Oblivious Stash Shuffle

Authors

  • Petros Maniatis
  • Ilya Mironov
  • Kunal Talwar
Abstract

This is a companion report to Bittau et al. [1]. We restate and prove security of the Stash Shuffle.

1 Description of the Stash Shuffle

The Stash Shuffle considers input and output items in B sequential buckets (each holding at most D ≜ ⌈N/B⌉ items, sized to fit in private memory). At a high level, the algorithm first chooses a random output bucket for each input item, and then randomly shuffles each output bucket (Algorithm 1). It does that in two phases. During the Distribution Phase (lines 3–4), it reads in one input bucket at a time, splits it across output buckets, and stores the re-encrypted items in an intermediate array in untrusted memory. During the second phase, the Compression Phase (line 7), it reads the intermediate array of encrypted items one output bucket at a time, shuffles them randomly, and then stores them in the eventual shuffled order in the output array.

Algorithm 1 The Stash Shuffle algorithm.
  1: procedure SHUFFLE(Untrusted arrays in, out, mid)
  2:   stash ← ∅
  3:   for j ← 0, B − 1 do
  4:     DISTRIBUTEBUCKET(stash, j, in, mid)
  5:   DRAINSTASH(stash, B, mid)
  6:   FAIL on ¬stash.Empty()
  7:   COMPRESS(mid, out)

The algorithm gets its name from the stash, a private structure whose purpose is to reconcile the variability of the number of items distributed across different output buckets—this variability follows from a basic balls-and-bins argument, given the random distribution of input items to output buckets—with the requirement for obliviousness: hiding this variability from the untrusted memory and from an observer outside the enclave. While a single input bucket is distributed to output buckets, we cap the number of items it may deposit in each; we set this cap at C ≜ D/B + α√(D/B) for a small constant α, due to the binomial distribution. Some input buckets may direct more than C items into an output bucket, overflowing it. Any overflow items are instead stored in the stash, sized to fit S items and organized as a stack for each output bucket, and drained into the output during distribution of subsequent input buckets.

Algorithm 2 describes the distribution in more detail, implementing the same logic but reducing data copies. SHUFFLETOBUCKETS randomly shuffles the D items of the input bucket (D = 6 in the figure) together with B − 1 bucket separators (B = 4 in the figure). The shuffle determines which item will fall into which target bucket, stored in targets (line 3). Then, for every output bucket, as long as there is still room within the maximum of C items to output (C = 2 in the figure) and there are stashed-away items, the output takes items from the stash (lines 4–6). Then the input bucket items are read in from the outside input array, decrypted, and deposited either in the output (if there is still room in the quota C of the target bucket) or in the stash (lines 7–15). Finally, if some output chunks are still not up to the C quota, they are filled with dummy items—to avoid leaking to the outside how items were distributed—encrypted, and written out into the intermediate array (lines 16–20).

Note that the stash may end up with items left over after all input buckets have been processed, so we drain those items (padding with dummies), filling K extra items per output bucket at the end of the distribution phase (line 5 of Algorithm 1, which is similar to distributing a bucket, except there is no input bucket to distribute). K is set to S/B, that is, the size of the stash divided by the number of buckets.

In the compression phase, the intermediate items deposited by the distribution phase must be shuffled, and dummy items must be filtered out. To do this, without revealing information about the distribution of (real) items in output
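As an added illustration, not code from this report or from Bittau et al., the following plain-Python model walks through Algorithms 1 and 2 with the figure's parameters B = 4, D = 6, C = 2. Encryption is omitted (DUMMY stands for an encrypted dummy item), and K is an assumed, deliberately oversized drain quota so the run can never hit the FAIL branch; the point it shows is that every chunk written to the intermediate array has a fixed, data-independent size.

```python
import random
# Constructed parameters: B, D, C are the values in the paper's figure. K = S/B
# is oversized so the stash never overflows here; the paper sizes S far tighter.
B, D, C, K = 4, 6, 2, 16
DUMMY, SEP = object(), object()   # encrypted dummy item; bucket separator

def shuffle_to_buckets(bucket, rng):
    # Shuffle items with B-1 separators; the i-th run of the result targets bucket i.
    symbols = list(bucket) + [SEP] * (B - 1)
    rng.shuffle(symbols)
    targets, b = [[] for _ in range(B)], 0
    for s in symbols:
        if s is SEP:
            b += 1
        else:
            targets[b].append(s)
    return targets

def distribute_bucket(stash, bucket, mid, rng, quota=C):
    # Exactly `quota` slots per output bucket: stash first, then fresh items, then dummies.
    targets = shuffle_to_buckets(bucket, rng)
    for b in range(B):
        chunk = [stash[b].pop() for _ in range(min(quota, len(stash[b])))]
        for item in targets[b]:
            (chunk if len(chunk) < quota else stash[b]).append(item)
        mid[b].extend(chunk + [DUMMY] * (quota - len(chunk)))

def drain_stash(stash, mid, rng):
    # Line 5 of Algorithm 1: like distributing a bucket, but with no input items
    # and a K-item quota; anything still stashed afterwards is FAIL (line 6).
    distribute_bucket(stash, [], mid, rng, quota=K)
    if any(stash):
        raise RuntimeError("FAIL: stash not empty")

def compress(mid, rng):
    # Per output bucket: drop the dummies, then shuffle inside private memory.
    out = []
    for chunk in mid:
        real = [x for x in chunk if x is not DUMMY]
        out += rng.sample(real, len(real))
    return out

def stash_shuffle(items, seed=0):
    rng = random.Random(seed)
    stash, mid = [[] for _ in range(B)], [[] for _ in range(B)]
    for j in range(B):
        distribute_bucket(stash, items[j * D:(j + 1) * D], mid, rng)
    drain_stash(stash, mid, rng)
    # Untrusted memory only sees mid's layout: B*C + K slots per output bucket.
    return compress(mid, rng), [len(bucket) for bucket in mid]
```

The returned layout is the same for every input and seed, which is exactly what the dummy padding buys; with K = 16 the drain always succeeds for N = 24 because at most 24 − 4·C = 16 items can ever be left for a single output bucket.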


Similar resources

The Melbourne Shuffle: Improving Oblivious Storage in the Cloud

We present a simple, efficient, and secure data-oblivious randomized shuffle algorithm. This is the first secure data-oblivious shuffle that is not based on sorting. Our method can be used to improve previous oblivious storage solutions for network-based outsourcing of data.


Round-Efficient Oblivious Database Manipulation

Most of the multi-party computation frameworks can be viewed as oblivious databases where data is stored and processed in a secret-shared form. However, data manipulation in such databases can be slow and cumbersome without dedicated protocols for certain database operations. In this paper, we provide efficient protocols for oblivious selection, filtering and shuffle—essential tools in privacy-...


CacheShuffle: An Oblivious Shuffle Algorithm Using Caches

We introduce the notion of K-Oblivious Shuffling, a refinement of the Oblivious Shuffling problem. The goal of a K-Oblivious Shuffling algorithm is to obliviously shuffle N encrypted blocks that have been randomly allocated on the server in such a way that the adversary learns nothing about the new allocation of blocks to storage, even if the adversary has learned the position of K touched bloc...


Remote Oblivious Storage: Making Oblivious RAM Practical

Remote storage of data has become an increasingly attractive and advantageous option, especially due to cloud systems. While encryption protects the data, it does not hide the access pattern to the data. A natural solution is to access remote storage using an Oblivious RAM (ORAM) which provably hides all access patterns. While ORAM is asymptotically efficient, the best existing scheme (Pinkas a...


Efficiency-Improved Fully Simulatable Adaptive OT under the DDH Assumption

At Asiacrypt 2009, Kurosawa and Nojima showed a fully simulatable adaptive oblivious transfer (OT) protocol under the DDH assumption in the standard model. However, Green and Hohenberger pointed out that the communication cost of each transfer phase is O(n), where n is the number of the sender’s messages. In this paper, we show that the cost can be reduced to O(1) by utilizing a verifiable shuf...



Journal:
  • CoRR

Volume abs/1709.07553  Issue 

Pages  -

Publication date 2017