a language for probabilistically oblivious computation
play

A Language for Probabilistically Oblivious Computation David Darais - PowerPoint PPT Presentation

Mar 25, 2023 •182 likes •787 views

A Language for Probabilistically Oblivious Computation David Darais , Ian Sweet, Chang Liu, Michael Hicks Secure Storage S[42] secret Cloud You s = S[42] Storage S[s] secret Implementation = encrypt the data Read/write indices

  1. 
 A Language for Probabilistically Oblivious Computation David Darais , Ian Sweet, Chang Liu, Michael Hicks

  2. Secure Storage S[42] ← secret Cloud You s = S[42] Storage S[s] ← secret Implementation = encrypt the data Read/write indices in the clear , cannot depend on secrets 2

  3. Oblivious RAM S[42] ← secret Cloud You s = S[42] Storage S[s] ← secret Implementation = encrypt the data and garble indices Read/write indices can depend on secrets 3

  4. λ -obliv 4

  5. λ -obliv …is for implementing oblivious algorithm Secure databases and secure multiparty computation S[secret] (read) Oblivious 
 Types , semantics , and proofs for probabilistic programs RAM S[secret] ← secret (write) Publicly available implementation 5

  6. λ -obliv …is for implementing oblivious algorithm Secure databases and secure multiparty computation Types , semantics , and proofs for probabilistic programs Publicly available implementation 6

  7. ORAM basics λ -obliv design λ -obliv proof 7

  8. Memory Trace Obliviousness (MTO) Adversary can see: Public values Program counter Memory (and array) access patterns Adversary can’t see: Secret values MTO if you can’t infer secret values from observations 8

  9. Baby Not-secure ORAM Adversary Observations -- upload secrets S[0] ← s ₀ -- write secret 0 S[1] ← s ₁ -- write secret 1 -- read secret index s r = S[s] -- NOT OK 9

  10. Baby Not-secure ORAM Adversary Observations -- upload secrets 0 S[0] ← s ₀ -- write secret 0 S[1] ← s ₁ -- write secret 1 1 -- read secret index s r = S[s] -- NOT OK 10

  11. Baby Not-secure ORAM Adversary Observations -- upload secrets 0 S[0] ← s ₀ -- write secret 0 S[1] ← s ₁ -- write secret 1 1 -- read secret index s s r = S[s] -- NOT OK Violates Memory Trace Obliviousness (MTO) 11

  12. Baby Trivial ORAM Adversary -- upload secrets Observations S[0] ← s ₀ -- write secret 0 S[1] ← s ₁ -- write secret 1 -- read secret index s r ₀ = S[0] -- read secret 0 r ₁ = S[1] -- read secret 1 r, _ = mux(s, r ₀ , r ₁ ) -- MTO 12

  13. Baby Trivial ORAM Adversary -- upload secrets Observations S[0] ← s ₀ -- write secret 0 0 S[1] ← s ₁ -- write secret 1 -- read secret index s 1 r ₀ = S[0] -- read secret 0 r ₁ = S[1] -- read secret 1 r, _ = mux(s, r ₀ , r ₁ ) -- MTO 13

  14. Baby Trivial ORAM Adversary -- upload secrets Observations S[0] ← s ₀ -- write secret 0 0 S[1] ← s ₁ -- write secret 1 -- read secret index s 1 r ₀ = S[0] -- read secret 0 0 r ₁ = S[1] -- read secret 1 r, _ = mux(s, r ₀ , r ₁ ) -- MTO 1 Satisfies MTO, but ine ffi cient 14

  15. Probabilistic Memory Trace Obliviousness (PMTO) Adversary can see: Public values Program counter Memory (and array) access patterns Adversary can’t see: Secret values AND random samples (coin flips) PMTO if you can’t infer secret values from observations 15

