1

Oblivious RAM: A Review

Name

Course
Professor
Date
 2

Abstract

Remote storage and data access are increasing trends in the computing industry.

However, this remote access and storage bring in a plethora of issues regarding the privacy and

security of the stored data. Data encryption is one of the main solutions to this issue. However,

while encryption is effective in securing the stored data, there remain loopholes that adversaries

can manipulate to get access to other confidential details and information. This is mostly through

the recorded access flow and pattern of users. To solve this issue, Oblivious RAM technology is

introduced to conceal and protect any information that can be deduced from access logs and

patterns. ORAM technology, therefore, hides the instructions or operations carried out on a piece

of data and shuffles the access details hiding information on when or how often data was

accessed. This, therefore, accompanied by encryption ensures that remote data storage and

access are secured as best as they can be from unauthorized access. This paper will take a deeper

look into Oblivious RAMs.

Keywords: Oblivious RAM, ORAM, Encryption, Path ORAM, Server, Client

 3

Contents
Abstract......................................................................................................................................................2
Introduction...............................................................................................................................................3
Background Research...............................................................................................................................4
History of ORAMs.....................................................................................................................................5
Path ORAM...........................................................................................................................................6
Ring ORAM...........................................................................................................................................8
Literature Review......................................................................................................................................8
Conclusion................................................................................................................................................10
References................................................................................................................................................11
 4

Introduction

Cloud computing is one of the many rising trends in the ICT industry. An ever-increasing

number of companies, as well as individuals, are opting for the cloud as the platform of choice

for their IT and data infrastructure needs. Some of these cloud services are availed by service

providers such as Microsoft Azure and Amazon cloud among others (Chang et al., 2016).

However, as efficient as cloud services are, they are plagued with several demerits. One of them,

probably the most significant is the security of the data. This is because cloud technology

increases the instances in which data can be stolen or tampered with. Data can be stolen in the

local storage infrastructures (storage servers), during transit (uploading or downloading), or at

the internet-server boundary.

There are several ways to solve this issue of data theft, loss, and an interception in

outsourced storage and computation services. However, the most natural and common starting

point to solve the issue is through encryption (Fletcher, 2016). Encryption converts the data in

question into a code thus preventing unauthorized access. A common and efficient type of

encryption in this scenario would be client-side encryption. Here, encryption defines two parties,

the untrusted storage server and the client who is trusted. Therefore, data stored in the server, can

not be decrypted by the server or any other users without the necessary decryption key.

However, while encryption does protect the data, it fails spectacularly in protecting other aspects

involved in the access of the data. Therefore, the access pattern is vulnerable, and can effectively

be used by outsiders to retrieve secret information.

Therefore, to protect the data that can be retrieved from exposed access patterns,

Oblivious RAMs (ORAMs) are used. An Oblivious RAM (ORAM) is an interface between the

physical RAM (client) and the program (servers in cases of outsourced storage). With ORAM,
 5

read and write operations are carried out simultaneously, therefore, hiding information on

whether the client or user was reading or writing. The ORAM is also responsible for shuffling

the access details often and randomly. This ensures that adversaries cannot know how often or

frequently you accessed data. Therefore, the ORAM efficiently protects the data as well as its

access patterns.

Background Research

According to Chang et al. (2016), ORAMs were proposed by Goldreich and Ostrovsky.

According to them, their key motivation was to protect software from unauthorized parties who

can observe the memory access patterns of a user. Essentially, Oblivious Random Access

Machines (ORAMs) are compilers. This is in that they turn any program into another program

maintaining its functionality completely but in a way that the access patterns of the ‘new’

program are viewed as independent from the original one (Gagliardoni, 2020). Therefore,

ORAM acts as more of a simulator that the user or client (CPU) views as a memory interface.

The workflow of an ORAM scheme generally looks like the following. First, given the

location or index of a data subset in a remote database, access the subset or the location where it

is stored. The second step is downloading the given data to the location (Gagliardoni, 2020).

Decrypt the download and perform the desired operations on the data (read or write). The fourth

step is shuffling of the elements in the data subset operated on. The CPU on the client end will

keep track of the element positions using an internal state. The fifth step s re-encrypting the data

using the same key and code as before then re-upload the new data subset (Gagliardoni, 2020).
 6

History of ORAMs

This chapter will discuss the history of ORAMs. The aim here is to delineate the

evolution of ORAMs by describing the three main schemes that have been in use over the years.

This was the first ORAM scheme, initiated in 1987 by Goldreich. He aimed to address

software IP theft which was increasingly becoming an issue. This scheme works by dividing the

server memory into two regions. The main O(N) block region and a shelter with the size O(√N)

blocks. The main region consists of O(N) real blocks and O(√N) dummy blocks and all blocks

are encrypted similarly and shuffled together. The permutations of how the blocks are shuffled

and stored are dependent on the implementation. This ORAM scheme uses hash functions or

random oracles followed by an oblivious sort.

