5

Oblivious Ram (ORAM) is a cryptographic technique that is used for secure DB querying without leakage on the access patterns. There are several schemes for ORAM, amongst the most popular ones, there is Path ORAM. However, and as far as I understand it, ORAM is tied to a client/server(s) configuration, in other words, it let a given client outsource DB services. In this, case the DB belongs to the client, and security follows from the server not learning anything from the DB content and the access pattern. My Question is as follows:

In the case the DB does not belong to the client, and the definition of security is expanded such that the server does not learn anything from the query but also the client does not learn anything from the DB, except the result of query (A third party DB), can I still use ORAM, how should I do it? and how an scheme like Path ORAM would work instead? Any insight on this precise topic is more than welcome!

DaWNFoRCe
  • 892
  • 7
  • 17

2 Answers2

1

ORAM can be built on a multi-party scenario, where the data belongs to various parties using Secure Multiparty Computation. Recent research calls this approach ORAM for Secure Computation (SC-ORAM).

Given that writing and reading are required, it is my believe this would be the best approach.

In the typical SC-ORAM setting, several parties store information on remote server that holds the ORAM, and use SFE and general 2PC to execute ORAM tasks.

There are ways you can get rid of the Server however, Keller and Scholes propose the adaptation of Path ORAM, among other methods under a setting where the DB is secretly shared among the participants. Their results could be adapted to any method using ORAM and MPC.

What may be the most relevant of all, are the results by Faber et al, show how to build such setting under an MPC framework that allow for a secret shared database between 3 distrustful parties.

A short post about their results including a nice video with detailed explanations can be found here.

DaWNFoRCe
  • 892
  • 7
  • 17
0

There is a relevant scenario for order queries but not with the ORAM security guarantee. It hides the content of the DB to the user, in a zero-knowledge fashion: eprint.iacr.org/2014/632 . The guarantee from the server point of view is tied to verifiability

curious
  • 6,280
  • 6
  • 34
  • 48