  16. Baby Tree ORAM -- upload secrets b = flip-coin() -- randomness s ₀′ , s ₁′ = mux(b, s ₀ , s ₁ ) S[0] ← s ₀′ -- write secret 0 or 1 S[1] ← s ₁′ -- write secret 1 or 0 -- read secret index s r = S[b ⊕ s] Violates secure data/information flow 
 Satisfies Probabilistic Memory Trace Obliviousness (PMTO) 16

  17. Baby Tree ORAM Truth table for b ⊕ s b S b ⊕ s -- upload secrets 0 0 0 b = flip-coin() -- randomness s ₀′ , s ₁′ = mux(b, s ₀ , s ₁ ) 1 0 1 S[0] ← s ₀′ -- write secret 0 or 1 S[1] ← s ₁′ -- write secret 1 or 0 0 1 1 -- read secret index s r = S[b ⊕ s] 1 1 0 17

  18. Baby Tree ORAM Truth table for b ⊕ s b S b ⊕ s -- upload secrets 0 0 0 b = flip-coin() -- randomness s ₀′ , s ₁′ = mux(b, s ₀ , s ₁ ) 1 0 1 S[0] ← s ₀′ -- write secret 0 or 1 S[1] ← s ₁′ -- write secret 1 or 0 0 1 1 -- read secret index s r = S[b ⊕ s] 1 1 0 Observation: b ⊕ s = 1 18

  19. Baby Tree ORAM Truth table for b ⊕ s b S b ⊕ s -- upload secrets 0 0 0 b = flip-coin() -- randomness s ₀′ , s ₁′ = mux(b, s ₀ , s ₁ ) 1 0 1 S[0] ← s ₀′ -- write secret 0 or 1 S[1] ← s ₁′ -- write secret 1 or 0 0 1 1 -- read secret index s r = S[b ⊕ s] 1 1 0 Observation: b ⊕ s = 1 19

  20. Baby Tree ORAM Truth table for b ⊕ s b S b ⊕ s -- upload secrets 0 0 0 b = flip-coin() -- randomness s ₀′ , s ₁′ = mux(b, s ₀ , s ₁ ) 1 0 1 S[0] ← s ₀′ -- write secret 0 or 1 S[1] ← s ₁′ -- write secret 1 or 0 0 1 1 -- read secret index s r = S[b ⊕ s] 1 1 0 Observation: b ⊕ s = 0 output(b) after S[b ⊕ s] would be problematic! 20

  21. ORAM basics λ -obliv design λ -obliv proof 21

  22. λ -obliv design challenge How to: Allow direct flows from uniform secrets to public values Prevent revealing any value correlated with a secret 22

  23. λ -obliv features τ ⩴ … | flip[R] -- uniform secrets | bit[R, ℓ ] -- bits | ref( τ ) -- references | τ → τ -- functions A ffi ne, uniformly distributed secret random values 
 e ⩴ … | flip[R]() -- create uniform secrets R = probability region (elements in a join semilattice) 
 | castP(e) -- reveal uniform secrets | castS(x) -- non-affine use of x - | e ⊕ e -- xor Values in same region may be prob. dependent | mux(e, e, e) -- atomic mux - Values in strictly ordered regions guaranteed prob. independent | read(e) -- reference read | write(e, e) -- reference write | if(e){e}{e} -- conditionals | λ x.e | e(e) -- functions 23

  24. λ -obliv features τ ⩴ … | flip[R] -- uniform secrets | bit[R, ℓ ] -- bits | ref( τ ) -- references | τ → τ -- functions Non-a ffi ne, possibly random secret values 
 e ⩴ … | flip[R]() -- create uniform secrets R = probability region, ℓ = information flow label 
 | castP(e) -- reveal uniform secrets | castS(x) -- non-affine use of x | e ⊕ e -- xor - Region tracks prob. dependence on random values | mux(e, e, e) -- atomic mux | read(e) -- reference read | write(e, e) -- reference write | if(e){e}{e} -- conditionals | λ x.e | e(e) -- functions 24

