# Oblivious RAM

An oblivious RAM (ORAM) simulator is a compiler that transforms algorithms in such a way that the resulting algorithms preserve the input-output behavior of the original algorithm but the distribution of memory access pattern of the transformed algorithm is independent of the memory access pattern of the original algorithm. The definition of ORAMs is motivated by the fact that an adversary can obtain nontrivial information about the execution of a program and the nature of the data that it is dealing with, just by observing the pattern in which various locations of memory are accessed during its execution. An adversary can get this information even if the data values are all encrypted. The definition suits equally well to the settings of protected programs running on unprotected shared memory as well as a client running a program on its system by accessing previously stored data on a remote server. The concept was formulated by Oded Goldreich in 1987.[1]

## Definition

A Turing machine (TM), the mathematical abstraction of a real computer (program), is said to be oblivious if for any two inputs of the same length, the motions of the tape heads remain the same. Pippenger and Fischer[2] proved that every TM with running time ${\displaystyle T(n)}$ can be made oblivious and that the running time of the oblivious TM is ${\displaystyle O(T(n)\log T(n))}$. A more realistic model of computation is the RAM model. In the RAM model of computation, there is a CPU that can execute the basic mathematical, logical and control instructions. The CPU is also associated with a few registers and a physical random access memory, where it stores the operands of its instructions. The CPU in addition has instructions to read the contents of a memory cell and write a specific value to a memory cell. The definition of ORAMs capture a similar notion of obliviousness memory accesses in this model.

Informally, an ORAM is an algorithm at the interface of a protected CPU and the physical RAM such that it acts like a RAM to the CPU by querying the physical RAM for the CPU while hiding information about the actual memory access pattern of the CPU from the physical RAM. In other words, the distribution of memory accesses of two programs that make the same number of memory accesses to the RAM are indistinguishable from each other. This description will still make sense if the CPU is replaced by a client with a small storage and the physical RAM is replaced with a remote server with a large storage capacity, where the data of the client resides.

The following is a formal definition of ORAMs.[3] Let ${\displaystyle \Pi }$ denote a program requiring a memory of size ${\displaystyle n}$ when executing on an input ${\displaystyle x}$. Suppose that ${\displaystyle \Pi }$ has instructions for basic mathematical and control operations in addition to two special instructions ${\displaystyle {\mathsf {read}}(l)}$ and ${\displaystyle {\mathsf {write}}(l,v)}$, where ${\displaystyle {\mathsf {read}}(l)}$ reads the value at location ${\displaystyle l}$ and ${\displaystyle {\mathsf {write}}(l,v)}$ writes the value ${\displaystyle v}$ to ${\displaystyle l}$. The sequence of memory cell accessed by a program ${\displaystyle \Pi }$ during its execution is called its memory access pattern and is denoted by ${\displaystyle {\tilde {\Pi }}(n,x)}$.

A polynomial-time algorithm, ${\displaystyle C}$ is an Oblivious RAM (ORAM) compiler with computational overhead ${\displaystyle c(\cdot )}$ and memory overhead ${\displaystyle m(\cdot )}$, if ${\displaystyle C}$ given ${\displaystyle n\in N}$ and a deterministic RAM program ${\displaystyle \Pi }$ with memory-size ${\displaystyle n}$ outputs a program ${\displaystyle \Pi _{0}}$ with memory-size ${\displaystyle m(n)\cdot n}$ such that for any input ${\displaystyle x}$, the running-time of ${\displaystyle \Pi _{0}(n,x)}$ is bounded by ${\displaystyle c(n)\cdot T}$ where ${\displaystyle T}$ is the running-time of ${\displaystyle \Pi (n,x)}$, and there exists a negligible function ${\displaystyle \mu }$ such that the following properties hold:

• Correctness: For any ${\displaystyle n\in \mathbb {N} }$ and any string ${\displaystyle x\in \{0,1\}^{*}}$, with probability at least ${\displaystyle 1-\mu (n)}$, ${\displaystyle \Pi (n,x)=\Pi _{0}(n,x)}$.
• Obliviousness: For any two programs ${\displaystyle \Pi _{1},\Pi _{2}}$, any ${\displaystyle n\in \mathbb {N} }$ and any two inputs, ${\displaystyle x_{1},x_{2}\in \{0,1\}^{*}}$ if ${\displaystyle |{\tilde {\Pi }}_{1}(n,x_{1})|=|{\tilde {\Pi }}_{2}(n,x_{2})|}$, then ${\displaystyle {{\tilde {\Pi }}_{1}}'(n,x_{1})}$ is ${\displaystyle \mu }$-close to ${\displaystyle {{\tilde {\Pi }}_{2}}'(n,x_{2})}$ in statistical distance, where ${\displaystyle {\Pi _{1}}'=C(n,\Pi _{1})}$ and ${\displaystyle {\Pi _{2}}'=C(n,\Pi _{2})}$.

