Abstract
When scaling a distributed ORAM to a two-party secure computation, the overhead is dominated by the number of pseudo-random generator (PRG) calls in generation and evaluation of a distributed point function (DPF), which are O(log n) and O(n) respectively, where n is the number of data blocks. We propose a distributed ORAM scheme in which the PRG calls are reduced to O(log(zn/λ)) for generation and O(2^log(zn/λ)) for evaluation, where λ is the security parameter and z is the length of outputs in the DPF. Technically, we first extend the optimization of Function Secret Sharing (FSS), early termination for functions with small output groups, to the context of ORAM for secure computation. Then, we design a scheme named etoram to exploit the high efficiency achieved by early termination. In etoram, we introduce an access counter for each data block. Then, instead of {0,1}^λ, the output of the point function becomes the maximum value of these counters, i.e., {0,1}^z. Data blocks are privately updated by masking random strings generated by their counters. In practice, according to different access rates, z ranges from 1 to log n in sequential mode and from 3 to log n in random mode if the total number of accesses is n.
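The PRG-call reduction stated in the abstract can be reproduced with a small two-server DPF; this is an added example, not the paper's etoram code. It follows the standard tree-based DPF construction with per-level correction words, and `cut` is the number of tree levels dropped by early termination (log(λ/z)). Assumptions: λ = 128, SHA-512 as a stand-in PRG, XOR as the output group, and the hypothetical names `prg`, `gen`, `eval_all` and `run`.

```python
import hashlib, secrets
LAM = 128    # seed length λ in bits (assumed value)
CALLS = [0]  # PRG-call counter: the cost the abstract measures

def prg(seed):
    """Expand a λ-bit seed into [sL, tL, sR, tR]; SHA-512 is a stand-in PRG."""
    CALLS[0] += 1
    h = int.from_bytes(hashlib.sha512(seed.to_bytes(LAM // 8, "big")).digest(), "big")
    return [h >> 384, h & 1, (h >> 128) & ((1 << LAM) - 1), (h >> 1) & 1]

def gen(alpha, beta, log_n, z, cut):
    """Two keys for the point function alpha -> beta (z bits); cut = levels dropped."""
    prefix, slot = alpha >> cut, alpha & ((1 << cut) - 1)
    roots, t, cws = [secrets.randbits(LAM), secrets.randbits(LAM)], [0, 1], []
    s = roots
    for i in reversed(range(log_n - cut)):
        a = (prefix >> i) & 1                      # path bit of alpha at this level
        e = [prg(s[0]), prg(s[1])]
        keep, lose = 2 * a, 2 * (1 - a)
        s_cw = e[0][lose] ^ e[1][lose]             # forces equal seeds off the path
        t_cw = [e[0][1] ^ e[1][1] ^ a ^ 1, e[0][3] ^ e[1][3] ^ a]
        cws.append((s_cw, t_cw))
        s, t = ([e[b][keep] ^ (t[b] * s_cw) for b in (0, 1)],
                [e[b][keep + 1] ^ (t[b] & t_cw[a]) for b in (0, 1)])
    final = s[0] ^ s[1] ^ (beta << (slot * z))     # beta sits in one z-bit slot of the leaf
    return [(b, roots[b], cws, final) for b in (0, 1)]

def eval_all(key, z, cut):
    """One server's XOR shares over the whole domain (full-domain evaluation)."""
    b, s, cws, final = key
    level = [(s, b)]
    for s_cw, t_cw in cws:
        nxt = []
        for s, t in level:
            e = prg(s)
            nxt += [(e[0] ^ (t * s_cw), e[1] ^ (t & t_cw[0])),
                    (e[2] ^ (t * s_cw), e[3] ^ (t & t_cw[1]))]
        level = nxt
    # each leaf seed is split into 2**cut outputs of z bits each
    return [((s ^ (t * final)) >> (j * z)) & ((1 << z) - 1)
            for s, t in level for j in range(1 << cut)]

def run(alpha, beta, log_n, z, cut):
    """Return (reconstructed table, PRG calls in gen, PRG calls in one server's eval)."""
    CALLS[0] = 0
    k0, k1 = gen(alpha, beta, log_n, z, cut)
    gen_calls, CALLS[0] = CALLS[0], 0
    v0 = eval_all(k0, z, cut)
    eval_calls = CALLS[0]
    return [x ^ y for x, y in zip(v0, eval_all(k1, z, cut))], gen_calls, eval_calls
```

With log n = 12 and z = 4, `run(1234, 0b1011, 12, 4, 0)` costs 24 PRG calls in generation and 4095 per server in evaluation, while `cut=5` (early termination) costs 14 and 127 and reconstructs the same table.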
Highlights
When Oblivious RAM (ORAM) is applied in secure computation, the functions in the ORAM client are represented as a circuit, and the circuit size becomes the bottleneck of performance.
It relies on the maximum of the access counter among all the data blocks, which is determined by the access rates, the total number of accesses N, and the access modes.
A worst case is that the access rate of one of the data blocks is 1, and the maximum access counter equals the total number of accesses.
Summary
In a two-server scenario, each server possesses a database. If the two servers want to know the intersection of the two databases without revealing their own databases to each other, a two-party secure computation protocol is required. Substantial improvements to the efficiency of ORAM when scaling to secure computation have been carried out. These previous works are all in the context of a single-server setting, which suffers from two drawbacks: a costly initialization and a large memory. Gordon et al. [31] propose an ORAM scheme for outsourced applications in a two-server setting, in which the position map is derived from a pseudo-random function that takes the logical addresses as inputs. Because it can be recomputed when required, no storage of the position map is needed. The initialization is a linear-time method and requires no secure computation. It stores each data block at the physical address corresponding to its logical index, and the storage of the position map is saved. Instead of wire labels, the shares of data blocks are stored, which reduces the memory size to a small constant.