  25. λ -obliv features τ ⩴ … | flip[R] -- uniform secrets | bit[R, ℓ ] -- bits | ref( τ ) -- references | τ → τ -- functions e ⩴ … | flip[R]() -- create uniform secrets | castP(e) -- reveal uniform secrets | castS(x) -- non-affine use of x Standard features like references and functions | e ⊕ e -- xor | mux(e, e, e) -- atomic mux | read(e) -- reference read | write(e, e) -- reference write | if(e){e}{e} -- conditionals | λ x.e | e(e) -- functions 25

  26. λ -obliv features τ ⩴ … | flip[R] -- uniform secrets | bit[R, ℓ ] -- bits | ref( τ ) -- references | τ → τ -- functions e ⩴ … | flip[R]() -- create uniform secrets | castP(e) -- reveal uniform secrets | castS(x) -- non-affine use of x | e ⊕ e -- xor | mux(e, e, e) -- atomic mux New random values are allocated in static region | read(e) -- reference read | write(e, e) -- reference write | if(e){e}{e} -- conditionals | λ x.e | e(e) -- functions 26

  27. 
 λ -obliv features τ ⩴ … | flip[R] -- uniform secrets | bit[R, ℓ ] -- bits | ref( τ ) -- references | τ → τ -- functions Escape hatches e ⩴ … needed to | flip[R]() -- create uniform secrets implement | castP(e) -- reveal uniform secrets | castS(x) -- non-affine use of x ORAM | e ⊕ e -- xor | mux(e, e, e) -- atomic mux castP : flip[R] → bit[ ⊥ ,P] (consuming) 
 | read(e) -- reference read | write(e, e) -- reference write | if(e){e}{e} -- conditionals castS : flip[R] → bit[R,S] (non-consuming) | λ x.e | e(e) -- functions 27

  28. λ -obliv features τ ⩴ … | flip[R] -- uniform secrets | bit[R, ℓ ] -- bits | ref( τ ) -- references | τ → τ -- functions e ⩴ … | flip[R]() -- create uniform secrets | castP(e) -- reveal uniform secrets | castS(x) -- non-affine use of x | e ⊕ e -- xor | mux(e, e, e) -- atomic mux | read(e) -- reference read | write(e, e) -- reference write | if(e){e}{e} -- conditionals | λ x.e | e(e) -- functions 28

  29. Taming the escape hatches A ffi ne 
 Types e ⩴ … | castP(e) | castS(x) Probability 
 Regions 29

  30. Affinity in Action b ₁ , b ₂ = flip[R1](), flip[R2]() b ₃ , _ = mux(s, b ₁ , b ₂ ) -- each of b ₁ , b ₂ , b ₃ uniform output(castP(b ₁ )) -- OK -- none of b ₁ , b ₂ , b ₃ uniform output(castP(b ₁ )) -- NOT OK 30

  31. Affinity in Action b ₁ , b ₂ = flip[R1](), flip[R2]() b ₃ , _ = mux(s, b ₁ , b ₂ ) -- each of b ₁ , b ₂ , b ₃ uniform output(castP(b ₁ )) -- OK -- none of b ₁ , b ₂ , b ₃ uniform output(castP(b ₁ )) -- NOT OK 31

  32. Affinity in Action b ₁ , b ₂ = flip[R1](), flip[R2]() b ₃ , _ = mux(s, b ₁ , b ₂ ) -- each of b ₁ , b ₂ , b ₃ uniform output(castP(b ₃ )) -- OK -- none of b ₁ , b ₂ , b ₃ uniform output(castP(b ₁ )) -- NOT OK 32

  33. Affinity in Action b ₁ , b ₂ = flip[R1](), flip[R2]() b ₃ , _ = mux(s, b ₁ , b ₂ ) -- each of b ₁ , b ₂ , b ₃ uniform output(castP(b ₃ )) -- OK -- none of b ₁ , b ₂ , b ₃ uniform output(castP(b ₁ )) -- NOT OK 33

