OptORAMa: Optimal Oblivious RAM

1.1 Our Results: Optimal Oblivious RAM

We resolve this long-standing problem by showing a matching upper bound to Larsen and Nielsen’s [41] lower bound: an ORAM scheme with \(O(\log N)\) overhead and negligible security in \(\lambda\), where \(N\) is the size of the memory and \(\lambda\) is the security parameter, assuming one-way functions. More concretely, we show²:

An ORAM consists of a client (a.k.a. CPU) and a remote RAM. The client has a small trusted memory. Throughout this article, we shall assume a standard word-RAM where each memory word has at least \(w=\log N\) bits, i.e., large enough to store its own logical address. We assume that word-level addition and boolean operations can be done in unit cost. We assume that the CPU has a constant number of private registers. For our ORAM construction, we additionally assume that a single evaluation of a pseudorandom function (PRF), resulting in at least word-size number of pseudo-random bits, can be done in unit cost.³ Note that all earlier computationally secure ORAM schemes, starting with the work of Goldreich and Ostrovsky [29, 31], make the same set of assumptions. Additionally, we remark that our result can be made statistically secure if one assumes a private random oracle to replace the PRF (the known logarithmic ORAM lower bound [29, 31, 41] still holds in this setting). In our model, the memory is completely passive and does not perform any computation beyond what it is instructed. Finally, we note that our construction suffers from huge constants due to the use of certain expander graphs; improving the concrete constant is left for future work.

In Appendix A we provide a comparison with previous works, where we make the comparison more accurate and meaningful by explicitly stating the dependence on the error probability (which was assumed to be some negligible functions in previous works).

1.2 Our Results: Optimal Oblivious Tight Compaction

Closing the remaining \(\log \log N\) gap for ORAM turns out to be highly challenging. Along the way, we actually construct an important building block, that is, a deterministic, linear-time, oblivious tight compaction algorithm. This result is an important contribution on its own, and has intimate connections to classical algorithms questions, as we explain below.

Tight compaction is the following task: given an input array of size \(n\) containing either real or dummy elements, output a permutation of the input array where all real elements appear in the front. Tight compaction can be considered as a restricted form of sorting, where each element in the input array receives a 1-bit key, indicating whether it is real or dummy. One naïve solution for tight compaction, therefore, is to rely on oblivious sorting to sort the input array [1, 32]; unfortunately, due to recent lower bounds [22, 44], we know that any oblivious sorting scheme must incur \(\Omega (n \cdot \log n)\) time on a word-RAM, either assuming that the algorithm treats each element as “indivisible” [44] or assuming that the famous Li-Li network coding conjecture [43] is true [22].

A natural question, therefore, is whether we can do asymptotically better than just naïvely sorting the input. It turns out that this question is related to a line of work in the classical algorithms literature, that is, the design of switching networks and routing on such networks [1, 4, 5, 23, 55, 56]. First, a line of combinatorial works showed the existence of linear-sized super-concentrators [54, 55, 62], i.e., switching networks with \(n\) inputs and \(n\) outputs such that vertex-disjoint paths exist from any \(k\) elements in the inputs to any \(k\) positions in the outputs. One could leverage a linear-sized super-concentrator construction to obliviously route all the real elements in the input to the front of the output array deterministically and in linear time (by routing elements along the routes), but it is not clear yet how to find routes (i.e., a set of vertex-disjoint paths) from the real input positions to the front of the output array.

In an elegant work in 1996, Pippenger [56] showed a deterministic, linear-time algorithm for route-finding but unfortunately, the algorithm is not oblivious. Shortly afterward, Leighton et al. [42] showed a probabilistic algorithm that tightly compacts \(n\) elements in \(O(n \cdot \log \log \lambda)\) time with \(1-{\sf negl}(\lambda)\) probability—their algorithm is almost oblivious except for leaking the number of reals and dummies. After Leighton et al. [42], this line of work remained somewhat stagnant for almost two decades. Only recently, did we see some new results: Mitchell and Zimmerman [49] as well as Lin et al. [44] showed how to achieve the same asymptotics as Leighton et al. [42] but now making the algorithm fully oblivious.

In this article, we give an explicit construction of a deterministic, oblivious algorithm that tightly compacts any input array of \(n\) elements in linear time, as stated in the following theorem:

Our algorithm is not comparison-based and not stable and this is inherent. Specifically, Lin et al. [44] recently showed that any stable, oblivious tight compaction algorithm (that treats elements as indivisible) must incur \(\Omega (n \cdot \log n)\) runtime, where stability requires that the real elements in the output must appear in the same order as the input. Further, due to the well-known 0-1 principle [18, 66], any comparison-based tight compaction algorithm must incur at least \(\Omega (n\cdot \log n)\) runtime as well.⁴

Not only does the above compaction algorithm play a key role at several points in our ORAM construction, but it is a useful primitive independently. For example, we use our compaction algorithm to give a perfectly oblivious algorithm that randomly permutes arrays of \(n\) elements in (worst-case) \(O(n\cdot \log n)\) time. All previously known such constructions have some probability of failure.

1.3 Related Works

Goldreich and Ostrovsky [29, 31] introduced the problem of Oblivious RAM, and also introduced the hierarchical framework. The works of [12, 53] (see also [33, 40]) showed how to reduce the overhead of Goldreich and Ostrovsky’s construction. We refer to Appendix A for a detailed analysis of the different overheads. Besides the hierarchical paradigm, Shi et al. [58] propose the tree-based paradigm for constructing ORAMs. Subsequent works [15, 16, 61, 63] have improved tree-based constructions, culminating in the works of Circuit ORAM [63] and Circuit OPRAM [15].

2.1 Oblivious RAM

In this section, we present a high-level description of the main ideas and techniques underlying our ORAM construction. Full details are given later in the corresponding technical sections.

Hierarchical ORAM. The hierarchical ORAM framework, introduced by Goldreich and Ostrovsky [29, 31] and improved in subsequent works (e.g., [12, 33, 40]), works as follows. For a logical memory of \(N\) blocks, we construct a hierarchy of hash tables, henceforth denoted \(T_1,\ldots ,T_L\) where \(L = \log N\). Each \(T_i\) stores \(2^i\) memory blocks. We refer to table \(T_i\) as the \(i\)th level. In addition, we store a next to each table a flag indicating whether the table is full or empty. When receiving an access request to \({\mathsf {read}}/{\mathsf {write}}\) some logical memory address \({\mathsf {addr}}\), the ORAM proceeds as follows:

For each access, we perform \(\log N\) lookups, one per hash table. Moreover, after \(t\) accesses, we rebuild the \(i\)th table \(\lceil t/2^{i} \rceil\) times. When implementing the hash table using the best known oblivious hash table (e.g., oblivious Cuckoo hashing [12, 33, 40]), building a level with \(2^k\) items obliviously requires \(O(2^k \cdot \log (2^k))=O(2^k \cdot k)\) time. This building algorithm is based on oblivious sorting, and its time overhead is inherited from the time overhead of the oblivious sort procedure (specifically, the best known algorithm for obliviously sorting \(n\) elements takes \(O(n\cdot \log n)\) time [1, 32]). Thus, summing over all levels (and ignoring the \(\log N\) lookup operations across different levels for each access), \(t\) accesses require \(\sum _{i=1}^{\log N} \lceil \frac{t}{2^{i}}\rceil \cdot O(2^{i} \cdot i) = O(t \cdot \log ^2 N)\) time. On the other hand, lookup takes essentially constant time per level (ignoring searching in stashes which introduce an additive factor), and this \(O(\log N)\) per access. Thus, there is an asymmetry between build time and lookup time, and the main overhead is the build.

The work of Patel et al. [53].. Classically (e.g., [12, 29, 31, 33, 40]), oblivious hash tables were built to support (and be secure for) every input array. This required expensive oblivious sorting, causing the extra logarithmic factor. The key idea of Patel et al. [53] is to modify the hierarchical ORAM framework to realize ORAM from a weaker primitive: an oblivious hash table that works only for randomly shuffled input arrays. Patel et al. describe a novel oblivious hash table such that building a hash table containing \(n\) elements can be accomplished without oblivious sorting and consumes only \(O(n \cdot \log \log \lambda)\) total time⁵ and lookup consumes \(O(\log \log n)\) total time. Patel et al. argue that their hash table construction retains security not necessarily for every input, but when the input array is randomly permuted, and moreover the input permutation is unknown to the adversary.

To be able to leverage this relaxed hash table in hierarchical ORAM, a remaining question is the following: whenever a level is being rebuilt in the ORAM (i.e., a new hash table is being constructed), how do we make sure that the input array is randomly and secretly shuffled? A naïve answer is to employ an oblivious random permutation to permute the input, but known oblivious random permutation constructions require oblivious sorting which brings us back to our starting point. Patel et al. solve this problem and show that there is no need to completely shuffle the input array. Recall that when building some level \(T_\ell\), the input array consists of only unvisited elements in tables \(T_0,\ldots ,T_{\ell -1}\) (and \(T_\ell\) too if \(\ell\) is the largest level). Patel et al. argue that the unvisited elements in tables \(T_0,\ldots ,T_{\ell -1}\) are already randomly permuted within each table and the permutation is unknown to the adversary. Then, they presented a new algorithm, called multi-array shuffle, that combines these arrays to a shuffled array within \(O(n \cdot \log \log \lambda)\) time, where \(n = |T_0|+|T_1|+\cdots +|T_{\ell -1}|\).⁶ The algorithm is somewhat involved, randomized, and has a negligible probability of failure.