Note that the above definition uses the notion of statistical security. One can also have a similar definition for the notion of computational security.

## History of ORAMs

ORAMs were introduced by Goldreich and Ostrovsky[1][4][5] where in the key motivation was stated as software protection from an adversary who can observe the memory access pattern (but not the contents of the memory).

The main result in this work[5] is that there exists an ORAM compiler that uses ${\displaystyle O(n)}$ server space and incurs a running time overhead of ${\displaystyle 2^{O({\sqrt {\log n\log \log n}})}}$ when making a program that uses ${\displaystyle n}$ memory cells oblivious. This work initiated a series of works in the construction of oblivious RAMs that is going on till date. There are several attributes that need to be considered when we compare various ORAM constructions. The most important parameters of an ORAM construction are the amounts of client storage, the amount of server storage and the time overhead in making one memory access. Based on these attributes, the construction of Kushilevitz et al.[6] is the best known ORAM construction. It achieves ${\displaystyle O(1)}$ client storage, ${\displaystyle O(n)}$ server storage and ${\displaystyle o(\log ^{2}n)}$ access overhead.

Another important attribute of an ORAM construction is whether the access overhead is amortized or worst-case. Several of the earlier ORAM constructions have good amortized access overhead guarantees, but have ${\displaystyle \Omega (N)}$ worst-case access overheads. Some of the ORAM constructions with polylogarithmic worst-case computational overheads are.[6][7][8][9][10] The constructions of[1][4][5] were for the random oracle model, where the client assumes access to an oracle that behaves like a random function and returns consistent answers for repeated queries. They also noted that this oracle could be replaced by a pseudorandom function whose seed is a secret key stored by the client, if one assumes the existence of one-way functions. The papers[11][12] were aimed at removing this assumption completely. The authors of[12] also achieve an access overhead of ${\displaystyle O(\log ^{3}n)}$, which is just a log-factor away from the best known ORAM access overhead.

While most of the earlier works focus on proving security computationally, there are more recent works[3][8][11][12] that use the stronger statistical notion of security.

One of the only known lower bounds on the access overhead of ORAMs is due to Goldreich et al.[5] They show a ${\displaystyle \Omega (\log {n})}$ lower bound for ORAM access overhead, where ${\displaystyle n}$ is the data size. There is also a conditional lower bound on the access overhead of ORAMs due to Boyle et al.[13] that relates this quantity with that of the size of sorting networks.

## ORAM Constructions

### Trivial construction

A trivial ORAM simulator construction, for each read or write operation, reads from and writes to every single element in the array, only performing a meaningful action for the address specified in that single operation. The trivial solution thus, scans through the entire memory for each operation. This scheme incurs a time overhead of ${\displaystyle \Omega (n)}$ for each memory operation, where n is the size of the memory.

### A simple ORAM scheme

A simple version of a statistically secure ORAM compiler constructed by Chung and Pass[3] is described in the following along with an overview of the proof of its correctness. The compiler on input n and a program Π with its memory requirement n, outputs an equivalent oblivious program Π′.

If the input program Π uses r registers, the output program Π′ will need ${\displaystyle r+n/{\alpha }+{\text{poly}}\log {n}}$ registers, where ${\displaystyle \alpha >1}$ is a parameter of the construction. Π′ uses ${\displaystyle O(n{\text{ poly}}\log n)}$ memory and its (worst-case) access overhead is ${\displaystyle O({\text{poly}}\log n)}$.