  34. Affinity in Action s b ₁ b ₂ b ₃ b ₁ , b ₂ = flip[R1](), flip[R2]() 0 0 0 0 b ₃ , _ = mux(s, b ₁ , b ₂ ) 1 0 0 0 -- each of b ₁ , b ₂ , b ₃ uniform output(castP(b ₃ )) -- OK 0 1 0 0 -- none of b ₁ , b ₂ , b ₃ uniform 1 1 0 1 output(castP(b ₁ )) -- NOT OK 0 0 1 1 1 0 1 0 0 1 1 1 1 1 1 1 34

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Projects. Probabilistically Checkable Proofs... Probabilistically Checkable Proofs Whats a

Projects. Probabilistically Checkable Proofs... Probabilistically Checkable Proofs Whats a

Projects. Probabilistically Checkable Proofs... Probabilistically Checkable Proofs Whats a proof? Statement: A formula is satisfiable. Proof: assignment, a . Property: 5 minute presentations. Can check proof in polynomial time. A real

401 views • 3 slides
k -Round Multiparty Computation from k -Round Oblivious Transfer via Garbled Interactive Circuits

k -Round Multiparty Computation from k -Round Oblivious Transfer via Garbled Interactive Circuits

k -Round Multiparty Computation from k -Round Oblivious Transfer via Garbled Interactive Circuits Fabrice Benhamouda Huijia (Rachel) Lin IBM Research / Columbia University, US University of California, Santa Barbara, US Eurocrypt 2018, May 1,

1.03k views • 85 slides
Oblivious Computation in Public Cloud for Privacy-aware Access Control Policies and Data Search

Oblivious Computation in Public Cloud for Privacy-aware Access Control Policies and Data Search

Oblivious Computation in Public Cloud for Privacy-aware Access Control Policies and Data Search Ph.D. Dissertation Defense Zeeshan Pervez Department of Computer Engineering Kyung Hee University, Global Campus, Korea email:

650 views • 24 slides
Music, Language and Computation Aline Honingh Guest lecture in Logic, Language and Computation

Music, Language and Computation Aline Honingh Guest lecture in Logic, Language and Computation

Music, Language and Computation Aline Honingh Guest lecture in Logic, Language and Computation Music at the ILLC l Henkjan Honing music cognition l Fleur Bouwer l Gabor Haden l Rens Bod computational musicology l Aline

532 views • 39 slides
Me & the UO Language Variation & Computation Lab Sociophonetician and

Me & the UO Language Variation & Computation Lab Sociophonetician and

T. Kendall (U Oregon) Social and Cognitive Aspects of Language Variation and Change Me & the UO Language Variation & Computation Lab Sociophonetician and sociolinguist In terms of speech technology, researching variation and

202 views • 5 slides
1 COMPUTATION AS SOCIAL AGENCY: WHAT AND HOW ILLC course Logic, Language & Computation,

1 COMPUTATION AS SOCIAL AGENCY: WHAT AND HOW ILLC course Logic, Language & Computation,

1 COMPUTATION AS SOCIAL AGENCY: WHAT AND HOW ILLC course Logic, Language & Computation, Amsterdam, 10 December 2013 Johan van Benthem, Amsterdam & Stanford, http://staff.science.uva.nl/~johan Turing Year, Manchester Logic

198 views • 4 slides
Evolutionary Computation Computational Procedures patterned after biological evolution

Evolutionary Computation Computational Procedures patterned after biological evolution

Evolutionary Computation Computational Procedures patterned after biological evolution Search procedure that probabilistically applies search operators to set of points in the search space Evolutionary Algorithms Evolution Genetic

592 views • 37 slides
FUNCTIONALLY OBLIVIOUS (AND SUCCINCT) Edward Kmett BUILDING BETTER TOOLS Cache-Oblivious

FUNCTIONALLY OBLIVIOUS (AND SUCCINCT) Edward Kmett BUILDING BETTER TOOLS Cache-Oblivious

