Oblivious RAM : from theory to practice
Author(s)
Fletcher, Christopher W. (Christopher Wardlaw)
DownloadFull printable version (14.12Mb)
Other Contributors
Massachusetts Institute of Technology. Department of Electrical Engineering and Computer Science.
Advisor
Srinivas Devadas.
Terms of use
Metadata
Show full item recordAbstract
Privacy of data storage has long been a central problem in computer security, having direct implications for many Internet-era applications such as storage/computation outsourcing and the Internet of Things (IoT). Yet, the prevailing way we protect our data - through encryption techniques - doesn't protect where we read or write in our data. This additional information, the access pattern, can be used to reverse-engineer proprietary programs as they run, reveal a user's physical location or health information, and more, even if data is correctly encrypted. This thesis studies a cryptographic primitive called Oblivious RAM (ORAM) which provably hides a client's access pattern as seen by untrusted storage. While ORAM is very compelling from a privacy standpoint, it incurs a large performance overhead. In particular, ORAM schemes require the client to continuously shuffle its data in untrusted storage. Early work on ORAM proves that this operation must incur a client-storage bandwidth blowup that is logarithmic in the dataset size, which can translate to > 100x in practice. We address this challenge by developing new tools for constructing ORAMs that allow us to achieve constant bandwidth blowup while requiring only small client storage. A reoccurring theme is to grant untrusted storage the ability to perform untrusted computation on behalf of the client, thereby circumventing lower bound results from prior work. Using these tools, we construct a new ORAM called Ring ORAM, the first small client storage ORAM to achieve constant online bandwidth blowup. At the same time, Ring ORAM matches or improves upon the overall bandwidth of all prior ORAM schemes (given equal client storage), up to constant factors. Next, we more heavily exploit computation at the storage to construct Onion ORAM, the first scheme with constant worst-case and overall bandwidth blowup that does not require heavy weight cryptographic primitives such as fully homomorphic encryption (FHE). Instead, Onion ORAM relies on more efficient additively or somewhat homomorphic encryption schemes. Finally, we demonstrate a working ORAM prototype, built into hardware and taped-out in 32 nm silicon. We have deployed the design as the on-chip memory controller for a 25 core processor. This proves the viability of a single-chip secure processor that can prevent software IP or data theft through a program's access pattern to main memory (having applications to computation outsourcing and IoT). From a technical perspective, this work represents the first ORAM client built into silicon and the first hardware ORAM with small client storage, integrity verification, or encryption units. We propose a number of additional optimizations to improve performance in the hardware setting.
Description
Thesis: Ph. D., Massachusetts Institute of Technology, Department of Electrical Engineering and Computer Science, 2016. Cataloged from PDF version of thesis. Includes bibliographical references (pages 117-122).
Date issued
2016Department
Massachusetts Institute of Technology. Department of Electrical Engineering and Computer SciencePublisher
Massachusetts Institute of Technology
Keywords
Electrical Engineering and Computer Science.