The ORAM compiler is very simple to describe. Suppose that the original program Π has instructions for basic mathematical and control operations in addition to two special instructions ${\displaystyle {\mathsf {read}}(l)}$ and ${\displaystyle {\mathsf {write}}(l,v)}$, where ${\displaystyle {\mathsf {read}}(l)}$ reads the value at location l and ${\displaystyle {\mathsf {write}}(l,v)}$ writes the value v to l. The ORAM compiler, when constructing Π′, simply replaces each read and write instructions with subroutines Oread and Owrite and keeps the rest of the program the same. It may be noted that this construction can be made to work even for memory requests coming in an online fashion.

The ORAM compiler substitutes the read and write instructions in the original program with subroutines Oread and Owrite.

#### Memory organization of the oblivious program

The program Π′ stores a complete binary tree T of depth ${\displaystyle d=\log(n/\alpha )}$ in its memory. Each node in T is represented by a binary string of length at most d. The root is the empty string, denoted by λ. The left and right children of a node represented by the string ${\displaystyle \gamma }$ are ${\displaystyle \gamma _{0}}$ and ${\displaystyle \gamma _{1}}$ respectively. The program Π′ thinks of the memory of Π as being partitioned into blocks, where each block is a contiguous sequence of memory cells of size α. Thus, there are at most ${\displaystyle \lceil n/\alpha \rceil }$ blocks in total. In other words, the memory cell r corresponds to block ${\displaystyle b=\lfloor r/\alpha \rfloor }$.

At any point of time, there is an association between the blocks and the leaves in T. To keep track of this association, Π′ also stores a data structure called position map, denoted by ${\displaystyle Pos}$, using ${\displaystyle O(n/\alpha )}$ registers. This data structure, for each block b, stores the leaf of T associated with b in ${\displaystyle Pos(b)}$.

Each node in T contains an array with at most K triples. Each triple is of the form ${\displaystyle (b,Pos(b),v)}$, where b is a block identifier and v is the contents of the block. Here, K is a security parameter and is ${\displaystyle O({\text{poly}}\log n)}$.

An illustration of the memory of the oblivious program showing the binary tree and position map.

#### Description of the oblivious program

The program Π′ starts by initializing its memory as well as registers to . Describing the procedures Owrite and Oread is enough to complete the description of Π′. The sub-routine Owrite is given below. The inputs to the sub-routine are a memory location ${\displaystyle l\in [n]}$ and the value v to be stored at the location l. It has three main phases, namely FETCH, PUT_BACK and FLUSH.

    input: a location l, a value v

    Procedure FETCH     // Search for the required block.
${\displaystyle b\leftarrow \lfloor l/\alpha \rfloor }$          // b is the block containing l.
${\displaystyle i\leftarrow l\mod \alpha }$          // i is l's component in the block b.
${\displaystyle pos\leftarrow Pos(b)}$
if ${\displaystyle pos=\perp }$ then ${\displaystyle pos\leftarrow _{R}[n/\alpha ]}$.          // Set ${\displaystyle pos}$ to a uniformly random leaf in T.
flag ${\displaystyle \leftarrow 0}$.
for each node N on the path the path from root to ${\displaystyle pos}$ do
if N has a triple of the form ${\displaystyle (b,pos,x)}$ then
Remove ${\displaystyle (b,pos,x)}$ from N, store x in a register, and write back the updated N to T.
flag ${\displaystyle \leftarrow 1}$.
else
Write back N to T.
Procedure PUT_BACK     // Add back the updated block at the root.
${\displaystyle pos'\leftarrow _{R}[n/\alpha ]}$.     // Set ${\displaystyle pos'}$ to a uniformly random leaf in T.
if flag${\displaystyle =1}$ then
Set ${\displaystyle x'}$ to be same as x except for v at the i-th position.
else
Set ${\displaystyle x'}$ to be a block with v at i-th position and ⊥'s everywhere else.
if there is space left in the root then
Add the triple ${\displaystyle (b,pos',x')}$ to the root of T.
else
Abort outputting overflow.
Procedure FLUSH     // Push the blocks present in a random path as far down as possible.
${\displaystyle pos^{*}\leftarrow _{R}[n/\alpha ]}$.     // Set ${\displaystyle pos^{*}}$ to a uniformly random leaf in T.
for each triple ${\displaystyle (b'',pos'',v'')}$ in the nodes traversed the path from root to ${\displaystyle pos^{*}}$
Push down this triple to the node N that corresponds to the longest common prefix of ${\displaystyle pos''}$ and ${\displaystyle pos^{*}}$.
if at any point some bucket is about to overflow then
Abort outputting overflow.


