Hi, I'm Alex Hoover, and I'm presenting my work with David Cash and Andrew Drucker, titled "A Lower Bound for One-Round Oblivious RAM." The setting we're concerned with is called outsourced array storage. This is where a client is storing some, potentially encrypted, data on a server, and they're concerned about an adversary sitting on the server and watching them access the encrypted data. The adversary could glean some information about what the client is running, or mount some side-channel attack, so the client wants to obscure this access pattern. The primitive that does this in the most general setting is oblivious RAM (ORAM), introduced by Goldreich and Ostrovsky. An ORAM is basically a middle layer: the client issues virtual array requests to the ORAM, which then issues physical read and write requests to the server, and these physical reads and writes should be essentially independent of what the client is running on their local machine. We'll formalize later what it means to be secure.

I'll start off by giving a couple of really simple ORAMs. The first is what I call a read-all ORAM: on every operation, the ORAM downloads the entire server and returns whatever the client requested. The adversary in this setting has no idea what the client is running, because every single operation does exactly the same thing, and the client can always get whatever data it requested because the ORAM accesses literally everything. We say this scheme has high overhead because it downloads so much on every operation. Another, which has very low overhead, is a local-storage scheme, where the ORAM just keeps the entire virtual array locally and never interacts with any server. An adversary on the server obviously won't be able to tell what the client is running, since everything happens between the client and the ORAM. The downside is that it has really high local storage, or state, even though it has zero overhead.

The first non-trivial ORAM, introduced in the original ORAM paper, is the square-root ORAM, which has √n state and √n amortized overhead. It works as follows. Whenever we request a new data item, say we want to read red and it's located on the server, we go to where red is, grab it, and keep it in our local storage. Then we want to read blue, so we go and grab blue; then we read black and grab black. Now, if we want to read or write blue again, the way we make it oblivious is that we go and grab a dummy cell, and we update blue locally in our storage. If we then want red, since we already have red downloaded, we go and grab a dummy cell; if we want red again, we grab a different dummy cell, and it's important that it's different. So what this ORAM is doing is grabbing, on every single operation, one fresh cell that it hasn't previously accessed. Once our local storage fills up, after √n operations, we dump it all back onto the server under a new random permutation, randomly placing all the dummies and all the data, and restart the protocol.
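To make that concrete, here's a minimal Python sketch of the access pattern just described. It's illustrative only: encryption is omitted, the class and method names are my own, and the write-back is done in one shot rather than with the oblivious shuffle a real implementation would need.

```python
import math
import random

class SqrtORAM:
    """Sketch of the square-root ORAM access pattern (illustrative names;
    encryption and oblivious shuffling are omitted)."""

    def __init__(self, data):
        self.n = len(data)
        self.epoch = math.isqrt(self.n)   # sqrt(n) operations per epoch
        self.values = list(data)          # ball contents
        self.shelter = {}                 # local state: index -> value
        self._reshuffle()

    def _reshuffle(self):
        # Lay out n data balls plus sqrt(n) dummies under a fresh random
        # permutation of the physical cells.
        labels = [("data", i) for i in range(self.n)]
        labels += [("dummy", j) for j in range(self.epoch)]
        random.shuffle(labels)
        self.pos = {lab: cell for cell, lab in enumerate(labels)}
        self.next_dummy = 0
        self.ops = 0

    def access(self, i, new_val=None):
        if i in self.shelter:
            # Already held locally: touch a *fresh* dummy cell so the server
            # still sees exactly one never-before-read cell.
            phys = self.pos[("dummy", self.next_dummy)]
            self.next_dummy += 1
        else:
            # First touch: read the item's real cell into the shelter.
            phys = self.pos[("data", i)]
            self.shelter[i] = self.values[i]
        print(f"physical read of cell {phys}")    # what the adversary sees
        if new_val is not None:
            self.shelter[i] = new_val             # writes happen locally
        result = self.shelter[i]
        self.ops += 1
        if self.ops == self.epoch:                # shelter full: dump back
            for j, v in self.shelter.items():
                self.values[j] = v
            self.shelter = {}
            self._reshuffle()
        return result
```

Since every operation reads exactly one never-before-touched, uniformly placed cell, the accesses within an epoch reveal nothing about which virtual items were requested.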
It's also worth noting that this is not the original way Goldreich and Ostrovsky proposed it. They took this √n state and basically pushed it onto the server, downloading it every time before doing a single access. That introduces overhead of √n per operation, which is just a constant factor in the amortized overhead. This kind of outsourcing is done in many ORAM schemes, which is why in this table you can see that pretty much everything has constant storage: their storage would be less than their overhead, so they just push it onto the server and grab it right before they run the protocol. The table details some of the work that's been going on in ORAM constructions. It's by no means the entire list, but it shows how the overhead has been pushed all the way down to log n, which is optimal. But it's also there to point out that all of these constructions, the log² n, log³ n, and log n ones, use log n rounds. They require adaptivity: going to the server, grabbing something, then going and grabbing something different, as part of their constructions.

So what we want to look at is the study of round complexity in ORAM: how well can you do with restricted rounds? Specifically, we're curious about one round. Now there isn't even time for the ORAM to go stash its state on the server; it has to keep its state local and then pay the usual overhead. What we prove, in one of our results, is that there's some inherent trade-off between rounds, bandwidth, and state, rather than just bandwidth and state. Specifically, we prove a bandwidth-memory trade-off for one-round balls-and-bins ORAM; I'll say exactly what we mean by "one round" and "balls and bins" later. This result is also tight up to logarithmic factors: the Goldreich-Ostrovsky construction is actually optimal in this sense. And we extend the result to multi-round ORAM with matching constructions, although there our lower bound requires a somewhat artificial constraint on the ORAM.

Let's jump into some preliminaries for the talk. What really is an ORAM? I'll define some of the syntax and notation here. We have a client issuing virtual read and write requests to an ORAM, a keyed protocol that goes and issues physical requests, which I'll denote with a little hat, to a server; it may download, read, and write a little, and then return the requested items to the client. We also have a security game, the obliviousness game, to define security for an ORAM. The way it works is pretty standard: an adversary submits two operation sequences; we run one of them at random and give the adversary the physical operations we performed, also known as the access pattern; the adversary then has to try to distinguish which operation sequence we ran. For this talk, we define its advantage as how much better it can do than random guessing.

Okay, now state and overhead. What do I really mean when I say state? It's the amount of data an ORAM can hold locally; you can think of it as the number of cells the ORAM has downloaded locally, and the exact formalization isn't too important for this talk. Overhead, here also called worst-case overhead, is an upper bound on the number of physical reads and writes per operation. We also have results for amortized overhead, which is an upper bound on the average number of reads and writes per operation.
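As a reference point for those definitions, here's a small Python sketch of one run of the obliviousness game. The interface names (`choose_sequences`, `run`, `distinguish`) are hypothetical, just to pin down who sends what to whom.

```python
import random

def obliviousness_game(adversary, make_oram):
    """One run of the obliviousness game sketched above (hypothetical
    interface). The adversary's advantage is its success probability over
    many independent runs, minus the 1/2 from random guessing."""
    seq0, seq1 = adversary.choose_sequences()  # two operation sequences
    b = random.randrange(2)                    # challenger's secret bit
    oram = make_oram()
    access_pattern = []
    for op in (seq0, seq1)[b]:
        # Each virtual operation yields the physical reads and writes
        # that the adversary gets to observe.
        access_pattern.extend(oram.run(op))
    return adversary.distinguish(access_pattern) == b
```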
Now, what do we really mean when we say a one-round ORAM scheme? The way we formalize this, here and in the paper, is that on every operation the ORAM receives, it is allowed to issue one parallel batch of physical reads; it gets the results back from the server, and then it can issue one parallel batch of physical writes. This is kind of pseudo-two-round, but restricting the ORAM to issue its reads and writes at the same time would only weaken the result, and since we can prove our bounds in this more generous setting, this is what we go with.

And what do I mean by balls and bins? This is a common model; it's the model the original lower bound by Goldreich and Ostrovsky was proved in. What we mean is that the data items written to the ORAM are immutable, opaque balls: the ORAM just has to take each ball and place it somewhere on the server. You can imagine it applying some randomized encryption, but it can't chop the data up or encode it in any way; each item is a single ball. The way to really think about it, and you can think about it this way for the talk, is that the physical read and write operations just pick up balls and move them between cells on the server, or between the server and the ORAM's state. Each ball goes in one cell on the server, and a cell can hold at most one ball.

Okay, so now a quick recap of previous lower bounds in this line of work. The original, as I mentioned, is Goldreich-Ostrovsky, who proved that statistically secure balls-and-bins ORAM needs log n amortized overhead. Boyle and Naor pointed out some issues with Goldreich-Ostrovsky: they pointed out the statistical security assumption, and that balls and bins doesn't capture everything you could potentially do with an ORAM, in a paper where they reduce an offline ORAM bound to a sorting lower bound. Two years later, Larsen and Nielsen basically answered the questions Boyle and Naor raised, proving that ORAM in general, against computational adversaries, requires log n amortized overhead. And this was extended a year later to a setting with a slightly weaker adversary. The last lower bound I'll point out is an oblivious-RAM lower bound that isn't exactly our setting, but it's the closest thing we're aware of that proves a lower bound with respect to something like rounds; in that case it's depth, which is not the exact same thing, but it's worth mentioning.

Okay, so here is an informal statement of a variant of our main theorem: any one-round balls-and-bins ORAM with r cells of state and amortized overhead p must have p · r at least n / log n, up to constant factors. This theorem proves the optimality, up to log factors, of the Goldreich-Ostrovsky construction. But we won't be focused on this theorem exactly; today I'm just going to talk about counter-only ORAM, which is another notion we introduce in the paper. This is an ORAM where we take away as much of its state as possible before it becomes trivial to bound. What do I mean by that? We take the r cells of state, and instead of giving the ORAM any meaningful state at all, we replace it with a single program counter. So all the ORAM knows is its key and its program counter: how many virtual operations have been run so far. Under this restriction our proof remains similar, and we still get to show off one of the cool techniques from the main theorem, but it's much simpler to argue and to think about.
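The counter-only restriction is easiest to see as code. In a one-round scheme the read batch must be computed before anything comes back from the server, so for a counter-only ORAM it is a fixed function of the key, the counter, and the operation alone. Below is a hypothetical read rule of my own, using a hash where a real scheme would use some PRF; nothing about it comes from the paper beyond the history-independence it illustrates.

```python
import hashlib

def read_set(key: bytes, counter: int, op: str, p: int, num_cells: int):
    """Hypothetical counter-only read rule: the p cells read depend only on
    (key, counter, op). Any two histories of the same length therefore lead
    to identical read batches, which is the history-independence property
    used later in Lemma 4."""
    cells = []
    for j in range(p):
        h = hashlib.sha256(key + counter.to_bytes(8, "big")
                           + op.encode() + bytes([j])).digest()
        cells.append(int.from_bytes(h, "big") % num_cells)
    return cells
```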
And we'll also just consider worst-case overhead, since amortized overhead just requires an extra gadget. Okay, so here's the theorem I'm going to try to prove to you today: any one-round, counter-only, balls-and-bins ORAM that is perfectly secure must have worst-case overhead p ≥ 0.1 √n. So here we've ignored the state, replaced it with just the counter, and we still get this √n bound.

Okay, so how do we prove it? First off, it's by contradiction. We assume there's a perfectly secure ORAM with small overhead, and we give an adversary that provably has high advantage. Basically, this adversary is going to force some physical cell to be accessed twice in one of the two operation sequences it submits, and with high probability this overlap won't occur in the other. We have to be a little careful about exactly what kind of overlap we're targeting to get the theorem to work out.

So here's the adversary. It's a lot of code, but the main thing to focus on is the operation sequences it submits; they're actually exactly the same up until the very final, starred read (a code sketch of the two sequences follows below). There's an initialization phase, where it writes a bunch of balls, and then there are T = √n random reads, each one uniform and independent. At the very end, operation sequence 0 reads something we previously read in one of the random reads, while operation sequence 1 reads something fresh, uniformly at random, independent of the index t we chose. Then we look to see whether there's an overlap on a cell that was freshly accessed; I'll go into more detail, with a graphic, explaining the distinguishing rule the adversary uses.

First, the initialization. This is just to give us some notation and variables to work with. After the writes, each ball is distinct and unique, and the ORAM has no state, so it can't hold any of the balls; that means after the writes, every single ball is located in a single physical cell on the server. Our target ball, the one requested by read t, we call b*, and we call its initial location after these writes q*. The ball may move around during later operations, but its initial location is q*, and it's the same in both sequences. This is the overlap we're going to work toward: we'll prove that q* is freshly accessed for the first time at read t (in this example, read 3), and then we'll prove that q* is accessed again at the very end, in the (T+1)-st read, read*. The graphic is just showing the server cells; these little sets are the physical server cells (there's no reason they have to be contiguous, it's just more convenient to draw), and these are the different read operations. The write operations are more or less unimportant for the attack.
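Here's a compact Python sketch of those two operation sequences, with illustrative names of my own; the distinguishing rule is the one described above.

```python
import math
import random

def build_sequences(n: int):
    """The adversary's two operation sequences (a sketch). Both write n
    distinct balls and then issue T = sqrt(n) uniform reads. Sequence 0
    ends by repeating read number t, for a secret uniform index t;
    sequence 1 ends with one more independent uniform read. The adversary
    guesses "sequence 0" iff the final read touches the cell that was
    freshly accessed for the first time at read t."""
    T = math.isqrt(n)
    t = random.randrange(T)                     # secret index into the reads
    writes = [("write", i, f"ball-{i}") for i in range(n)]
    reads = [("read", random.randrange(n)) for _ in range(T)]
    seq0 = writes + reads + [reads[t]]          # final read repeats read t
    seq1 = writes + reads + [("read", random.randrange(n))]  # fresh read
    return seq0, seq1, t
```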
Okay, so here are the two lemmas I'm going to try to prove. The first is about the case where the final read is random; we'll start with that because it's a bit simpler. The second is about the case where the final read is a repeat, and there we'll prove that we do get this overlap. Together, these prove that the adversary has high advantage.

Okay, so Lemma 1. This is where we use worst-case overhead. It's a pretty simple argument: the final read is independent of the index t we selected, and it freshly accesses at most p cells, where p < 0.1 √n. Since there are T = √n reads, and each physical cell can be freshly read by at most one previous access (that's what fresh means), this final read* operation can have our desired overlap with at most p different previous reads. So the probability, over the random choice of t, that we get unlucky is at most p / √n ≤ 0.1.

Now for Lemma 2, I'm actually going to break it apart even further, into what I'll call Lemma 3 and Lemma 4. First we prove that the ORAM has to do a fresh access of q* with high probability, and then we prove that we get the repeated access with high probability; together, with a union bound, they give us the desired Lemma 2.

Lemma 3 is a bit simpler. It's a correctness argument: b* is located at q*, and if q* is not touched at all, not read or written to, before read t, then q* has to be accessed at read t. That's because we requested b*, and b* sits in q* until that cell gets touched, at which point it might move; but if it's untouched, we have to access it, because we need to grab b* for the client. Then a simple argument, using worst-case overhead again, shows that at most p · T < 0.1 n of the physical cells are read before read t. Since b* is selected uniformly at random, independently of the previous reads, the probability that its cell is untouched is at least 0.9, which means we access it freshly for the first time with probability at least 0.9.

The second part, Lemma 4, is the repeated access. This is a little trickier, because in operation sequence 0 we know q* has been accessed before, so b* could be located anywhere by now; we don't have much control over that. The key point, and this is where we use the fact that it's a counter-only ORAM (this can be extended to more general state, but it's simpler with just a counter), is that the final access is independent of what came before it. The final access is fixed only by the program counter, the key, and the operation provided. If you read item 3 at the very end of the sequence, the ORAM has no idea whether you've read 3 before, or which operation sequence happened earlier, because all it has is a program counter: all it knows is that you've issued T reads. So if there's any possible prior sequence under which q* hasn't been touched, then the ORAM has to access q* right now, because b* might still be there; it doesn't know the history. So what we do is fix any such sequence, and then, over the random choice of b*, q* hasn't been accessed with probability at least 0.9. This is the same correctness argument as before; we've used this history-independence property to reduce our problem back to the correctness argument. So here again, using worst-case overhead and the counter-only property, we get that q* is accessed in the final read with probability at least 0.9.

So, together, Lemma 3, Lemma 4, and a union bound give us Lemma 2, and Lemma 2 together with Lemma 1 gives an adversary with high advantage, which completes our contradiction.
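Spelling out the arithmetic with the constants from the lemmas (a sketch; the advantage is the one defined in the preliminaries):

```latex
% Lemma 2 = Lemmas 3 and 4 plus a union bound; Lemma 1 as stated:
\Pr[\text{overlap} \mid \text{seq } 0] \;\ge\; 1 - 0.1 - 0.1 \;=\; 0.8,
\qquad
\Pr[\text{overlap} \mid \text{seq } 1] \;\le\; 0.1 .

% Guessing ``sequence 0'' exactly when the overlap occurs:
\Pr[\text{correct guess}]
  \;\ge\; \tfrac{1}{2}(0.8) + \tfrac{1}{2}(1 - 0.1) \;=\; 0.85,
\qquad
\text{advantage} \;\ge\; 0.85 - \tfrac{1}{2} \;=\; 0.35 \;>\; 0 .
```

This contradicts perfect security, under which the advantage must be zero.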
And so we've proved the theorem by contradiction: any one-round, counter-only, balls-and-bins ORAM must have high worst-case overhead.

Now I'll finish off with a couple of other results in the paper and some future work and open problems. I did mention that we can extend this result to amortized overhead, to large state, and to ORAMs that are not perfectly correct. We also prove a slightly weaker trade-off if the ORAM is allowed to duplicate balls: here I required that the balls are immutable and not duplicated, but if you're allowed to duplicate a little bit, you get a similar bound. We also prove, for multi-round ORAM, that current constructions are optimal in some sense for a restricted class of ORAMs that many constructions satisfy. And we consider static ORAM, which cannot move data: it writes the data once and then has to remain oblivious while only reading, never moving any of the balls between the bins.

Open problems. An extension to large overhead with small state is still open: we only prove one half of the smooth trade-off that would be nice, since we only consider small overhead. An extension from balls and bins to the information-theoretic model is the obvious open problem, and our duplicate-balls proof highlights some of the issues that keep our proof from extending to the information-theoretic model. An extension to general k-round ORAM, in either the balls-and-bins or the information-theoretic model, would also be interesting, once it doesn't require the artificial restriction we put in place.

Okay, and that's it. Here is the link to the full paper. Thanks.