FUNCTIONALLY OBLIVIOUS (AND SUCCINCT) Edward Kmett BUILDING BETTER TOOLS Cache-Oblivious Algorithms Succinct Data Structures RAM MODEL Almost everything you do in Haskell assumes this model Good for ADTs, but not a realistic

673 views • 49 slides
Extending Oblivious Transfers Efficiently Yuval Ishai Technion Joe Kilian Kobbi Nissim

Extending Oblivious Transfers Efficiently Yuval Ishai Technion Joe Kilian Kobbi Nissim

Extending Oblivious Transfers Efficiently Yuval Ishai Technion Joe Kilian Kobbi Nissim Erez Petrank NEC Microsoft Technion Motivation x y f(x,y) How (in)efficient is generic secure computation?

431 views • 25 slides
1. Interconnector reliability should be considered probabilistically Zero probability of 100%

1. Interconnector reliability should be considered probabilistically Zero probability of 100%

1. Interconnector reliability should be considered probabilistically Zero probability of 100% probability of coincident stress coincident stress Real world derate IC provides security IC cannot provide IC based on to both countries

315 views • 5 slides
Funnel Heap - A Cache-Oblivious Priority Queue Gerth Stlting Brodal Rolf Fagerberg BRICS

Funnel Heap - A Cache-Oblivious Priority Queue Gerth Stlting Brodal Rolf Fagerberg BRICS

Funnel Heap - A Cache-Oblivious Priority Queue Gerth Stlting Brodal Rolf Fagerberg BRICS University of Aarhus Thirteenth International Symposium on Algorithms and Computation Vancouver, BC, Canada, November 22, 2002 1 Outline of talk

499 views • 24 slides
Values and Variables 1 / 19 Languages and Computation Every powerful language has three

Values and Variables 1 / 19 Languages and Computation Every powerful language has three

Values and Variables 1 / 19 Languages and Computation Every powerful language has three mechanisms for combining simple ideas to form more complex ideas:(SICP 1.1) primitive expressions, which represent the simplest entities the language is

537 views • 19 slides
Perfectly S Secure O Oblivious A s Algorithms s in t the M Multi-Server S Setting T-H.

Perfectly S Secure O Oblivious A s Algorithms s in t the M Multi-Server S Setting T-H.

Perfectly S Secure O Oblivious A s Algorithms s in t the M Multi-Server S Setting T-H. Hubert Chan, Jonathan Katz, Ka Kartik Nay ayak, Antigoni Polychroniadou, Elaine Shi Defini De ning ng an n Obl Oblivious us RAM Example request

812 views • 33 slides
Oblivious Routing on Geometric Networks Costas Busch, Malik Magdon-Ismail and Jing Xi {

Oblivious Routing on Geometric Networks Costas Busch, Malik Magdon-Ismail and Jing Xi {

Oblivious Routing on Geometric Networks Costas Busch, Malik Magdon-Ismail and Jing Xi { buschc,magdon,xij2 } @cs.rpi.edu July 20, 2005. Outline Oblivious Routing: Background and Our Contribution The Algorithm: Oblivious Routing with Single

709 views • 50 slides
Lower Bound! Kasper Green Larsen Jesper Buus Nielsen Oblivious RAM Introduced by Goldreich

Lower Bound! Kasper Green Larsen Jesper Buus Nielsen Oblivious RAM Introduced by Goldreich

Yes, There is an Oblivious RAM Lower Bound! Kasper Green Larsen Jesper Buus Nielsen Oblivious RAM Introduced by Goldreich and Ostrovsky in 1996 Encrypts the memory access pattern of a random-access algorithm Oblivious RAM, Model

505 views • 32 slides
Non-Uniform Computation & Circuits Lecture 10 Wherein every language can be decided 1

Non-Uniform Computation & Circuits Lecture 10 Wherein every language can be decided 1

Non-Uniform Computation & Circuits Lecture 10 Wherein every language can be decided 1 Non-Uniform Computation 2 Non-Uniform Computation Uniform: Same program for all (the infinitely many) inputs 2 Non-Uniform Computation Uniform: Same