The blueprint.. Our construction builds upon and simplifies the construction of Patel et al. To get better asymptotic overhead, we improve their construction in two different aspects:

We describe the core ideas behind these improvements next. In Section 2.1.1, we present our multi-array shuffle algorithm. In Section 2.1.2, we show how to construct a hash table for shuffled inputs achieving linear build time and constant lookup.

2.2 Tight Compaction

Recall that tight compaction can be considered as a restricted form of sorting, where each element in the input array receives a 1-bit key, indicating whether it is real or dummy. The goal is to move all the real elements in the array to the front obliviously, and without leaking how many elements are reals. We show a deterministic algorithm for this task.

Reduction to loose compaction.. Pippenger’s self-routing super-concentrator construction [56] proposes a technique that reduces the task of tight compaction to that of loose compaction. Informally speaking, loose compaction receives as input a sparse array, containing a few real elements and many dummy elements. The output is a compressed output array, containing all real elements but the procedure does not necessarily remove all the dummy elements. More concretely, we care about a specific form of loose compactor (parametrized by \(n\)): consider a suitable bipartite expander graph that has \(n\) vertices on the left and \(n/2\) vertices on the right where each node has a constant degree. At most \(1/128\) fractions of the vertices on the left will receive a real element, and we would like to route all real elements over vertex-disjoint paths to the right side such that every right vertex receives at most 1 element. The crux is to find a set of satisfying routes in linear time and obliviously. Once a set of feasible routes have been identified, it is easy to see that performing the actual routing can be done obliviously in linear time (and for obliviousness we need to route a dummy element over an edge that bears 0 load). During this process, we effectively compress the sparse input array (represented by vertices on the left) by \(1/2\) without losing any element.

Using Pippenger’s techniques [56] and with a little extra work, we can derive the following claim—at this point we simply state the claim while deferring algorithmic details to subsequent technical sections. Below \(D\) denotes the number of bits it takes to encode an element and \(w\) denotes the word size:

• Claim: There exist appropriate constants \(C, C^{\prime } \gt 6\) such that the following holds: if we can solve the aforementioned loose compaction problem obliviously in time \(T(n)\) for all \(n \le n_0\), then we can construct an oblivious algorithm that tightly compacts \(n\) elements in time \(C \cdot T(n) + C^{\prime } \cdot \lceil D/w \rceil \cdot n\) for all \(n \le n_0\).

As mentioned, the crux is to find satisfying routes for such a “loose compactor” bipartite graph obliviously and in linear time. Achieving this is non-trivial: for example, the recent work of Chan et al. [14] attempted to do this but their route-finding algorithm requires \(O(n \log n)\) runtime—thus Chan et al. [14]’s work also implies a loose compaction algorithm that runs in time \(O(n \log n + \lceil D/w \rceil \cdot n)\). To remove the extra \(\log n\) factor, we introduce two new ideas, packing, and decomposition—in fact both ideas are remotely reminiscent of a line of works in the core algorithms literature on (non-comparison-based, non-oblivious) integer sorting on RAMs [2, 17, 36] but obviously, we apply these techniques to a different context.

Packing: linear-time compaction for small instances.. We observe that the offline route-finding phase operates only on metadata. Specifically, the route-finding phase receives the following as input: an array of \(n\) bits where the \(i\)th bit indicates whether the \(i\)th input position is real or dummy. If the problem size \(n\) is small, specifically, if \(n \le w/\log w\) where \(w\) denotes the width of a memory word, we can pack the entire problem into a single memory word (since each element’s index can be described in \(\log n\) bits). In our technical sections we will show how to rely on word-level addition and boolean operations to solve such small problem instances in \(O(n)\) time. At a high level, we follow the slow route-finding algorithm by Chan et al. [14], but now within a single memory word, we can effectively perform SIMD-style operations and we exploit this to speed up Chan et al. [14]’s algorithm by a logarithmic factor for small instances.

Relying on the above Claim that allows us to go from loose to tight, we now have an \(O(n)\)-time oblivious tight compaction algorithm for small instances where \(n \le w / \log w\); specifically, if the loose compaction algorithm takes \(C_0 \cdot n\) time for \(C_0\ge 1\), then the runtime of the tight compaction would be upper bounded by \(C \cdot C_0 \cdot n + C^{\prime } \cdot \lceil D/w \rceil \cdot n \le C \cdot C_0 \cdot C^{\prime } \cdot \lceil D/w \rceil \cdot n\).

Decomposition: bootstrapping larger instances of compaction.. With this logarithmic advantage we gain in small instances, our hope is to bootstrap larger instances by decomposing larger instances into smaller ones.

Our bootstrapping is done in two steps—as we calculate below, each time we bootstrap, the constant hidden inside the \(O(n)\) runtime blows up by a constant factor; thus it is important that the bootstrapping is done for only \(O(1)\) times.

3.1 Oblivious Machines

We define an oblivious simulation of (possibly randomized) functionalities. We provide a unified framework that enables us to adopt composition theorems from secure computation literature (see, for example, Canetti and Goldreich [9, 10, 30]), and to prove constructions in a modular fashion.

Random-access machines.. A RAM is an interactive Turing machine that consists of a memory and a CPU. The memory is denoted as \({\mathsf {mem}} [{N},{w}]\), and is indexed by the logical address space \([N] = \lbrace 1,2,\ldots ,N\rbrace\). We refer to each memory word also as a block and we use \({{w}}\) to denote the bit-length of each block. The CPU has an internal state that consists of \(O(1)\) words. The memory supports read/write instructions \((\mathsf {op},{\mathsf {addr}}, {\mathsf {data}})\), where \(\mathsf {op} \in \lbrace {\mathsf {read}},{\mathsf {write}} \rbrace\), \({\mathsf {addr}} \in [N]\) and \({\mathsf {data}} \in \lbrace 0,1\rbrace ^{{w}}\cup \lbrace \bot \rbrace\). If \(\mathsf {op} = {\mathsf {read}}\), then \({\mathsf {data}} =\bot\) and the returned value is the content of the block located in logical address \({\mathsf {addr}}\) in the memory. If \(\mathsf {op} ={\mathsf {write}}\), then the memory data in logical address \({\mathsf {addr}}\) is updated to \({\mathsf {data}}\). We use the standard setting that \({w}= \Theta (\log N)\) (so a word can store an address). We follow the convention that the CPU performs one word-level operation per unit time, i.e., arithmetic operations (addition or subtraction), bitwise operations (AND, OR, NOT, or shift), memory accesses (read or write), or evaluating a pseudorandom function [12, 31, 33, 40, 41, 53].

Oblivious simulation of a (non-reactive) functionality.. We consider machines that interact with the memory via \({\mathsf {read}}/{\mathsf {write}}\) operations. We are interested in defining sub-functionalities such as oblivious sorting, oblivious shuffling of memory contents, and more, and then define more complex primitives by composing the above. For simplicity, we assume for now that the adversary cannot see memory contents, and does not see the \({\mathsf {data}}\) field in each operation \((\mathsf {op},{\mathsf {addr}},{\mathsf {data}})\) that the memory receives. That is, the adversary only observes \((\mathsf {op},{\mathsf {addr}})\). One can extend the constructions for the case where the adversary can also observe \({\mathsf {data}}\) using symmetric encryption in a straightforward way.

We define oblivious simulation of a RAM program. Let \(f:\lbrace 0,1\rbrace ^* \rightarrow \lbrace 0,1\rbrace ^*\) be a (possibly randomized) functionality in the RAM model. We denote the output of \(f\) on input \(x\) to be \(f(x) = y\). Oblivious simulation of \(f\) is a RAM machine \(M_f\) that interacts with the memory, has the same input/output behavior, but its access pattern to the memory can be simulated. More precisely, we let \(({\sf out},{\sf Addrs})\leftarrow M_f(x)\) be a pair of random variables where \({\sf out}\) corresponds to the output of \(M_f\) on input \(x\) and where \({\sf Addrs}\) define the sequence of memory accesses during the execution. We say that the machine \(M_f\) implements the functionality \(f\) if it holds that for every input \(x\), the distribution \(f(x)\) is identical to the distribution \({\sf out}\), where \(({\sf out},\cdot) \leftarrow M_f(x)\). In terms of security, we require oblivious simulation which we formalize by requiring the existence of a simulator that simulates the distribution of \({\sf Addrs}\) without knowing \(x\).

Later in our theorem statements, we often wish to explicitly characterize the security failure probability. Thus we also say that \(M_f\)\((1-\delta)\)-obliviously simulates the functionality \(f\), iff no non-uniform \(\texttt{PPT}\)\({\mathcal {A}} (1^\lambda)\) can distinguish the above joint distributions with probability more than \(\delta (\lambda)\)—note that the failure probability \(\delta\) is allowed to depend on the adversary \({\mathcal {A}}\)’s algorithm and running time. Additionally, a 1-oblivious algorithm is also called perfectly-oblivious.

