2 1 Note: the blocks on the tree are encrypted 5. Write path back stash 8 9 1 13 10 67 2 1 2 1 2 1 1 3 2 1 13
- 45. Path ORAM 9 6 2 51 14 8 7 3 12 4 11 1 2 3 4 Server Client position map 1 2 3 4 5 6 7 8 9 10 11 12 13 14 2 4 3 4 3 1 1 2 1 1 4 3 2 1 Note: the blocks on the tree are encrypted 5. Write path back stash 10 3 2 1 13
- 46. Client storage Position map: • Log N bits per block • Totally N log N bits Too much !!!
- 47. Recursion • Store the position map in another ORAM. • Do this recursively. Server Client … … O-RAM #1 O-RAM #2: Position Map for O-RAM #1 O-RAM #3: Position Map for O-RAM #2
- 48. Security• Security Definition: Given two access sequences, Computational indistinguishable by anyone but the user • Server only observes a single random number on access to each block Each access number is random not computational distinguishable by anyone but the user
- 49. Security - example Server Client stashposition map Suppose client accesses blocks 1, 2, 3, 4.5 0 1 2 3 4 5 6 7positions: 1 6 4 Server observes: 5, 1, 6, 4 Client looks up in position map. 5 1 6 4 equally likely If client instead accesses: 46, 49, 53, 60 the two access patterns are indistinguishable
- 50. Proof for Bounds on Stash Usage Target: the probability for stash overflow is low Equivalent to: Find a subtree in ORAM binary tree that after a sequences of access “s”, the number of Remaining blocks are bigger than n(T)Z+R
- 51. References 1. Path ORAM, Emil, S., et al. slides and papers, 2012 2. Access Pattern Disclosure on Searchable Encryption. Mohammad, S. et al. , 2006