The task of the FETCH phase is to look for the location l in the tree T. Suppose ${\displaystyle pos}$ is the leaf associated with the block containing location l. For each node N in T on the path from root to ${\displaystyle pos}$, this procedure goes over all triples in N and looks for the triple corresponding to the block containing l. If it finds that triple in N, it removes the triple from N and writes back the updated state of N. Otherwise, it simply writes back the whole node N.

In the next phase, it updates the block containing l with the new value v, associates that block with a freshly sampled uniformly random leaf of the tree, writes back the updated triple to the root of T.

The last phase, which is called FLUSH, is an additional operation to release the memory cells in the root and other higher internal nodes. Specifically, the algorithm chooses a uniformly random leaf ${\displaystyle pos^{*}}$ and then tries to push down every node as much as possible along the path from root to ${\displaystyle pos^{*}}$. It aborts outputting an overflow if at any point some bucket is about to overflow its capacity.

The sub-routine Oread is similar to Owrite. For the Oread sub-routine, the input is just a memory location ${\displaystyle l\in [n]}$ and it is almost the same as Owrite. In the FETCH stage, if it does not find a triple corresponding to the location l, it returns as the value at location l. In the PUT_BACK phase, it will write back the same block that it read to the root, after associating it with a freshly sampled uniformly random leaf.

#### Correctness of the simple ORAM scheme

Let C stand for the ORAM compiler that was described above. Given a program Π, let Π′ denote ${\displaystyle C(\Pi )}$. Let ${\displaystyle \Pi (n,x)}$ denote the execution of the program Π on an input x using n memory cells. Also, let ${\displaystyle {\tilde {\Pi }}(n,x)}$ denote the memory access pattern of ${\displaystyle \Pi (n,x)}$. Let μ denote a function such that for any ${\displaystyle n\in \mathbb {N} }$, for any program Π and for any input ${\displaystyle x\in \{0,1\}^{*}}$, the probability that ${\displaystyle \Pi '(n,x)}$ outputs an overflow is at most ${\displaystyle \mu (n)}$. The following lemma is easy to see from the description of C.

Equivalence Lemma
Let ${\displaystyle n\in \mathbb {N} }$ and ${\displaystyle x\in \{0,1\}^{*}}$. Given a program Π, with probability at least ${\displaystyle 1-\mu (n)}$, the output of ${\displaystyle \Pi '(n,x)}$ is identical to the output of ${\displaystyle \Pi (n,x)}$.

It is easy to see that each Owrite and Oread operation traverses root to leaf paths in T chosen uniformly and independently at random. This fact implies that the distribution of memory access patterns of any two programs that make the same number of memory accesses are indistinguishable, if they both do not overflow.

Obliviousness Lemma
Given two programs ${\displaystyle \Pi _{1}}$ and ${\displaystyle \Pi _{2}}$ and two inputs ${\displaystyle x_{1},x_{2}\in \{0,1\}^{*}}$ such that ${\displaystyle |{\tilde {\Pi _{1}}}(x_{1},n)|=|{\tilde {\Pi _{2}}}(x_{2},n)|}$, with probability at least ${\displaystyle 1-2\mu (n)}$, the access patterns ${\displaystyle {\tilde {\Pi _{1}'}}(x_{1},n)}$ and ${\displaystyle {\tilde {\Pi _{2}'}}(x_{2},n)}$ are identical.

The following lemma completes the proof of correctness of the ORAM scheme.

Overflow Lemma
There exists a negligible function μ such that for very program Π, every n and input x, the program ${\displaystyle \Pi '(n,x)}$ outputs overflow with probability at most ${\displaystyle \mu (n)}$.

During each Oread and Owrite operation, two random root-to-leaf paths of T are fully explored by Π′. This takes ${\displaystyle O(K\cdot \log(n/\alpha ))}$ time. This is the same as the computational overhead, and is ${\displaystyle O({\text{poly}}\log n)}$ since K is ${\displaystyle O({\text{poly}}\log n)}$.