Intuitively, the above definition requires indistinguishability of the joint distribution of the output of the computation and the access pattern, similarly to the standard definition of secure computation in which the joint distribution of the output of the function and the view of the adversary is considered (see the relevant discussions in Canetti and Goldreich [9, 10, 30]). Note that here we handle correctness and obliviousness in a single definition. As an example, consider an algorithm that randomly permutes some array in the memory, while leaking only the size of the array. Such a task should also hide the chosen permutation. As such, our definition requires that the simulation would output an access pattern that is independent of the output permutation itself.

Parametrized functionalities.. In our definition, the simulator receives no input, except the security parameter and the length of the input. While this is very restricting, the simulator knows the description of the functionality and therefore also its “public” parameters. We sometimes define functionalities with explicit public inputs and refer to them as “parameters”. For instance, the access pattern of a procedure for sorting of an array depends on the size of the array; a functionality that sorts an array will be parameterized by the size of the array, and this size will also be known by the simulator.

Modeling reactive functionalities.. We consider functionalities that are reactive, i.e., proceed in stages, where the functionality preserves an internal state between stages. Such a reactive functionality can be described as a sequence of functions, where each function also receives as input a state, updates it, and outputs an updated state for the next function. We extend Definition 3.2 to deal with such functionalities.

We consider a reactive functionality \({\mathcal {F}}\) as a reactive machine, that receives commands of the form \(({\sf command}_i,{\sf inp}_i)\) and produces an output \({\sf out}_i\), while maintaining some (secret) internal state. An implementation of the functionality \({\mathcal {F}}\) is defined analogously, as an interactive machine \(M_{\mathcal {F}}\) that receives commands of the same form \(({\sf command}_i,{\sf inp}_i)\) and produces outputs \({\sf out}_i\). We say that \(M_{\mathcal {F}}\) is oblivious, if there exists a simulator \({\mathsf {Sim}}\) that can simulate the access pattern produced by \(M_{\mathcal {F}}\) while receiving only \({\sf command}_i\) but not \({\sf inp}_i\). Our simulator \({\mathsf {Sim}}\) is also a reactive machine that might maintain a state between execution.

In more detail, we consider an adversary \(\mathcal {A}\) (i.e., the distinguisher or the “environment”) that participates in either a real execution or an ideal one, and we require that its view in both execution is indistinguishable. The adversary \(\mathcal {A}\) chooses adaptively in each stage the next command \(({\sf command}_i,{\sf inp}_i)\). In the ideal execution, the functionality \({\mathcal {F}}\) receives \(({\sf command}_i,{\sf inp}_i)\) and computes \({\sf out}_i\) while maintaining its secret state. The simulator is then being executed on input \({\sf command}_i\) and produces an access pattern \({\sf Addrs}_i\). The adversary receives \(({\sf out}_i,{\sf Addrs}_i)\). In the real execution, the machine \(M\) receives \(({\sf command}_i,{\sf inp}_i)\) and has to produce \({\sf out}_i\) while the adversary observes the access pattern. We let \(({\sf out}_i, {\sf Addrs}_i) \leftarrow M_f({\sf command}_i,{\sf inp}_i))\) denote the joint distribution of the output and memory accesses pattern produced by \(M\) upon receiving \(({\sf command}_i,{\sf inp}_i)\) as input. The adversary can then choose the next command, as well as the next input, in an adaptive manner according to the output and access pattern it received.

Definition 3.3

(Oblivious Simulation of a Reactive Functionality).

We say that a reactive machine \(M_{\mathcal {F}}\) is an oblivious implementation of the reactive functionality \({\mathcal {F}}\) if there exists a PPT simulator \({\sf Sim}\), such that for any non-uniform PPT (stateful) adversary \(\mathcal {A}\), the view of the adversary \(\mathcal {A}\) in the following two experiments \({\sf Expt}^{{\rm real}, {M}}_{\mathcal {A}}(1^\lambda)\) and \({\sf Expt}^{{\rm ideal}, {\mathcal {F}}}_{\mathcal {A},{\mathsf {Sim}}}(1^\lambda)\) is computationally indistinguishable:

Definition 3.3 can be extended in a natural way to the cases of statistical security (in which \(\mathcal {A}\) is unbounded and its view in both worlds is statistically close), or perfect security (\(\mathcal {A}\) is unbounded and its view is identical).

To allow our theorem statements to explicitly characterize the security failure probability, we also say that \(M_f\)\((1 -\delta)\)-obliviously simulates the reactive functionality \(\mathcal {F}\), iff no non-uniform probabilistic polynomial-time \({\mathcal {A}} (1^\lambda)\) can distinguish the above joint distributions with probability more than \(\delta (1^\lambda)\)—note that the failure probability \(\delta\) is allowed to depend on the adversary \({\mathcal {A}}\)’s algorithm and running time.

An example: ORAM. An example of a reactive functionality is an ordinary ORAM, implementing logical memory. Functionality 3.4 is a reactive functionality in which the adversary can choose the next command (i.e., either \({\mathsf {read}}\) or \({\mathsf {write}}\)) as well as the address and data according to the access pattern it has observed so far.

Definition 3.3 requires the existence of a simulator that on each \({\sf Access}\) command only knows that such a command occurred, and successfully simulates the access pattern produced by the real implementation. This is a strong notion of security since the adversary is adaptive and can choose the next command according to what it has seen so far.

Hybrid model and composition.. We sometimes describe executions in a hybrid model. In this case, a machine \(M\) interacts with the memory via \({\mathsf {read}}/{\mathsf {write}}\)-instructions and in addition, can also send \({\mathcal {F}}\)-instructions to the memory. We denote this model as \(M^{\mathcal {F}}\). When invoking a functionality \({\mathcal {F}}\), we assume that it only affects the address space on which it is instructed to operate; this is achieved by first copying the relevant memory locations to a temporary position, running \({\mathcal {F}}\) there, and finally copying the result back. This is the same whether \({\mathcal {F}}\) is reactive or not. Definition 3.3 is then modified such that the access pattern \({\sf Addrs}_i\) also includes the commands sent to \({\mathcal {F}}\) (but not the inputs to the command). When a machine \(M^{\mathcal {F}}\) obliviously implements a functionality \({\mathcal {G}}\) in the \({\mathcal {F}}\)-hybrid model, we require the existence of a simulator \({\mathsf {Sim}}\) that produces the access pattern exactly as in Definition 3.3, where here the access pattern might also contain \({\mathcal {F}}\)-commands.

The concurrent composition follows from [10], since our simulations are universal and straight-line. Thus, if (1) some machine \(M\) obliviously simulates some functionality \({\mathcal {G}}\) in the \({\mathcal {F}}\)-hybrid model, and (2) there exists a machine \(M_{\mathcal {F}}\) that obliviously simulate \({\mathcal {F}}\) in the plain model, then there exists a machine \(M^{\prime }\) that obliviously simulate \({\mathcal {G}}\) in the plain model.

Input assumptions.. In some algorithms, we assume that the input satisfies some assumptions. For instance, we might assume that the input array for some procedure is randomly shuffled or that it is sorted according to some key. We can model the input assumption \({\mathcal {X}}\) as an ideal functionality \({\mathcal {F}}_{\mathcal {X}}\) that receives the input and “rearranges” it according to the assumption \(\mathcal {X}\). Since the mapping between an assumption \(\mathcal {X}\) and the functionality \({\mathcal {F}}_{\mathcal {X}}\) is usually trivial, and can be deduced from context, we do not always describe it explicitly.

We then prove statements of the form: “The algorithm \(A\) with input satisfying assumption \(\mathcal {X}\) obliviously implements a functionality \({\mathcal {F}}\)”. This should be interpreted as an algorithm that receives \(x\) as input, invokes \({\mathcal {F}}_{\mathcal {X}}(x)\) and then invokes \(A\) on the resulting input. We require that this modified algorithm implements \({\mathcal {F}}\) in the \({\mathcal {F}}_{\mathcal {X}}\)-hybrid model.

4.1 Oblivious Sorting Algorithms

The elegant work of Ajtai et al. [1] shows that there is a comparator-based circuit with \(O\left(n\cdot \log n\right)\) comparators that can sort any array of length \(n\).

Packed oblivious sort.. We consider a variant of the oblivious sorting problem on a RAM, which is useful when each memory word can hold up to \(B \gt 1\) elements. The following theorem assumes that the RAM can perform only word-level addition, subtraction, and bitwise operations in unit cost (as defined in Section 3.1).

Proof.

