
[Paper Review] CacheShuffle: A Family of Oblivious Shuffles

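Sarvar Patel, Giuseppe Persiano | arXiv (Cornell University) | May 19, 2017
Cryptography and Data Security | References: 19 | Cited by: 2
One-Sentence Summary

This paper presents CacheShuffle, a family of oblivious shuffling algorithms that minimize bandwidth overhead while preserving security against an adversary who may learn the access pattern of up to K blocks. By using client-side caching and polynomial interpolation, the proposed KCacheShuffle algorithm achieves optimal bandwidth usage of 2N + f(K) blocks, where f(K) depends only on K, a significant improvement over prior work, especially in practical ORAM constructions that include dummy blocks.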

ABSTRACT

We consider Oblivious Shuffling and K-Oblivious Shuffling, a refinement thereof. We provide efficient algorithms for both and discuss their application to the design of Oblivious RAM. The task of K-Oblivious Shuffling is to obliviously shuffle N encrypted blocks that have been randomly allocated on the server in such a way that an adversary learns nothing about the new allocation of blocks. The security guarantee should hold also with respect to an adversary that has learned the initial position of K touched blocks out of the N blocks. The classical notion of Oblivious Shuffling is obtained for K = N. We present a family of algorithms for Oblivious Shuffling. Our first construction, CacheShuffleRoot, is tailored for clients with $O(\sqrt{N})$ blocks of memory and uses $(4+ε)N$ blocks of bandwidth, for every $ε > 0$. CacheShuffleRoot is a 4.5x improvement over previous best known results on practical sizes of N. We also present CacheShuffle that obliviously shuffles using O(S) blocks of client memory with $O(N\log_S N)$ blocks of bandwidth. We then turn to K-Oblivious Shuffling and give algorithms that require 2N + f(K) blocks of bandwidth, for some function f. That is, any extra bandwidth above the 2N lower bound depends solely on K. We present KCacheShuffleBasic that uses O(K) client storage and exactly 2N blocks of bandwidth. For smaller client storage requirements, we show KCacheShuffle, which uses O(S) client storage and requires $2N+(1+ε)O(K\log_S K)$ blocks of bandwidth. Finally, we consider the case in which, in addition to the N blocks, the server stores D dummy blocks whose content is irrelevant but still their positions must be hidden by the shuffling. For this case, we design algorithm KCacheShuffleDummy that, for N + D blocks and K touched blocks, uses O(K) client storage and $D+(2+ε)N$ blocks of bandwidth.

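Motivation and Objectives

  • Design efficient oblivious shuffling algorithms to hide access patterns in remote storage systems.
  • Address the K-Oblivious Shuffling problem, in which the adversary may know the initial positions of K touched blocks but cannot infer their new positions.
  • Reduce the bandwidth overhead of Oblivious RAM (ORAM) constructions, especially when dummy blocks are present.
  • Improve the performance of practical ORAM by minimizing the hidden constants in bandwidth and client storage requirements.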

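Proposed Methods

  • Proposes CacheShuffleRoot, a shuffling algorithm that uses O(√N) client memory and (4 + ϵ)N bandwidth, with negligible failure probability.
  • Introduces RSpray as a primitive for distributing blocks into client memory, to achieve efficient shuffling with O(S) client storage.
  • Designs KCacheShuffleBasic, which uses O(K) client storage and consumes exactly 2N bandwidth while ensuring K-obliviousness.
  • Develops KCacheShuffle for smaller client storage (O(S)), with a bandwidth requirement of 2N + (1 + ϵ)O(K log_S K), where ϵ contributes additional overhead.
  • Proposes KCacheShuffleDummy to handle N + D blocks (including D dummy blocks), using O(K) storage and D + (2 + ϵ)N bandwidth.
  • Uses polynomial interpolation to securely hide the positions of dummy blocks during shuffling.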

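Experimental Results

Research Questions

  • RQ1: Can oblivious shuffling achieve a bandwidth overhead close to the theoretical lower bound of 2N blocks even when K > 1?
  • RQ2: How can client storage in K-Oblivious Shuffling be minimized while maintaining security and low bandwidth?
  • RQ3: Can the presence of dummy blocks be handled efficiently without bandwidth exceeding a small additive term?
  • RQ4: What practical performance gains do the new algorithms deliver over prior constructions such as MelbourneShuffle in real-world ORAM workloads?
  • RQ5: How do the hidden constants in bandwidth and client memory behave at practical data sizes?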

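Key Findings

  • CacheShuffleRoot reduces bandwidth to (4 + ϵ)N blocks, a 4.5x improvement at practical values of N over MelbourneShuffle's (10 + c)N bandwidth.
  • KCacheShuffleBasic uses exactly 2N bandwidth and O(K) client storage, a 9x improvement over MelbourneShuffle when K = N.
  • KCacheShuffleDummy needs only D + (2 + ϵ)N bandwidth for N + D blocks (including D dummy blocks), where ϵ is very small at practical data sizes.
  • Experiments show that ϵ < 1 suffices for CacheShuffleRoot, whereas MelbourneShuffle requires c ≥ 8, confirming a 4x bandwidth advantage.
  • The maximum size of the client cache in CacheShuffleRoot stabilizes quickly across trials and decreases exponentially as ϵ grows.
  • Bandwidth savings are especially pronounced in ORAM scenarios with dummy blocks, where KCacheShuffleDummy reduces overhead by more than 5x compared with prior constructions.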


This review was generated by AI and reviewed by human editors.