Fast Oblivious Storage

We introduce three practicality-critical components for Oblivious RAM (ORAM): (i) parallelism, (ii) deamortization, and (iii) fork-consistency defense against malicious adversaries. In (i), instead of waiting for the completion of ongoing client-server transactions, client threads can now engage a server in parallel without loss of privacy. This critical piece is missing from existing ORAMs, which can not allow multiple clients threads to operate simultaneously without revealing intraand inter-query correlations and thus incurring privacy leaks. And since ORAMs often require many communication rounds, this significantly and unnecessarily constrains throughput. The mechanisms introduced here eliminate this constraint, allowing overall throughput to be bound by server bandwidth only, and thus to increase by an order of magnitude. Further, in (ii) new de-amortization techniques bring the extremely impractical worst case ORAM query cost (e.g., having to periodically wait for tens or hundreds of hours for ORAM reshuffles to complete before being able to execute the next query) in line with the average cost. Both (i) and (ii) are shown to be fundamental to any practical ORAM. Finally, (iii) extensions providing fork consistency against an actively malicious adversary are then presented. A high performance, fully functional implementation (PD-ORAM) was designed, built and analyzed. It performs multiple queries per second on a 1TB+ database across 50ms latency links, with unamortized, bound query latencies. Based on PD-ORAM, PrivateFS an oblivious file system that enables access to remote storage, while keeping both the file contents and client access patterns secret was built and deployed on Linux as a userspace file system. For a single-CPU server throughput can exceed 300Kbps with almost optimal bandwidth utilization.