We use a variant of bitonic sort, introduced by Batcher [5]. It is well-known that, given a list of \(n\) elements, bitonic sort runs in \(O(n \cdot \log ^2 n)\) time. The algorithm, viewed as a sorting network, proceeds in \(O(\log ^2 n)\) iterations, where each iteration consists of \(\frac{n}{2}\) comparators (see Figure 1). In each iteration, the comparators are totally parallelizable, but our goal is to perform the comparators efficiently using standard word-level operation, i.e., to perform each iteration in \(O(\frac{n}{B})\) standard word-level operations. The intuition is to pack sequentially \(O(B)\) elements into each word and then apply single-instruction-multiple-data(SIMD) comparators, where a SIMD comparator emulates \(O(B)\) standard comparators using only constant time. We show the following facts: (1) each iteration runs in \(O(\frac{n}{B})\) SIMD comparators and \(O(\frac{n}{B})\) time, and (2) each SIMD comparator can be instantiated by a constant number of word-level subtraction and bitwise operations.

Fig. 1.

View Figure

To show fact (1), we first assume without loss of generality that \(n\) and \(B\) are powers of 2. We refer to the packed array which is the array of \(\frac{n}{B}\) words, where each word stores \(B\) elements. Then, for each iteration, we want a procedure that takes as input the packed array from the previous iteration, and outputs the packed array that is processed by the comparators prescribed in the standard bitonic sort. To use SIMD comparators efficiently and correctly, for each comparator, the input pair of elements has to be aligned within the pair of two words. We say that two packed arrays are aligned if and only if the offset between each two words is the same. Hence, it suffices to show that it takes \(O(1)\) time to align \(O(B)\) pairs of elements. By the definition of bitonic sort, in the same iteration, the offset between any compared pair is the same power of 2 (see Figure 1). Since \(B\) is also a power of 2, one of the following two cases holds:

(a)	All comparators consider two elements from two distinct words, and elements are always aligned in the input.
(b)	All comparators consider two elements from the same word, but the offset \(t\) between any compared pair is the same power of 2.

In case (a), the required alignment follows immediately. In case (b), it suffices to do the following:

(1)	Split one word into two words such that elements of the offset \(t\) are interleaved, where the two words are called odd and even, and then
(2)	Shift the even word by \(t\) elements so the comparators are aligned to the odd word.

The above procedure takes \(O(1)\) time. Indeed, there are two applications of the comparators, and thus it blows up the cost of the operation by a factor of 2. Thus, the algorithm of an iteration aligns elements, applies SIMD comparators, and then reverses the alignment. Every iteration runs \(O\left(\frac{n}{B}\right)\) SIMD comparators plus \(O\left(\frac{n}{B}\right)\) time.

For fact (2), note that to compare \(k\)-bit strings it suffices to perform \((k+1)\)-bit subtraction (and then use the sign bit to select one string). Hence, the intuition to instantiate the SIMD comparator is to use “SIMD” subtraction, which is the standard word subtraction but the packed elements are augmented by the sign bit. The procedure is as follows. Let \(k\) be the bit-length of an element such that \(B\cdot k\) bits fit into one memory word. We write the \(B\) elements stored in a word as a vector \(\vec{a} = (a_1, \ldots , a_B)\in (\lbrace 0,1\rbrace ^{k})^B\). It suffices to show that for any \(\vec{a} = (a_1, \ldots , a_B)\) and \(\vec{b} = (b_1, \ldots , b_B)\) stored in two words, it is possible to compute the mask word \(\vec{m} = (m_1, \ldots , m_B)\) such that \(\begin{align*} m_i = {\left\lbrace \begin{array}{ll} 1^k & \mbox{if } a_i \ge b_i\\ 0^k & \mbox{otherwise.} \end{array}\right.} \end{align*}\) For binary strings \(x\) and \(y\), let \(xy\) be the concatenation of \(x\) and \(y\). Let \(*\) be a wild-card bit. Assume additionally that the elements are packed with additional sign bits, i.e., \(\vec{a} = \left(*a_1, *a_2, \dots , *a_B\right)\). This can be done by simply splitting one word into two. Consider two input words \(\vec{a} = \left(1 a_1, \right.\left. 1 a_2, \dots , 1 a_B\right)\) and \(\vec{b} = \left(0 b_1, 0 b_2, \dots , 0 b_B\right)\) such that \(a_i, b_i \in \lbrace 0,1\rbrace ^k\). The procedure runs as follows:

(1)	Let \(\vec{s^{\prime }} = \vec{a} - \vec{b}\), which has the format \((s_1 *^k, s_2 *^k, \dots , s_B *^k)\), where \(s_i \in \lbrace 0,1\rbrace\) is the sign bit such that \(s_i = 1\) iff \(a_i \ge b_i\). Keep only sign bits and let \(\vec{s} = (s_1 0^k, \dots , s_B 0^k)\).
(2)	Shift \(\vec{s}\) and get \(\vec{m^{\prime }} = (0^k s_1, \dots , 0^k s_B)\). Then, the mask is \(\vec{m} = \vec{s} - \vec{m^{\prime }} = (0s_1^k, \dots , 0s_B^k)\).

The above takes \(O(1)\) subtraction and bitwise operations. This concludes the proof.□

4.2 Oblivious Random Permutations

We say that an algorithm \({\sf ORP}\) is a statistically secure oblivious random permutation, iff ORP statistically obliviously simulates the functionality \(\mathcal {F}_{\rm perm}\) which, upon receiving an input array of \(n\) elements, chooses a random permutation \(\pi\) from the space of all \(n!\) permutations on \(n\) elements, uses \(\pi\) to permute the input array, and outputs the result. Note that this definition implies that not only does ORP output an almost random permutation of the input array; moreover, the access patterns of ORP are statistically close for all input arrays and all permutations. As before, we use the notation \((1-\delta)\)-oblivious random permutation to explicitly denote the algorithm’s failure probability \(\delta\).

Later, in our ORAM construction, this version of ORP will be applied to arrays of size \(n \ge \log ^3\lambda\), where \(\lambda\) is a security parameter, and thus the failure probability is bounded by a negligible function in \(\lambda\).

Packed oblivious random permutation.. The following version of oblivious random permutation has good performance when each memory word is large enough to store many copies of the elements to be permuted tagged with their own indices. The algorithm follows directly by plugging in our oblivious packed sort (Theorem 4.2) into the oblivious random permutation algorithm (Theorem 4.3).

Perfect oblivious random permutation.. Note that the permutation of Theorem 4.3 runs in time \(O(n\cdot \log n)\) but it may fail w.p. \(e^{-\sqrt {n}}\). We construct a perfectly oblivious random permutation in this article. This scheme comes as a by-product of our tight compaction and intersperse algorithms that we construct later in Sections 5 and 6.4.

4.3 Oblivious Bin Placement

Let \({\bf I}\) be an input array containing real and dummy elements. Each element has a tag from \(\lbrace 1,\ldots ,|{\bf I}|\rbrace \cup \lbrace \bot \rbrace\). It is guaranteed that all the dummy elements are tagged with \(\bot\) and all real elements are tagged with distinct values from \(\lbrace 1,\ldots ,|{\bf I}|\rbrace\). The goal of oblivious bin placement is to create a new array \({\bf I}^{\prime }\) of size \(|{\bf I}|\) such that a real element that is tagged with the value \(i\) will appear in the \(i\)th cell of \({\bf I}^{\prime }\). If no element was tagged with a value \(i\), then \({\bf I}^{\prime }[i]=\bot\). The values in the tags of real elements can be thought of as “bin assignments” where the elements want to go to and the goal of the bin placement algorithm is to route them to the right location obliviously.

Oblivious bin placement can be accomplished with \(O(1)\) number of oblivious sorts (Section 4.1), where each oblivious sort operates over \(O(|{\bf I}|)\) elements [12, 15]. In fact, these works [12, 15] describe a more general oblivious bin placement algorithm where the tags may not be distinct, but we only need the special case where each tag appears at most once.

4.4 Oblivious Hashing

An oblivious (static) hashing scheme is a data structure that supports three operations \({\sf Build}\), \({\sf Lookup}\), and \({\sf Extract}\) that realizes the following (ideal) reactive functionality. The \({\sf Build}\) procedure is the constructor and it creates an in-memory data structure from an input array \({\bf I}\) containing real and dummy elements where each real element is a (key, value) pair. It is assumed that all real elements in \({\bf I}\) have distinct keys. The \({\sf Lookup}\) procedure allows a requestor to look up the value of a key. A special symbol \(\bot\) is returned if the key is not found or if \(\bot\) is the requested key. We say a (key, value) pair is visited if the key was searched for and found before. We assume non-recurrent lookups, namely, no real key is searched more than once in the lifetime of the hash table. Finally, \({\sf Extract}\) is the destructor and it returns a list containing unvisited elements padded with dummies to the same length as the input array \({\bf I}\).

An important property that our construction relies on is that if the input array \({\bf I}\) is randomly shuffled, to begin with (with a secret permutation), the outcome of \({\sf Extract}\) is also randomly shuffled (in the eyes of the adversary). In addition, we need obliviousness to hold only when the \({\sf Lookup}\) sequence is non-recurrent, i.e., the same real key is never requested twice (but dummy keys can be looked up multiple times). The functionality is formally given next.

