Accesses to data stored remotely create a side channel that is known to leak information even if the content is encrypted. Oblivious RAM is a cryptographic primitive that provides confidentiality of access patterns in remote storage settings. To outsource a database of $n$ blocks of $B$ bits, traditional solutions restrict the client to $\mathcal{O}(B)$ bits of private memory. A class of solutions, known as Hierarchical ORAM, has achieved theoretically optimal bandwidth performance in this setting. Hierarchical ORAM distributes data blocks at the server across a hierarchy of hash tables, with the most recently accessed blocks in the lower levels of the hierarchy. Locating a block in the hierarchy requires a large number of round-trips of communication, with the server, per virtual access. Furthermore, rebuilding the hierarchy incurs a large concrete bandwidth overhead. Thus, Hierarchical ORAMs are seen as theoretical artefacts and have not been deployed in practice. For many applications, such as cloud storage, the client can afford a larger, $\omega(B)$-bit, private memory allocation. With this premise, we introduce Rank ORAM, the first practical Hierarchical ORAM that takes advantage of a larger client. We construct a compact client-side data structure that keeps track of how recently data blocks have been accessed. Leveraging this information, Rank ORAM reduces both the number of round-trips of communication and the concrete bandwidth overhead of Hierarchical ORAM. In addition, Rank ORAM achieves a smaller client memory allocation than existing (non-Hierarchical) state-of-the-art practical ORAM schemes while maintaining comparable bandwidth performance. Our experiments on real network file-system traces demonstrate a reduction in client memory, against existing approaches, of a factor of $100$.
翻译:远程存储的数据访问权创建了一个已知的侧端通道, 即使内容是加密的, 也会泄漏信息。 明显的 RAM 是一个加密原始的加密系统, 提供了远程存储设置中访问模式的保密性。 要将一个以美元为单位的数据库外包为$B比特, 传统的解决方案将客户端限制在$mathcal{O}(B) 美元私人记忆的位数。 一种被称为等级式 ORAM 的解决方案已经在这个环境中实现了理论上最佳的带宽性能。 等级式 ORAM 在服务器上散布数据, 包括一个高层次的hash表格, 以及最近进入的低层次的 。 在结构中, 将一个大层次的 $\ omga(B), 私人存储器的区块进行保密 。 我们引入了一个大层次的 ORAM 的用户端值, 正在构建一个实际的 ORAM 数据端数 。 高层次的 ORAM 的用户端数, 和 真正的客户端的内层的内存的内存数据端的内存系统 。 我们的内存的内存的内存的内存的内存的内存的内存的内存的内存的内, 都有一个更大的内存的内存的内存的内存的内存的内存的内存的内存。