The second scheme is the 1996 Hierarchical ORAM. It was proposed by both Goldreich

and Ostrovsky to improve the bandwidth of the previous square root algorithm. This scheme

changes the memory and shelter approach by organizing the server as a pyramid. In the said

pyramid, the arrays are permuted geometrically (i.e., by a given factor). Therefore, compared to

the square root ORAM, each permuted array acts as the main region. This means that it is

parameterized by a hash function and has space set aside for dummy blocks.

The third scheme is the Binary-Tree ORAM, proposed by Shi et al. (2011). This scheme

was developed to reduce the worst-case bandwidth cost brought on by the hierarchical ORAM.

The bandwidth was intended to be reduced to 0(polylogN) blocks. The building block behind

tree ORAM is that instead of blocks having the freedom to be reshuffled into any level of the

pyramid, they will only live in a single predetermined bucket per level. To achieve this, the said

predetermined buckets are connected as if they are binary tree nodes and associated with each of
 7

the blocks to a randomly assigned path of buckets. Below is a description of some popular and

effective ORAM schemes.

Path ORAM

Path ORAM is a novel ORAM algorithm that was proposed by Stefanov et al. (2012).

After its development and introduction in the market, Path ORAM became the most practical

ORAM construction for small client storage and use. As an optimized binary-tree ORAM

scheme, path ORAM stores data in a binary tree structure. Each node (bucket) in the scheme

contains a fixed amount of encrypted database blocks.

A key that is kept on the client (let’s call them C) is used to encrypt each block using a

semantically safe symmetric-key encryption technique. From C’s perspective, a data request in

this scheme comes as a tuple (op, id, data). Op refers to a read or a write instruction. The Id is the

database location identifier in the server. Data refers to the output dependent on the op

instruction. A position map, which is a table that links each database location id to a tree leaf

identifier, is also kept locally by the client.

Following the execution of a data request, C searches the position map for the leaf

identifier that corresponds to the block identifier and sends this leaf identifier to the server (let’s

call it S). The identifier, therefore, uniquely pinpoints the leaf in the binary tree and consequently

the entire branch. The identified branch is therefore submitted by S to client C for decryption (if

they have the key). A location identifier and a data chunk are the two components of an

encrypted database block. Except for a specifically specified position identifier (let's say 0),

which indicates an "empty" or "unassigned" block, there cannot be two identical position

identifiers in the entire decrypted database.

 8

Shuffling in the path ORAM scheme is also unique and follows the order of operations

described below. First, the positional mapping guarantees that the desired block is in the branch

transmitted by S (Gagliardoni, 2020). All empty blocks are left untouched and thus not shuffled.

Next, any non-empty block is exchanged for the empty block that is now the branch's furthest

from the root, provided that both of the block's leaf paths overlap the branch. This is repeated for

all blocks. When the desired block is found, it is assigned a new random value as its identifier. If

no vacant blocks are discovered, C temporarily stores the shuffled block locally in an "overflow

stash" and replaces it with a fresh empty block. It can be demonstrated that the size of this

stockpile increases, on average, extremely slowly, allowing C to store it effectively (Gagliardoni,

2020). Try to reassign blocks temporarily kept in the stash to freshly created empty blocks in the

branch after all the blocks have been handled in this manner in order to flush the stash. The

entire branch is then re-encrypted and posted to S once more.

According to Stefanov et al. (2012), Path ORAM presents simplicity and practical

efficiency. They did, however, state that its simplicity could not be quantified. Despite this,

Stefanov et al. (2012) did prove how efficient the scheme was stating that it achieved asymptotic

efficiency. For a reasonably large block size (e.g., 4KB blocks), to gain access to a single logical

block, client C, will require O (log N) physical blocks in order to effectively hide the access

patterns from the storage server. This provides efficiency in that the failure probability is

negligible (Stefanov et al., 2018).

Ring ORAM

Using new insights and techniques, an improved version of the path ORAM known as the

Ring ORAM was proposed in 2015. This scheme achieves up to 4 times better bandwidth
 9

compared to path ORAM and allows for tuning of the local client memory dependent on the

scenario it is being used in.

With Ring ORAM, the bandwidth is increased by separating it from the bucket size,

therefore, making it independent. Unlike in Path ORAM where all blocks will be accessed and

read or written, in Ring ORAM only one block is acted upon (Thoresen, 2019). Ring ORAM

also employs a superior eviction method. This method relies on doing evictions on paths in

lexicographical order rather than the path that has been accessed most recently. This disperses

eviction paths across the tree more uniformly. Evictions can therefore occur less frequently while

still having a low failure probability (Thoresen, 2019).