Construction of naïveHT.. A naïve, perfectly secure oblivious hashing scheme can be obtained directly [14, 19] from a perfectly secure ORAM construction [14, 19]. Both schemes [14, 19] are Las Vegas algorithms: for any capacity \(n\), it almost always takes \(O(\log ^3 n)\) time to serve a request—however with negligible in \(n\) probability, it may take longer to serve a request. We stress that although the runtime may sometimes exceed the stated bound, there is never any security or correctness failure in the known perfectly secure ORAM constructions [14, 19]. We observe that the scheme of Chan et al. [14] is a Las Vegas algorithm only because the oblivious random permutation they employ is a Las Vegas algorithm. In this article, we actually construct a perfect oblivious random permutation that runs in \(O(n \cdot \log n)\) time with probability 1 (Theorem 4.6). Thus, we can replace the oblivious random permutation in Chan et al. [14] with our own Theorem 4.6. Interestingly, this results in the first non-trivial perfectly oblivious RAM that is not a Las Vegas algorithm.

To construct \({{\sf naïveHT}}\) using an perfectly secure ORAM scheme, we use Theorem 4.8 to compile a standard, balanced binary search tree data structure (e.g., a red-black tree). Finally, Extract can be performed in linear time if we adopt the perfect ORAM of Theorem 4.8 which incurs constant space blowup. In more detail, we flatten the entire in-memory data structure into a single array, and apply oblivious tight compaction (Theorem 1.2) on the array, moving all the real elements to the front. We then truncate the array at length \(|{\bf I}|\), apply a perfectly random permutation on the truncated array, and output the result. This gives the following construction.

Later in our article, whenever we need an oblivious hashing scheme for a small (\(\mathsf {poly}\log (\lambda)\)-sized) bin, we will adopt naïveHT since it is perfectly secure. In comparison, schemes whose failure probability is negligible in the problem size (\(\mathsf {poly}\log (\lambda)\) in this case) may not yield \({\sf negl}(\lambda)\) failure probability. Indeed, almost all known computationally secure [29, 31, 33, 40] or statistically secure [58, 61, 63] ORAM schemes have a (statistical) failure probability that is negligible in the problem’s size and are thus unsuited for small, poly-logarithmically sized bins. In a similar vein, earlier works also employed perfectly secure ORAM schemes to treat poly-logarithmic size inputs [58].

4.5 Oblivious Cuckoo Hashing

A Cuckoo hashing scheme [52] is a hashing method with a constant lookup cost (ignoring the stash). Imagine that we wish to hash \(n\) balls into a table of size \({\sf c_{\sf cuckoo}}\cdot n\), where \({\sf c_{\sf cuckoo}}\gt 1\) is an appropriate fixed constant. Additionally, there is a stash denoted \({\sf S}\) of size \(s\) for holding a small number of overflowing balls. We also refer to each position of the table as a bin, and a bin can hold exactly one ball. Each ball receives two independent bin choices. During the build phase, we execute a Cuckoo assignment algorithm that picks either a bin-choice for each ball among its two specified choices, or assigns the ball to some position in the stash. It must hold that no two balls are assigned to the same location either in the main table or in the stash. Kirsch et al. [39] showed an assignment algorithm that succeeds with probability \(1 - n^{-\Omega (s)}\) over the random bin choices, where \(s\) denotes the stash size.

Without privacy, it is known that such an assignment can be computed in \(O(n)\) time. However, it is also known that the standard procedure for building a Cuckoo hash table leaks information through the algorithm’s access patterns [12, 33, 60]. Goodrich and Mitzenmacher [33] (see also the recent work of Chan et al. [12]¹¹) showed that a Cuckoo hash table can be built obliviously in \(O\left(n \cdot \log n\right)\) total time. In our ORAM construction, we will need to apply Chan et al. [12]’s oblivious Cuckoo hashing techniques in a non-blackbox fashion to enable asymptotically more efficient hashing schemes for randomly shuffled input arrays. Below, we present the necessary preliminaries.

4.6 Oblivious Dictionary

As opposed to the oblivious hash table from Section 4.4, which is a static data structure, an oblivious dictionary is an extension of oblivious hashing, which allows to add only one element at a time into the structure using an algorithm Insert, where Insert is called at most \(n\) times for a pre-determined capacity \(n\). Also, the dictionary supports Lookup and Extract procedures as described in oblivious hashing. Note that there is no specific order in which Insert and Lookup requests have to be made and they could be mixed arbitrarily. Another difference between our hashing notion and the dictionary notion is that the Extract operation outputs all elements, including “visited” elements (while Extract of oblivious hashing outputs only “unvisited” elements). In summary, an oblivious dictionary realizes Functionality 4.16 described below.

4.7 Oblivious Balls-into-Bins Sampling

Consider the ideal functionality \({\mathcal {F}}^{\mathsf {throw\text{-}balls}}_{n,m}\) that throws \(n\) balls into \(m\) bins uniformly at random and outputs the bin loads. A non-oblivious algorithm for this functionality will throw each ball independently at random and will run in ime \(O(n)\). To achieve obliviousness, we need to be able to sample binomials.

Let \({\sf Binomial}(n,p)\) be the binomial distribution parameterized by \(n\) independent trial with success probability \(p\). Let \({\mathcal {F}}^{\mathsf {binomial}}\) be an ideal functionality that samples from \({\sf Binomial}(n,1/2)\) and outputs the result. The standard way to implement \({\mathcal {F}}^{\mathsf {binomial}}\) is to toss \(n\) independent coins, but this takes time \(O(n)\). Since this is too expensive for our purposes, we settle for an approximation using an algorithm of Bringmann et al. [8] (see also [21]).

Here is our implementation of \({\mathcal {F}}^{\mathsf {throw\text{-}balls}}\) using \({\sf SampleApproxBinomial}_\delta\).

If we use \(\delta =0\) in the above algorithm, then \({\sf SampleBinLoad}\) perfectly and obliviously implements \({\mathcal {F}}^{\mathsf {throw\text{-}balls}}\). Using the efficient algorithm for sampling approximated binomials (Theorem 4.18), we get the following theorem.

5.1 Reducing Tight Compaction to Loose Compaction

We first reduce the problem of tight compaction in linear time to loose compaction in linear time. A loose compaction algorithm is parametrized by a sufficiently large constant \(\ell \gt 2\) (which will be chosen in Section 5.2), and the input is an array \({\bf I}\) of size \(n\) that has real and dummy balls. It is guaranteed that the number of reals is at most \(n/\ell\). The expected output of the procedure is an array of size \(n/2\) that contains all the real balls.

From SwapMisplaced to TightCompaction .. The first observation for our tight compaction algorithm is that some balls already reside in the correct place, and only some balls have to be moved. In fact, the number of 0-balls that are “misplaced” equals exactly the number of 1-balls that are misplaced. Specifically, assume that there are \(c\) balls marked 0; all 1 balls in the subarray \({\bf I}[1,\ldots ,c]\) are misplaced, and all 0 balls in \({\bf I}[c+1,\ldots ,n]\) are also misplaced. Notice that the number of misplaced 0 balls equals the number of misplaced 1 balls. Therefore, we have reduced the problem of tight compaction to the problem of swapping misplaced 0 balls with the misplaced 1 balls. The misplaced items will be labeled with red/blue colors. This reduction is described as Algorithm 5.3.

From LooseSwapMisplaced and LooseCompaction to SwapMisplaced .. In SwapMisplaced, we are given \(n\) balls, each is labeled as either \({\sf red}\), \({\sf blue}\) or \(\bot\). It is guaranteed that the number of blue balls equals the number of red balls. Our goal is to obliviously swap the locations of the blue balls with the red balls. To implement SwapMisplaced we use two subroutines, \({\sf LooseCompaction}_\ell\) and \({\sf LooseSwapMisplaced}_\ell\), parametrized with a number \(\ell \gt 2\) that have the following input-output guarantees:

Using these two procedures, SwapMisplaced works by first running \({\sf LooseSwapMisplaced}_\ell\) which makes all the necessary swaps except for at most \(1/\ell\) fraction. We then perform \({\sf LooseCompaction}_\ell\) on the resulting array, moving all the remaining \({\sf red}\) and \({\sf blue}\) balls to the first half of the array. Then, we continue recursively and perform \({\sf SwapMisplaced}\) on the first half of the array. To be able to facilitate the recursion, we record the original placement of the balls and their movements, and revert them in the end. Given a linear time algorithm for \({\sf LooseCompaction}_\ell\) and \({\sf LooseSwapMisplaced}_\ell\) (that we will achieve below), the recursive formula for the running time of the algorithm is \(T(n)=T(n/2)+O(n)\), and therefore is linear. The description of \({\sf SwapMisplaced}\) is given in Algorithm 5.5 and we have the following claim.

Implementing \({\sf LooseSwapMisplaced}_\ell\).. The access pattern of the algorithm is determined by a (deterministically generated) expander graph \(G_{\epsilon ,n} = (L,R,E)\), where the allowed swaps are vertices

of distance 2. That is, we interpret \(L = R= [n]\); if two vertices \(i,k \in R\) have some common neighbor \(j \in L\), and \({\bf I}[i],{\bf I}[k]\) are both marked with different colors, then we swap them and change their mark to \(\bot\). Choosing the expansion parameters of the graph appropriately guarantees that after performing these swaps, there are at most \(n/\ell\) misplaced balls. As the graph is \(d\)-regular, there are at most \({d \choose 2}\cdot n\) neighbors of distance 2, and since \(d=O(1)\), the total running time is \(O(n)\).