The total memory used up by Π′ is equal to the size of T. Each triple stored in the tree has ${\displaystyle \alpha +2}$ words in it and thus there are ${\displaystyle K(\alpha +2)}$ words per node of the tree. Since the total number of nodes in the tree is ${\displaystyle O(n/\alpha )}$, the total memory size is ${\displaystyle O(nK)}$ words, which is ${\displaystyle O(n{\text{ poly}}\log n)}$. Hence, the memory overhead of the construction is ${\displaystyle O({\text{poly}}\log n)}$.

## References

1. ^ a b c Oded Goldreich. 1987. Towards a theory of software protection and simulation by oblivious RAMs. In Proceedings of the nineteenth annual ACM symposium on Theory of computing (STOC '87), Alfred V. Aho (Ed.). ACM, New York, NY, USA, 182-194. doi:10.1145/28395.28416
2. ^ Nicholas Pippenger and Michael J. Fischer. 1979. Relations among complexity measures. Journal of ACM. DOI = http://dl.acm.org/citation.cfm?id=322138
3. ^ a b c Kai-Min Chung and Rafael Pass. 2013. A simple ORAM. IACR Cryptology ePrint Archive. DOI = http://eprint.iacr.org/2013/243
4. ^ a b Rafail Ostrovsky. Efficient computation on oblivious rams. In Proceedings of the 22nd Annual ACM Symposium on Theory of Computing, May 13–17, 1990.
5. ^ a b c d Oded Goldreich and Rafail Ostrovsky. Software protection and simulation on oblivious rams. Journal of ACM.1996
6. ^ a b Eyal Kushilevitz, Steve Lu, and Rafail Ostrovsky. On the (in) security of hash-based oblivious ram and a new balancing scheme. In Proceedings of the twenty-third annual ACM-SIAM symposium on Discrete Algorithms. 2012
7. ^ Rafail Ostrovsky and Victor Shoup. Private information storage (extended abstract). In Proceedings of the Twenty-Ninth Annual ACM Symposium on the Theory of Computing. 1997.
8. ^ a b Elaine Shi, T-H Hubert Chan, Emil Stefanov, and Mingfei Li. Oblivious ram with ${\displaystyle O((\log n)^{3})}$ worst-case cost. In Advances in Cryptology. ASIACRYPT 2011.
9. ^ Michael T. Goodrich, Michael Mitzenmacher, Olga Ohrimenko, and Roberto Tamassia. Oblivious ram simulation with efficient worst-case access overhead. In Proceedings of the 3rd ACM workshop on Cloud computing security workshop. 2011.
10. ^ Kai-Min Chung, Zhenming Liu, and Rafael Pass. Statistically-secure ORAM with ${\displaystyle {\tilde {O}}(\log ^{2}n)}$ overhead. In Advances in Cryptology - ASIACRYPT 2014.
11. ^ a b Miklos Ajtai. Oblivious rams without cryptographic assumptions. In Proceedings of the 42nd ACM Symposium on Theory of Computing, STOC. 2010
12. ^ a b c Ivan Damgard, Sigurd Meldgaard, and Jesper Buus Nielsen. Perfectly secure oblivious RAM without random oracles. In Theory of Cryptography Conference, TCC. 2011
13. ^ Elette Boyle and Moni Naor. Is there an oblivious RAM lower bound? In Proceedings of the 2016 ACM Conference on Innovations in Theoretical Computer Science. 2016.
• J. Bentley (2000), Programming Pearls 2nd Edition. Addison-Wesley, Inc. ISBN 0-201-65788-0
• Eyal Kushilevitz, Steve Lu, and Rafail Ostrovsky. On the (in) security of hash-based oblivious RAM and a new balancing scheme. In Proceedings of the twenty-third annual ACM-SIAM symposium on Discrete Algorithms, pages 143–156. SIAM, 2012.
• Knuth, D. E. (1973). The Art of Computer Programming, volume 3: Sorting and Searching. Addison Wesley.
• Oded Goldreich, Rafail Ostrovsky. Software protection and simulation on oblivious RAMs. Published in Journal of the ACM, volume 43 issue 3, May 1996, page 431-473.
• Yuqun Chen, Ramarathnam Venkatesan, Matthew Cary, Ruoming Pang, Saurabh Sinha, and Mariusz H. Jakubowski. Oblivious hashing: A stealthy software integrity verification primitive. Microsoft research, 2002.