# Yes, There is an Oblivious RAM Lower Bound!

@article{Larsen2018YesTI, title={Yes, There is an Oblivious RAM Lower Bound!}, author={Kasper Green Larsen and Jesper Buus Nielsen}, journal={Electron. Colloquium Comput. Complex.}, year={2018}, volume={TR18} }

An Oblivious RAM (ORAM) introduced by Goldreich and Ostrovsky [JACM’96] is a (possibly randomized) RAM, for which the memory access pattern reveals no information about the operations performed. The main performance metric of an ORAM is the bandwidth overhead, i.e., the multiplicative factor extra memory blocks that must be accessed to hide the operation sequence. In their seminal paper introducing the ORAM, Goldreich and Ostrovsky proved an amortized \(\varOmega (\lg n)\) bandwidth overhead…

## 80 Citations

### OptORAMa: Optimal Oblivious RAM

- Computer Science, Materials ScienceIACR Cryptol. ePrint Arch.
- 2018

This paper presents the first secure ORAM with O(log N) amortized blowup, assuming one-way functions, and improves the previously best known deterministic or randomized algorithms whose running time is O(n · log n) or O( n·log’n), respectively.

### Stronger Lower Bounds for Online ORAM

- Computer Science, MathematicsTCC
- 2019

The results rule out a broader class of constructions and imply that obfuscating the boundaries between the input operations does not help in building a more efficient ORAM, and study the properties of access graphs induced naturally by the memory access pattern of an ORAM computation.

### OptORAMa : Optimal Oblivious RAM Gilad Asharov

- Computer Science, Mathematics
- 2019

This paper presents the first secure ORAM with O(logN) amortized blowup, assuming one-way functions, and improves the previously best known deterministic or randomized algorithms whose running time is O(n · log n) or O( n · log log n), respectively.

### Optimal Oblivious Parallel RAM

- Computer Science, MathematicsIACR Cryptol. ePrint Arch.
- 2020

It is shown that any Parallel RAM with memory capacity N can be obliviously simulated in space O(N), incurring only O(logN) blowup in (amortized) total work as well as in depth, and provides an essentially optimal OPRAM scheme.

### Lower Bound for Oblivious RAM with Large Cells

- Computer Science, MathematicsIACR Cryptol. ePrint Arch.
- 2020

The first (unconditional) separation between the overhead needed for ORAMs in the online vs. offline models is derived, and the lower bound is tight for all settings of parameters, up to the log(b/w) factor.

### A Logarithmic Lower Bound for Oblivious RAM (for All Parameters)

- Computer Science, MathematicsCRYPTO
- 2021

The first (unconditional) separation between the overhead needed for ORAMs in the online vs. offline models is derived, and the lower bound is tight for all settings of parameters, up to the log(b/w) factor.

### Sub-logarithmic Distributed Oblivious RAM with Small Block Size

- Computer Science, MathematicsIACR Cryptol. ePrint Arch.
- 2019

This paper presents a family of distributed ORAM constructions that follow the hierarchical approach of Goldreich and Ostrovsky and develops new ones, to take better advantage of the existence of multiple servers.

### Perfectly Oblivious (Parallel) RAM Revisited, and Improved Constructions

- Computer Science, MathematicsITC
- 2021

The performance metrics for perfect ORAM/OPRAM, and novel constructions that achieve asymptotical improvements for all performance metrics are revisited, and high-probability performance bounds that match the expected bounds are proved.

### A Lower Bound for One-Round Oblivious RAM

- Mathematics, Computer ScienceIACR Cryptol. ePrint Arch.
- 2020

It is proved that any one-round balls-in-bins ORAM that does not duplicate balls must have either Ω( √ N) bandwidth or Ω[N] client memory, where N is the number of memory slots being simulated.

### Oblivious RAM with Worst-Case Logarithmic Overhead

- Computer Science, MathematicsCRYPTO
- 2021

This work designs a novel de-amortization framework for modern ORAM constructions that use the “shuffled inputs” assumption and relies on the existence of oneway functions and guarantee computational security to close a long line of research on fundamental feasibility results for ORAM construction results.

## References

SHOWING 1-10 OF 26 REFERENCES

### Is There an Oblivious RAM Lower Bound?

- Computer Science, MathematicsITCS
- 2015

The lower bound on the overhead required to obliviously simulate programs, due to Goldreich and Ostrovsky, is revisited and it is proved that for the offline case, showing a lower bound without the above restriction is related to the size of the circuits for sorting.

### Oblivious RAM Revisited

- Computer Science, MathematicsCRYPTO
- 2010

This work redesigns the oblivious RAM protocol using modern tools, namely Cuckoo hashing and a new oblivious sorting algorithm, and replaces each data request by only O(log2 n) requests.

### Asymptotically Tight Bounds for Composing ORAM with PIR

- Computer Science, MathematicsPublic Key Cryptography
- 2017

This paper achieves a sub-logarithmic bandwidth blowup of \(O(\log _{d} N)\) (where d is a free parameter) without using expensive computation by using a d-ary tree and a two server private information retrieval (PIR) protocol based on inexpensive XOR operations at the servers.

### Onion ORAM: A Constant Bandwidth Blowup Oblivious RAM

- Computer Science, MathematicsTCC
- 2016

The Onion ORAM is the first concrete instantiation of a constant bandwidth blowup ORAM under standard assumptions, and proposes novel techniques to achieve security against a malicious server, without resorting to expensive and non-standard techniques such as SNARKs.

### On the (in)security of hash-based oblivious RAM and a new balancing scheme

- Computer Science, MathematicsSODA
- 2011

This work analyzes several schemes from the literature, observing a repeated design flaw that leaks information on the memory access pattern, and presents a new secure oblivious RAM scheme, which uses only O(1) local memory, and its (amortized) overhead is O(log2n/log log n), outperforming the previously-best O( log2n) overhead.

### Garbled RAM Revisited

- Computer Science, MathematicsEUROCRYPT
- 2014

The notion of garbled random-access machines (garbled RAMs) was introduced by Lu and Ostrovsky (Eurocrypt 2013). It can be seen as an analogue of Yao’s garbled circuits, that allows a user to garble…

### BIOS ORAM: Improved Privacy-Preserving Data Access for Parameterized Outsourced Storage

- Computer Science, MathematicsWPES@CCS
- 2017

A novel ORAM scheme that improves the asymptotic I/O overhead of previous schemes for a wide range of size parameters for clientside private memory and message blocks, from logarithmic to polynomial is presented.

### Path ORAM

- Computer Science, MathematicsIACR Cryptol. ePrint Arch.
- 2013

It is formally proved that Path ORAM has a O(log N) bandwidth cost for blocks of size B = Ω (log2 N) bits, and is asymptotically better than the best-known ORAM schemes with small client storage.

### Statistically-secure ORAM with Õ(log2 n) Overhead

- Computer Science, MathematicsASIACRYPT
- 2014

A simple, statistically secure, ORAM with computational overhead ~ O(log 2 n) with an upper bound on the rate of “upset” customers in the “supermarket” problem is demonstrated.

### PrivateFS: a parallel oblivious file system

- Computer ScienceCCS
- 2012

Extensions providing fork consistency against an actively malicious adversary and new de-amortization techniques bring the worst case query cost in line with the average cost are presented.