5.2 Loose Compaction

In Section 5.2.1, we describe the algorithm \({\sf CompactionFromMatching}\)—compacting an array given the required matching (via “folding”). In Section 5.2.2, we show how to compute the matching, both for the case where \(m\) is “big” (\(\mathsf {SlowMatch}\)) and when \(m\) is “small” (\(\mathsf {FastMatch}\)). In Section 5.2.3, we present the full loose compaction algorithm.

5.2.1 Compaction from Matching.

We show that with the appropriate notion of matching (given below), one can “fold” an array \(A\), with a density of real balls being small enough, such that all the real balls reside in the output array of size \(n/2\).

Definition 5.8

((B, B/4)-Matching)

Let \(G = (L, R, E)\) be a bipartite graph, and let \(S \subseteq L\) and \(M \subseteq E\). Given any vertex \(u \in L \cup R\), define \(\Gamma _M(u) := \lbrace v \in L \cup R \mid (u,v) \in M\rbrace\) as the subset of neighboring vertices in \(M\). We say that \(M\) is a \((B,B/4)\)-matching for \(S\), iff (i) for every \(u \in S\), \(|\Gamma _M(u)| \ge B\), and; (ii) for every \(v \in R\), \(|\Gamma _M(v)| \le B/4\).

In Algorithm 5.9, we show how to compact an array given a \((B,B/4)\)-matching for the set of all dense bins \(S\), where a bin is said to be dense if it contains more than \(B/4\) real balls. We assume that the matching itself is given to us via an algorithm \({\sf ComputeMatching}_{G}(S)\). The implementation of \({\sf ComputeMatching}_{G}(\cdot)\) is given in Section 5.2.2. Note that for any problem size \(m \lt 2B\), it suffices to perform oblivious sorting (e.g., Theorem 4.1) instead of the following algorithm as \(B\) is a constant.

Given that \(|E|=O(m)\) and \(B\) is a constant, the running time is linear in \(\lceil D/w\rceil \cdot m\). Also, there are at most \(\frac{m}{B} \cdot \frac{1}{32}\) dense bins as the total number of real balls is at most \(\frac{m}{128}\) (i.e., \(|S| \le \frac{m}{32B}\)), so \(M\) is a \((B,B/4)\)-matching by \({\sf ComputeMatching}\), as we will show later in Claim 5.16. Hence, correctness holds. As for correctness, the \((B,B/4)\) matching \(M\) guarantees that every vertex in the right vertices of \(G\) contains at most \(B/4\) real elements. As a result, after the distribute phase, all bins in the entire graph contain at most \(B/4\) real elements, and we can fold the array without having any overflow. The following claim is immediate.

Claim 5.10.

Let \({\bf I}\) be an array of \(m\) balls, where each ball is of size \(D\) bits, and where at most \(m /128\) balls are marked real. Then, the output of \({\sf CompactionFromMatching}_{D}({\bf I})\) is an array of \(m/2\) balls that contains all real balls in \({\bf I}\). The running time of the algorithm is \(O(\lceil D/w\rceil \cdot m)\) plus the running time of \({\sf ComputeMatching}_{G_{\epsilon ,m/B}}\).

5.2.2 Computing the Matching.

To compute the matching, we have two cases to consider, depending on the size of the input, and each algorithm results in a different running time.

Case I: \(\mathsf {SlowMatch}\)\((\frac{m}{B} \gt \frac{w}{\log w})\).. We transform the non-oblivious algorithm described in the overview, that runs in time \(O(m)\), into an oblivious algorithm, by performing fake accesses. This results in an algorithm that requires \(O(m \cdot \log m)\) time [14]. The bolded instructions in \(\mathsf {SlowMatch}_{G_{\epsilon ,m/B}}(S)\) are the ones where we pay the extra \(\log m\) factor in efficiency; these accesses will be avoided in Case II (\(\mathsf {FastMatch}\)).

In the following claim, we show that the size of \(L^{\prime }\) decreases by a constant factor in every iteration which implies that the algorithm finishes after \(\log (m/B)\) iterations. This means that \(\mathsf {SlowMatch}\) outputs a correct \((B,B/4)\)-matching for \(S\) in time \(O(m \cdot \log m)\) (see Claim 5.14).

Claim 5.13.

Let \(S \subset L\) such that \(|S| \le m/(32B)\), and let \(\epsilon = \frac{1}{64}\). In each iteration of Algorithm 5.12, the number of unsatisfied vertices \(|L^{\prime }|\) decreases by a factor of 2.

Proof.

Let \(L^{\prime }\) be the set of unsatisfied vertices at beginning of any given round, let \(R^{\prime }_{\sf neg} \subseteq R^{\prime } \subseteq \Gamma (L^{\prime })\) be the set of neighbors such that reply negative, and let \(m^{\prime } = m/B\). Then, \(e(L^{\prime }, R^{\prime }_{\sf neg}) \gt |R^{\prime }_{\sf neg} |\cdot B/4\). From the expansion property in Theorem 5.2, we obtain \(|R^{\prime }_{\sf neg}|\cdot B/4 \lt e(L^{\prime },R^{\prime }_{\sf neg}) \le d_\epsilon |L^{\prime }||R^{\prime }_{\sf neg}|/m^{\prime }+\epsilon d_\epsilon \sqrt {|L^{\prime }||R^{\prime }_{\sf neg}|}\); dividing by \(|R^{\prime }_{\sf neg}|d_\epsilon\) and rearranging this becomes \(\epsilon \sqrt {|L^{\prime }|/|R^{\prime }_{\sf neg}|} \gt B/(4d_\epsilon)-|L^{\prime }|/m^{\prime }\). We chose \(B\) as the largest power of 2 that is no larger than \(d_\epsilon /2\), and so \(B /d_\epsilon \gt 1/4\). Since \(|L^{\prime }|/m^{\prime }\le 1/32\) (recall that \(L^{\prime }\) is initially \(S\), and the number of dense vertices, \(|S|\), is at most \(m/(32B)\)), and since \(\epsilon = \frac{1}{64}\), we have that: \(\begin{align*} \sqrt {|L^{\prime }|/|R^{\prime }_{\sf neg}|} \gt \frac{1}{\epsilon }\cdot \frac{B}{4d_\epsilon }-\frac{1}{\epsilon }\cdot \frac{|L^{\prime }|}{m^{\prime }} \gt \frac{1}{\epsilon }\cdot \left(\frac{1}{16} - \frac{1}{32}\right)\!, \end{align*}\) then \(\sqrt {|L^{\prime }|/|R^{\prime }_{\sf neg}|} \ge 64/16 - 64/32\), i.e., \(|{R^{\prime }_{\sf neg}}| \le |L^{\prime }|/4\).

We conclude that the number of vertices in \(R^{\prime }\) that reply negatively is at most \(|L^{\prime }|/4\). As \(L^{\prime }\) has \(d_\epsilon |L^{\prime }|\) outgoing edges, and \(R^{\prime }_{\sf neg}\) has at most \(d_\epsilon |R^{\prime }_{\sf neg}| \le d_\epsilon |L^{\prime }|/4\) incoming edges, at most one quarter of edges in \(L^{\prime }\) lead to \(R^{\prime }_{\sf neg}\) and yield a negative reply. Since \(d_\epsilon =B/2\) and every vertex in \(L^{\prime }\) sends \(d_\epsilon\) requests and all negative are from \(R^{\prime }_{\sf neg}\), there are at most \(d_\epsilon |L^{\prime }|/4\) negative replies, and therefore at most \(|L^{\prime }|/2\) nodes in \(L^{\prime }\) get more than \(B=d_\epsilon /2\) negatives. We conclude that at least \(|L^{\prime }|/2\) nodes become satisfied.□

Claim 5.14.

Let \(S \subset L\) such that \(|S| \le m/(32B)\), and let \(\epsilon = \frac{1}{64}\). Then, \(\mathsf {SlowMatch}_{ G_{\epsilon , m/B}}\) takes as input \(S\), runs obliviously in time \(O(m \cdot \log m)\), and outputs a \((B, B/4)\)-matching for \(S\).

Proof.

