Sarvar Patel

Sarvar Patel, Giuseppe Persiano, Kevin Yeo

Oblivious RAM (ORAM) and private information retrieval (PIR) are classic cryptographic primitives used to hide the access pattern to data whose storage has been outsourced to an untrusted server. Unfortunately, both primitives require considerable overhead compared to plaintext access. For large-scale storage infrastructure with highly frequent access requests, the degradation in response time and the exorbitant increase in resource costs incurred by either ORAM or PIR prevent their usage. In an ideal scenario, a privacy-preserving storage protocols with small overhead would be implemented for these heavily trafficked storage systems to avoid negatively impacting either performance and/or costs. In this work, we study the problem of the best $\mathit{storage\ access\ privacy}$ that is achievable with only $\mathit{small\ overhead}$ over plaintext access. To answer this question, we consider $\mathit{differential\ privacy\ access}$ which is a generalization of the $\mathit{oblivious\ access}$ security notion that are considered by ORAM and PIR. Quite surprisingly, we present strong evidence that constant overhead storage schemes may only be achieved with privacy budgets of $ε= Ω(\log n)$. We present asymptotically optimal constructions for differentially private variants of both ORAM and PIR with privacy budgets $ε= Θ(\log n)$ with only $O(1)$ overhead. In addition, we consider a more complex storage primitive called key-value storage in which data is indexed by keys from a large universe (as opposed to consecutive integers in ORAM and PIR). We present a differentially private key-value storage scheme with $ε= Θ(\log n)$ and $O(\log\log n)$ overhead. This construction uses a new oblivious, two-choice hashing scheme that may be of independent interest.

Sarvar Patel, Giuseppe Persiano, Kevin Yeo

We consider Oblivious Shuffling and K-Oblivious Shuffling, a refinement thereof. We provide efficient algorithms for both and discuss their application to the design of Oblivious RAM. The task of K-Oblivious Shuffling is to obliviously shuffle N encrypted blocks that have been randomly allocated on the server in such a way that an adversary learns nothing about the new allocation of blocks. The security guarantee should hold also with respect to an adversary that has learned the initial position of K touched blocks out of the N blocks. The classical notion of Oblivious Shuffling is obtained for K = N. We present a family of algorithms for Oblivious Shuffling. Our first construction, CacheShuffleRoot, is tailored for clients with $O(\sqrt{N})$ blocks of memory and uses $(4+ε)N$ blocks of bandwidth, for every $ε> 0$. CacheShuffleRoot is a 4.5x improvement over previous best known results on practical sizes of N. We also present CacheShuffle that obliviously shuffles using O(S) blocks of client memory with $O(N\log_S N)$ blocks of bandwidth. We then turn to K-Oblivious Shuffling and give algorithms that require 2N + f(K) blocks of bandwidth, for some function f. That is, any extra bandwidth above the 2N lower bound depends solely on K. We present KCacheShuffleBasic that uses O(K) client storage and exactly 2N blocks of bandwidth. For smaller client storage requirements, we show KCacheShuffle, which uses O(S) client storage and requires $2N+(1+ε)O(K\log_S K)$ blocks of bandwidth. Finally, we consider the case in which, in addition to the N blocks, the server stores D dummy blocks whose content is is irrelevant but still their positions must be hidden by the shuffling. For this case, we design algorithm KCacheShuffleDummy that, for N + D blocks and K touched blocks, uses O(K) client storage and $D+(2+ε)N$ blocks of bandwidth.

Keith Bonawitz, Vladimir Ivanov, Ben Kreuter et al.

Secure Aggregation protocols allow a collection of mutually distrust parties, each holding a private value, to collaboratively compute the sum of those values without revealing the values themselves. We consider training a deep neural network in the Federated Learning model, using distributed stochastic gradient descent across user-held training data on mobile devices, wherein Secure Aggregation protects each user's model gradient. We design a novel, communication-efficient Secure Aggregation protocol for high-dimensional data that tolerates up to 1/3 users failing to complete the protocol. For 16-bit input values, our protocol offers 1.73x communication expansion for $2^{10}$ users and $2^{20}$-dimensional vectors, and 1.98x expansion for $2^{14}$ users and $2^{24}$ dimensional vectors.