1.25k views • 105 slides
Formal Specification of Cypher Nadime Francis University of Edinburgh Wednesday, May, 10th 1 /

Formal Specification of Cypher Nadime Francis University of Edinburgh Wednesday, May, 10th 1 /

Semantics Overview Ambiguous and Edge Cases Incomplete and Inconsistent Cases Formal Specification of Cypher Nadime Francis University of Edinburgh Wednesday, May, 10th 1 / 16 Semantics Overview Ambiguous and Edge Cases Incomplete and

523 views • 38 slides
Unified Classical Logic Completeness A Coinductive Pearl Jasmin Blanchette Andrei Popescu

Unified Classical Logic Completeness A Coinductive Pearl Jasmin Blanchette Andrei Popescu

Unified Classical Logic Completeness A Coinductive Pearl Jasmin Blanchette Andrei Popescu Dmitriy Traytel Isabelle H O L = All too often, proof-theoretic methods are neglected in favor of shorter, and superficially

750 views • 52 slides
On the Limitations of Provenance for Queries With Difference Yael Amsterdamer Tel Aviv

On the Limitations of Provenance for Queries With Difference Yael Amsterdamer Tel Aviv

On the Limitations of Provenance for Queries With Difference Yael Amsterdamer Tel Aviv University and INRIA Daniel Deutch Ben Gurion University and INRIA Val Tannen University of Pennsylvania TaPP 2011 Starting

496 views • 13 slides
Nonlinear Control Lecture # 8 Time Varying and Perturbed Systems Nonlinear Control Lecture # 8

Nonlinear Control Lecture # 8 Time Varying and Perturbed Systems Nonlinear Control Lecture # 8

Nonlinear Control Lecture # 8 Time Varying and Perturbed Systems Nonlinear Control Lecture # 8 Time Varying and Perturbed Systems Time-varying Systems x = f ( t, x ) f ( t, x ) is piecewise continuous in t and locally Lipschitz in x for all

557 views • 16 slides
Query Op)miza)on 1 Query op)miza)on Given an SQL query,

Query Op)miza)on 1 Query op)miza)on Given an SQL query,

Query Op)miza)on 1 Query op)miza)on Given an SQL query, the query op)mizer tries to figure out the order of opera)ons that will make the

550 views • 23 slides
Reinforcement Learning George Konidaris gdk@cs.brown.edu Fall 2019 Machine Learning Subfield

Reinforcement Learning George Konidaris gdk@cs.brown.edu Fall 2019 Machine Learning Subfield

Reinforcement Learning George Konidaris gdk@cs.brown.edu Fall 2019 Machine Learning Subfield of AI concerned with learning from data . Broadly, using: Experience To Improve Performance On Some Task (Tom Mitchell, 1997) vs ML

629 views • 35 slides
Discrete-Event Systems and Generalized Semi-Markov Processes Reading: Section 1.4 in Shedler or

Discrete-Event Systems and Generalized Semi-Markov Processes Reading: Section 1.4 in Shedler or

Discrete-Event Systems and Generalized Semi-Markov Processes Reading: Section 1.4 in Shedler or Section 4.1 in Haas Peter J. Haas CS 590M: Simulation Spring Semester 2020 1 / 27 Discrete-Event Systems and Generalized Semi-Markov Processes

285 views • 27 slides
GradientDICE: Rethinking Generalized Offline Estimation of Stationary Values Shangtong Zhang 1 ,

GradientDICE: Rethinking Generalized Offline Estimation of Stationary Values Shangtong Zhang 1 ,

GradientDICE: Rethinking Generalized Offline Estimation of Stationary Values Shangtong Zhang 1 , Bo Liu 2 , Shimon Whiteson 1 1 University of Oxford 2 Auburn University Preview O ff -policy evaluation with density ratio learning Use the

495 views • 15 slides

More recommend