The runtime follows by there are \(\log \frac{m}{B}\) iterations and each iteration takes \(O(m)\) time. Obliviousness follows since the access pattern is a deterministic function of the graph \(G_{\epsilon , m/B}\), which depends only on the parameter \(m\) (but not on the input \(S\)). We argue correctness next. By Step 3(c)ii, every removal of vertex \(u\) from \(L^{\prime }\) has at least \(B\) edges in the output \(M\). Also, the edge added to \(M\) must have a vertex in \(R^{\prime }\) that has at most \(B/4\) requests at Step 3(b)ii. Observing that the set of received requests at Step 3(b)ii is non-increasing over iterations, it follows that for every \(v \in R\), \(\Gamma _M(v) \le B/4\). By Claim 5.13, after \(\log (m/B)\) iterations, we have \(L^{\prime } = \emptyset\), and hence every \(u \in S\) has at least \(B\) edges in \(M\).□

Case II: \(\mathsf {FastMatch}\)\((\frac{m}{B} \le \frac{w}{\log w})\).. Here, we improve the running time by relying on the fact that for instances where \(m\) is really small (as above), the number of words needed to encode the whole graph is really small (i.e., constant). While obliviousness is obtained again by accessing the whole graph, this time it will be much cheaper as we will be able to read the whole graph while accessing a small number of words. The algorithm is described in Algorithm 5.15. Note that whenever we write, e.g., “access \({\sf Reply}[v]\)”, we actually access the whole array \({\sf Reply}\) as it is \(O(1)\) words, and do not reveal which vertex we actually access. Thus, each iteration takes time \(O(|L^{\prime }|+|R^{\prime }|)\), and since the size of \(|L^{\prime }|\) is reduced by a factor of 2 in each iteration (and since \(|R^{\prime }|\le d_{\epsilon }\cdot |L^{\prime }|\)), we perform \(O(m)\) time in total. Additionally, note that we store the set \(L^{\prime }\) as a set (i.e., a list) and not as a bit vector, as we cannot afford the \(O(m)\) time required to run over all balls of \(L\) and then ask whether the element is in \(L^{\prime }\).

Claim 5.16.

Given the public \(d_\epsilon\)-regular bipartite graph \(G_{\epsilon ,m/B} = (L,R,E)\) such that \(B = d_\epsilon / 2\), let \(S \subseteq L\) be a set such that \(|S| \le \frac{m}{32 B}\). Then, \({\sf ComputeMatching}_{G_{\epsilon ,m/B}}(S)\) outputs a \((B,B/4)\)-matching for \(S\), where the running time is \(O(m)\) if \(\frac{m}{B} \le \frac{w}{\log w}\), and \(O(m \cdot \log m)\) otherwise.

Proof.

The correctness follows from Claim 5.14 and the time bound follows from the time of \(\mathsf {FastMatch}\) and \(\mathsf {SlowMatch}\) in both cases.□

5.2.3 Oblivious Loose Compaction.

By combining Claims 5.16 and 5.10 we get the following corollary.

Corollary 5.17.

The total running time of \({\sf CompactionFromMatching}_{D}\) on an array of \(m\) elements each of size \(D\) bits is \(O(\lceil D/w\rceil \cdot m)\) if \(m \le \frac{w}{\log w}\), and \(O(\lceil D/w\rceil \cdot m + m \cdot \log m)\) otherwise.

The next algorithm shows how to compute \({\sf LooseCompaction}_\ell ({\bf I})\) for any input array \({\bf I}\) in which there are at most \(| {\bf I}| /\ell\) elements that are marked.

Theorem 5.19.

Let \(\ell = 2^{38}\). For any input array \({\bf I}\) with \(n\) balls such that each ball consists of \(D\) bits and with at most \(n/\ell\) real balls, the procedure \({\sf LooseCompaction}_{\ell }({\bf I})\) outputs an array of size \(n/2\) consisting of all real balls in \({\bf I}\), and runs in time \(O(\lceil {D/w} \cdot n)\).

Proof.

To show the correctness, we check that in all cases, both \({\sf CompactionFromMatching}\) and \({\sf LooseCompaction}_\ell\) are called with an input array \({\bf I}\) such that at most \(|{\bf I}| / 128\) balls are real so that the correctness is implied by Claim 5.10 (henceforth referred to as the 128-condition). We proceed by checking the 128-condition for each case in \({\sf LooseCompaction}_\ell\). Note that \(2^{38} = (2 \cdot (2 \cdot 128)^2)^2\).¹⁴

—	Case I: It is always called with \(\ell = 2^{38}\). At Step 2, note that the number of dense blocks is at most \(\frac{n}{{\mu }}\cdot \frac{1}{\sqrt {\ell }}\) as the total number of real balls is at most \(\frac{n}{\ell }\). Hence, the two \({\sf CompactionFromMatching}\) takes as input at most \((\frac{n}{{\mu }}) / \sqrt {\ell }\) and then \((\frac{n}{2{\mu }}) / (\sqrt {\ell } / 2)\) dense blocks, and the 128-condition holds as \(\sqrt {\ell } / 2 = (2 \cdot 128)^2 \gt 128\). The two \({\sf LooseCompaction}_{\sqrt {\ell } / 2}\) takes at most \({\mu }/ \sqrt {\ell }\) and \((\frac{{\mu }}{2}) / (\sqrt {\ell } / 2)\) real balls as each block is not dense, and then the 128-condition holds for \(\sqrt {\ell }\) and \(\sqrt {\ell } / 2\) similarly.
—	Case II: It can be either called directly with \(\ell = 2^{38}\), or called indirectly from Case I with \(\ell = (2 \cdot 128)^2\). Hence, the number of real is at most \(n / (2 \cdot 128)^2\). By the same calculation as Case I, the two \({\sf CompactionFromMatching}\) and two \({\sf LooseCompaction}_{\sqrt {\ell } / 2}\) take an input array such that the sparsity is at least \(\sqrt {(2 \cdot 128)^2} / 2 = 128\), and the 128-condition holds.
—	Case III: Similar to Case II, it can be called directly, indirectly from Case I, or indirectly from Case II with \(\ell = 2^{38}, (2 \cdot 128)^2\), or 128 respectively. Hence, the given sparsity \(\ell\) is at least 128, and hence the 128-condition holds directly for \({\sf CompactionFromMatching}\).

To show the time complexity, observe that, except for \({\sf CompactionFromMatching}\), all other procedures run in time \(O(n)\). By Corollary 5.17, running \({\sf CompactionFromMatching}\) on \(m\) items of size \(D\) bits takes \(O(\lceil D/w\rceil \cdot m)\) time if \(m \le \frac{w}{\log w}\), or \(O(\lceil D/w\rceil \cdot m + m \cdot \log m)\) otherwise. For any \(n\), the depth of the recursive call to \({\sf LooseCompaction}\) is at most 2. Hence, it suffices to show that in each case, every \({\sf CompactionFromMatching}\) run in \(O(\lceil D / w\rceil \cdot n)\) time. We proceed from Case III back to I.

—	Case III: Since \(n \lt \frac{w}{\log w}\), the \({\sf CompactionFromMatching}_D\) takes an input size \(m = n \lt \frac{w}{\log w}\) runs in \(O(\lceil D/w\rceil \cdot n)\) time by Corollary 5.17.
—	Case II: Given that \(n \lt (\frac{w}{\log w})^2\), the subsequent \({\sf CompactionFromMatching}_{D\cdot p}\) takes input size \(m = \frac{n}{p} \lt \frac{w}{\log w}\). Hence, its running time is \(O(\lceil D\cdot p/w\rceil \cdot m) = (\lceil D/w\rceil \cdot n)\), as in Case III.
—	Case I: For arbitrary \(n\), the subsequent invocation of \({\sf CompactionFromMatching}_{D\cdot p^2}\), in Steps 3 and 4, takes an input size \(m = n / p^2\) and then \(m / 2\). By Corollary 5.17, in both cases, the procedure runs in time \(O(\lceil D \cdot p^2 / w\rceil \cdot m + m \cdot \log m) = O(\lceil D / w\rceil \cdot n + (n/p^2) \cdot \log n)\). Since Case I is the starting point of the algorithm, by the standard RAM model, we have that \(w = \Omega (\log n)\), which implies that \(n/p^2 = O(n / \log n)\) as \(p = w/\log w\). Thus, the total time is bounded by \(O(\lceil D / w\rceil \cdot n)\).

□

Plugging \({\sf LooseCompaction}_{2^{38}}\) into \({\sf SwapMisplaced}\), by Claim 5.4 and Theorem 5.19, we have the linear-time tight compaction claimed in Theorem 5.1.

5.3 Oblivious Distribution

In oblivious distribution, the input is an array \({\bf I}\) of \(n\) balls and a set \(A \subseteq [n]\) such that each ball in \({\bf I}\) is labeled as 0 or 1 and the number of 0-balls is equal to \(|A|\). The output is a permutation of \({\bf I}\) such that for each \(i \in [n]\), the \(i\)th location is a 0-ball if and only if \(i \in A\). By marking \({\sf red}, {\sf blue},\) or \(\bot\) correspondingly, \({\sf SwapMisplaced}\) achieves oblivious distribution as elaborated in Algorithm 5.20, where the set \(A\) is represented as an array of \(n\) indicators such that \(i \in A\) iff \(A[i] = 0\).

The correctness, security, and time complexity of \({\sf Distribution}\) follow directly from those of \({\sf SwapMisplaced}\), and this gives the following theorem.

6.1 Interspersing Two Arrays

We first describe a building block called \({\sf Intersperse}\) that allows us to randomly merge two randomly shuffled arrays. Informally, we would like to realize the following abstraction:

Looking ahead, we will invoke the procedure \({\sf Intersperse}\) with arrays \({\bf I}_0\) and \({\bf I}_1\) that are already randomly and independently shuffled (each with a hidden permutation). So, when we apply \({\sf Intersperse}\) on such arrays the output array \({\bf B}\) is guaranteed to be a random permutation of the array \({\bf I} ~{\sf :=}~ {\bf I}_0 \Vert {\bf I}_1\) in the eyes of an adversary.