Literature Review

Oblivious Random-Access Machine, ORAM, refers to the technology and the technique

used to anonymize the access flow and patterns between a trusted component, client, and

untrusted storage facility or device. This technology has been around for a while since its

conception by Goldreich and Ostrovsky. ORAMs have undergone immense changes and

development over the years and the work is still being done. Here, we will discuss some research

that has been carried out on ORAMs by various parties aiming to achieve various results.

ORAMs provide very much-needed data privacy and confidentiality. However, this

privacy comes at a cost in terms of increased overhead in communication, computation, and

storage in a system. Pinkas & Reinman (2010), try t solve the overhead issue that Oblivious

ORAMs bring about. They base their solution on the Goldreich-Ostrovsky hierarchical solution.

They use components such as randomized shell sort, cuckoo hashing, and pseudo-random

permutation as building blocks for their protocol. By optimizing several processes such as
 10

reshuffling and sorting, the results showed that they reduced overhead in the hierarchical scheme

to about 37% which saved about 65%. Although conducted as far back as 2010, this experiment

was effective in that it helped change how ORAM development is viewed and approached.

Rajat et al. (2022) present the Look Ahead ORAM (LAORAM) a framework that is

designed specifically to protect the user’s privacy and data during embedding table training.

LAORAM takes advantage of the special quality of training, which is the knowledge of the

future training samples. In order to determine the memory blocks that will likely be accessed

jointly in the near future, LAORAM preprocesses the training samples (securely without

disclosing the entry values). In the PathORAM infrastructure, the system aims to assign these

blocks to as few paths as feasible. By combining several blocks that are accessed collectively as

superblocks, LAORAM performs this function. This significantly lowers the number of reads

and writes the framework needs to perform to satisfy future accesses to a set of blocks.

LAORAM according to Rajat et al. (2022) is an improvement on an efficient protocol such as

path ORAM. This is evident in that it provides up to 5 times better performance.

Chang et al. (2016) identify an issue with ORAMs stating that despite there being a

plethora of ORAM schemes and protocols, they have never been compared and tested along

large databases. Therefore, a study is carried out to provide a thorough investigation of several

practical ORAM constructions and protocols. The study provides insight into the performance

characteristics of these ORAM constructions comparing their efficiency, cost, and scalability

(Chang et al., 2016). The study was a successful one and the author’s identified Path ORAM and

TP ORAM as the best constructions in terms of performance. The study also shows that while

Basic-SR and Basic-HR are poor performance, they make up for it in that their storage overhead

is reduced only requiring O (1) client storage. The authors also provide a prediction in that IBS-
 11

SR, TP-ORAM, and Path-ORAM will be the most used protocols before new ones are launched.

This study provides great insight into the working of various ORAM schemes and protocols.

This was a much-needed literary work as it offers a comparison of the various characteristics of

ORAMs.

Conclusion

This paper provides a general but detailed view of ORAM technology. With the ever-

increasing threats to the security of the user data, there is no doubt that Oblivious RAMs provide

the best solution to the issue in terms of remote data access and storage. However, it is not a

perfect solution and with development being made even by hackers and other malicious parties,

ORAM technology needs to evolve too to keep up to date. From the paper, we have seen how

developments have been made over the years which need to go. More research needs to be done

in the field on how to optimize the available ORAM algorithms and protocols as well as develop

new and better ones.

 12

References

Chang, Z., Xie, D., & Li, F. (2016). Oblivious Ram. Proceedings of the VLDB Endowment,

9(12), 1113–1124. https://doi.org/10.14778/2994509.2994528

Fletcher, C. W. (2016). Oblivious ram: From theory to practice. MASSACHUSETTS

INSTITUTE OF TECHNOLOGY.

Gagliardoni, T. (2020, April 21). An introduction to oblivious RAM (oram). Kudelski Security

Research. Retrieved August 21, 2022, from

https://research.kudelskisecurity.com/2020/04/22/an-introduction-to-oblivious-ram-oram/

Pinkas, B., & Reinman, T. (2010). Oblivious ram revisited. Advances in Cryptology –

CRYPTO 2010, 502–519. https://doi.org/10.1007/978-3-642-14623-7_27

Rajat, R., Wang, Y., & Annavaram, M. (2022). LAORAM: A Look Ahead ORAM

Architecture for Training Large Embedding Tables, 1–12.

Shi, E., Chan, T.-H., Stefanov, E., & Li, M. (2011). Oblivious Ram with O((logN)3) worst-

case cost. Lecture Notes in Computer Science, 197–214. https://doi.org/10.1007/978-3-

642-25385-0_11

Stefanov, E., Dijk, M. V., Shi, E., Chan, T.-H. H., Fletcher, C., Ren, L., Yu, X., & Devadas,

S. (2018). Path Oram. Journal of the ACM, 65(4), 1–26. https://doi.org/10.1145/3177872

Thoresen, O. S. (2019). Oblivious Ram in practice. Norwegian University of Science and

Technology.