Is There an Oblivious RAM Lower Bound for Online Reads?
Journal of Cryptology (IF 3), Pub Date: 2021-05-11, DOI: 10.1007/s00145-021-09392-1
Mor Weiss, Daniel Wichs

Oblivious RAM (ORAM), introduced by Goldreich (STOC 1987) and Ostrovsky (STOC 1990), can be used to read and write to memory in a way that hides which locations are being accessed. The best known ORAM schemes have an \(O(\log n)\) overhead per access, where \(n\) is the data size. The work of Goldreich and Ostrovsky (JACM 1996) gave a lower bound, showing that this is optimal for ORAM schemes that operate in a “balls and bins” model, where memory blocks can only be shuffled between different locations but not manipulated otherwise (and the server is used solely as remote storage). The lower bound even extends to weaker settings such as offline ORAM, where all of the accesses to be performed need to be specified ahead of time, and read-only ORAM, which only allows reads but not writes. But can we get lower bounds for general ORAM, beyond “balls and bins”? The work of Boyle and Naor (ITCS 2016) shows that this is unlikely in the offline setting. In particular, they construct an offline ORAM with \(o(\log n)\) overhead assuming the existence of small sorting circuits. Although we do not have instantiations of the latter, ruling them out would require proving new circuit lower bounds. On the other hand, the recent work of Larsen and Nielsen (CRYPTO 2018) shows that there indeed is an \(\Omega (\log n)\) lower bound for general online ORAM. This still leaves the question open for online read-only ORAM or for read/write ORAM where we want very small overhead for the read operations. In this work, we show that a lower bound in these settings is also unlikely. In particular, our main result is a construction of online ORAM, in which the server is used solely as remote storage, where reads (but not writes) have an \(o(\log n)\) overhead, assuming the existence of small sorting circuits as well as very good locally decodable codes (LDCs). Although we do not have instantiations of either of these with the required parameters, ruling them out is beyond current lower bounds.




Updated: 2021-05-11