The intersperse algorithm.. The idea is to first generate a random auxiliary array of 0’s and 1’s, denoted \({\sf Aux}\), such that the number of 0’s in the array is exactly \(n_0\) and the number of 1’s is exactly \(n_1\). This can be done obliviously by sequentially sampling each bit depending on the number of 0’s we sampled so far (see Algorithm 6.1). \({\sf Aux}\) is used to decide the following: if \({\sf Aux}[i]=0\), then the \(i\)th position in the output will pick up an element from \({\bf I}_0\), and otherwise, from \({\bf I}_1\).

Next, to obliviously route elements from \({\bf I}_0\) (and \({\bf I}_1\), respectively) to the \(i\)th position such that \({\sf Aux}[i]=0\) (and \({\sf Aux}[i]=1\), respectively), it is performed using the deterministic oblivious distribution given in Section 5.3—mark every element in \({\bf I}_0\) as 0-balls, mark every element in \({\bf I}_1\) as 1-balls, and then run \({\sf Distribution}\) (Algorithm 5.20) on the marked array \({\bf I}= {\bf I}_0 \Vert {\bf I}_1\) and the auxiliary array \({\sf Aux}\).

The formal description of the algorithm for interspersing two arrays is given in Algorithm 6.1. The functionality that it implements (assuming that the two input arrays are randomly shuffled) is given in Functionality 6.2 and the proof that the algorithm implements the functionality is given in Claim 6.3.

The proof of this claim is deferred to Appendix C.2.

6.2 Interspersing Multiple Arrays

We generalize the Intersperse algorithm to work with \(k\in \mathbb {N}\) arrays as input. The algorithm is called \({\sf Intersperse}^{(k)}\) and it implements the following abstraction:

As in the case of \(k=2\), we will invoke the procedure \({\sf Intersperse}^{(k)}\) with arrays \({\bf I}_1,\ldots ,{\bf I}_k\) that are already randomly and independently shuffled (with \(k\) hidden permutations). So, when we apply \({\sf Intersperse}^{(k)}\) on such arrays the output array \({\bf B}\) is guaranteed to be a random permutation of the array \({\bf I} ~{\sf :=}~ {\bf I}_1 \Vert \ldots \Vert {\bf I}_k\) in the eyes of an adversary.

The algorithm.. To intersperse \(k\) arrays \({\bf I}_1,\ldots ,{\bf I}_k\), we intersperse the first two arrays using \({\sf Intersperse}_{n_1+n_2}\), then intersperse the result with the third array, and so on. The precise description is given in Algorithm 6.4.

We prove that this algorithm obliviously implements a uniformly random shuffle.

The proof of this claim is deferred to Appendix C.2.

6.3 Interspersing Reals and Dummies

We describe a related algorithm, called \({\sf IntersperseRD}\), which will also serve as a useful building block. Here, the abstraction we implement is the following:

In other words, the real elements are randomly permuted, but there is no guarantee regarding their order in the array with respect to the dummy elements. In particular, the dummy elements can appear in arbitrary (known to the adversary) positions in the input, e.g., appear all in the front, all at the end, or appearing in all the odd positions. The output will be an array where all the real and dummy elements are randomly permuted, and the random permutation is hidden from the adversary.

The implementation of \({\sf IntersperseRD}\) is done by first running the deterministic tight compaction procedure on the input array such that all the real balls appear before the dummy ones. Next, we count the number of real elements in this array run the Intersperse procedure from Algorithm 6.1 on this array with the calculated sizes. The formal implementation appears as Algorithm 6.6.

We prove that this algorithm obliviously implements a uniformly random shuffle.

The proof of this claim is deferred to Appendix C.2.

6.4 Perfect Oblivious Random Permutation (Proof of Theorem 4.6)

Recall that an oblivious random permutation shuffles an input array of \(n\) elements using a secret permutation \(\pi :[n] \rightarrow [n]\) uniformly at random (Section 4.2). The following (perfect) oblivious random permutation, \({\sf PerfectORP}\), is constructed with a standard divide-and-conquer technique using \({\sf Intersperse}\) for merging.

We argue that \({\sf PerfectORP}\) runs in \(O(n\cdot \log n)\) time and permutes \({\bf I}\) uniformly at random. The time bound follows since \({\sf Intersperse}\) runs in \(O(n)\) time (Claim 6.3) and the recursion consists of 2 sub-problems, each of half the size. The fact that the permutation is uniformly random follows by induction and that \({\sf Intersperse}\) perfectly-obliviously implements \({{\mathcal {F}}_{\sf Shuffle}^{n}}\) (Claim 6.3).

8.1 Step 1 – Add Dummies and Shuffle

We are given a randomly shuffled array \({\bf I}\) of length \(n\) that contains real and dummy elements. In Algorithm 8.1, we pad the input array with dummies to match the size of the hash-table to be built. Each dummy will receive a unique index label, and we rely on packed oblivious random permutation to permute the labeled dummies. Finally, we rely on Intersperse on the real balls to make sure that all elements, including reals and dummies, are randomly shuffled.

More formally, the output of Algorithm 8.1 is an array of size \({n_{\sf cuckoo}}= {\sf c_{\sf cuckoo}}\cdot n + \log \lambda\), where \({\sf c_{\sf cuckoo}}\) is the constant required for Cuckoo hashing, which contains all the real elements from \({\bf I}\) and the rest are dummies. Furthermore, each dummy receives a distinct random index from \(\lbrace 1,\ldots ,{n_{\sf cuckoo}}- n_R\rbrace\), where \(n_R\) is the number of real elements in \({\bf I}\). Assuming that the real elements in \({\bf I}\) are a-priori uniformly shuffled, then the output array is randomly shuffled.

8.2 Step 2 – Evaluate Assignment with Metadata Only

We obliviously emulate the Cuckoo hashing procedure, but doing it directly on the input array is too expensive (as it incurs oblivious sorting inside) so we do it directly on metadata (which is short since there are few elements), and use the packed version of oblivious sort (Theorem 4.2). At the end of this step, every element in the input array should learn which bin (either in the main table or the stash) it is destined for. Recall that the Cuckoo hashing consists of a main table of \({\sf c_{\sf cuckoo}}\cdot n\) bins and a stash of \(\log \lambda\) bins.

Our input for this step is an array \({\bf MD}_{\bf X}\) of length \({n_{\sf cuckoo}}:= {\sf c_{\sf cuckoo}}\cdot n + \log \lambda\) which consists of pairs of bin choices \(({\sf choice}_1, {\sf choice}_2)\), where each choice is an element from \([{\sf c_{\sf cuckoo}}\cdot n] \cup \lbrace \bot \rbrace\). The real elements have choices in \([{\sf c_{\sf cuckoo}}\cdot n]\) while the dummies have \(\bot\). This array corresponds to the bin choices of the original elements in \({\bf X}\) (using a PRF) which is the original array \({\bf I}\) after adding enough dummies and randomly shuffling that array.

To compute the bin assignments we start with obliviously assigning the bin choices of the real elements in \({\bf MD}_{\bf X}\). Next, we obliviously assign the remaining dummy elements to the remaining available locations. We do so by a sequence of oblivious sort algorithms. See Algorithm 8.3.

8.3 SmallHT Construction

The full description of the construction is given next. It invokes Algorithms 8.1 and 8.3.

We prove that our construction obliviously implements Functionality 4.7 for every sequence of instructions with non-recurrent lookups between two \({\sf Build}\) operations, assuming that the input array for \({\sf Build}\) is randomly shuffled.

8.4 CombHT: Combining BigHT with SmallHT

We use \({\sf SmallHT}\) in place of \({{\sf naïveHT}}\) for each of the major bins in the \({\sf BigHT}\) construction from Section 7. Since the load in the major bin in the hash table BigHT construction is indeed \(n=\log ^{9}\lambda\), this modification is valid. Note that we still assume that the number of elements in the input to \({\sf CombHT}\), is at least \(\log ^{11} \lambda\) (as in Theorem 7.2).

However, we make one additional modification that will be useful for us later in the construction of the ORAM scheme (Section 9). Recall that each instance of \({\sf SmallHT}\) has a stash \({\sf S}\) of size \(O(\log \lambda)\) and so \({\sf Lookup}\) will require, not only searching an element in the (super-constant size) stash \({\sf OF}_{\sf S}\) of the overflow pile from \({\sf BigHT}\), but also linearly scanning the super-constant size stash of the corresponding major bin. To this end, we merge the different stashes of the major bins and store the merged list in an oblivious Cuckoo hash (Section 4.5). (A similar idea has also been applied in several prior works [15, 33, 35, 40].) This results in a new hash table scheme we call \({\sf CombHT}\).

If we use the earlier Corollary 7.3 to instantiate the \({\sf BigHT}\), we can generalize the above theorem to the following corollary: