Adaptively Secure Succinct Garbled RAM with Persistent Memory
Ran Canetti, Yilei Chen, Justin Holmgren, Mariana Raykova
DIMACS workshop, MIT Media Lab, June 8~10, 2016
June 11, 2016, Boston, heavy snow.
Alice finds a quasi-polynomial time algorithm for factoring.
Instead of submitting to STOC, she thinks it’s cool to write a program and show off to her friends.
> Factoring.hs RSA2048
Running time 7 hrs 34 mins
25195908475…20720357 = 83990...4079279 x 3091701...723883
Next question
It is slow on her laptop (quasi-polynomial time, you know) … cannot fit into a party.
So she turns to the cloud, but clouds are big brothers.
She heard that one can delegate the computation in a way that the server learns only the output of the computation but nothing else.
“My friends and NSA will be shocked by the runtime without learning anything other than the output”
“The algorithm has huge preprocessing, stores lots of non-zero points on the Zeta function ...”
“Wait ... the audiences already know too much.”
> sudo apt-get install FHE
> FHE Factoring.hs
Turning the program into circuits ...
^C
>
> sudo apt-get install Yao
> Yao Factoring.hs
Still turning the program into circuits ...
^C^C^C^C^C^C^C
>
#Yao
> sudo apt-get install GRAM_Lu_Ostrovsky
> GRAM_Lu_Ostrovsky Factoring.hs
Warning: Program size as big as the running time, continue (y) or not (n)
n
>
> sudo apt-get install PRAM
> PRAM Factoring.hs
Done -> PRAM_Factoring
> PRAM_Factoring RSA2048
Warning: cannot adaptively choose functions or inputs, security at user’s own risk, continue (y) or not (n)
n
What Alice wants:
“Don’t turn into circuits, don’t blow up too much”
“Adaptively pick integers”
“Huge amount of preprocessed data reusable”
Garbling/randomized encoding for RAM with persistent memory

  Gen => msk
  D0 + msk => G(D0)
  P1 + msk => G(P1)
  Eval( G(P1), G(D0) ) => P1(D0), G(D1)        Persistency: the updated garbled memory G(D1) is kept for the next program
  P2 + msk => G(P2)
  Eval( G(P2), G(D1) ) => P2(D1), G(D2)
  ...

Succinct: the garbled memory G(D0) and garbled program G(P1) stay small (their size is tied to D0 and P1, not to the running time).

Adaptively simulation secure (“?” is the simulator, which sees only the outputs and must produce the garbled objects in the order the adversary asks for them):
  ? => G(D0)
  ? => G(P1);   G(P1), G(D0) <= G(D1), P1(D0)
  ? => G(P2);   G(P2), G(D1) <= G(D2), P2(D1)
[Main Theorem] Adaptively secure succinct garbled RAM with persistent memory from indistinguishability obfuscation for circuits, and poly-to-1 collision-resistant hash function.

Indistinguishability Obfuscator for circuits
Defined by [Barak-Goldreich-Impagliazzo-Rudich-Sahai-Vadhan-Yang ‘01]
Security: iO(F0) ≈ iO(F1) if F0 and F1 have identical functionality
Candidate constructions:
[Garg-Gentry-Halevi-Raykova-Sahai-Waters ‘13], [Barak-Garg-Kalai-Paneth-Sahai ‘14], [Brakerski-Rothblum ‘14], [Pass-Seth-Telang ‘14], [Zimmerman ‘15], [Applebaum-Brakerski ‘15], [Ananth-Jain ‘15], [Bitansky-Vaikuntanathan ‘15], [Gentry-Gorbunov-Halevi ‘15], [Lin ‘16], …
Cryptanalyses:
[Cheon-Han-Lee-Ryu-Stehle ‘15], [Coron et al ‘15], [Miles-Sahai-Zhandry ‘16], ...
Poly-to-one collision resistant hash functions
H is collision resistant + each image has at most poly many preimages.
[Thm] c-to-1 collision resistant hash functions exist for a constant c, assuming Factoring or Discrete-log is hard.
The rest of the talk:
Starting point: Canetti-Holmgren’s selectively secure scheme.
High-level idea of the Canetti-Holmgren construction: garble the CPU-step circuit, encrypt and authenticate the intermediate states and memories.
[ said Justin Holmgren, June 22, 2015, sunny ]

Canetti-Holmgren scheme details: Fixed-transcript => Fixed-access => Fixed-address => Fully secure
  Fixed-transcript: indistinguishable as long as transc = (q, op) are the same. [KLW-technique]
  Fixed-access:     q (the CPU state) can be different. [encrypt the state]
  Fixed-address:    memory content can be different. [encrypt the data]
  Fully secure:     hide the access pattern. [ORAM]
Canetti-Holmgren (ITCS16) + zoom-in on the core step: Koppula-Lewko-Waters (STOC15)
  (iO-friendly) Iterator
  (iO-friendly) Accumulator
  (iO-friendly) Splittable signature

What is written in eprint 2015/1074: Accumulator = iO-friendly Merkle tree
  initialize:    G(D0)
  authenticate:  G(Pi+1), using the accumulator key
  update:        G(Di+1)
Canetti-Holmgren (ITCS16) + zoom-in on the core step ++ zoom-in on the accumulator
Properties needed for the Accumulator (#Merkletree):
  there’s only one preimage x* of the current root value y*.
  Impossible information theoretically.
  KLW’s computational enforcement:
    Normal.Gen( ) -> H
    Enforce.Gen( x*, y* ) -> H*,   H ≈ H*
  Alternatively: SSB hashing => [Ananth-Chen-Chung-Lin-Lin]
Selective Enforcing                    Adaptive Enforcing
  x* <= Adversary                        Gen( ) => H
  Gen( ) => H                            x* <= Adversary(H)
  Enforcing(x*, y*) => H*                Enforcing(x*, y*) => H*
                                         ( … wait, what?)
#Mindblowing
What is written in eprint 2015/1074 (continued): split the accumulator key into two parts, key = hk + vk
  initialize:    G(D0)
  authenticate:  G(Pi+1)
  update:        G(Di+1)
  (the slide labels these three with hk, vk, hk respectively)

Adaptive Enforcing with the split key:
  hk is generated first
  x* <= Adversary( hk )
  vk ≈ vk*(x*)
92
Adaptive Enforcing key hk vk = +
93
Adaptive Enforcing key hk vk = + hk always_hk_Gen( ) -> hk := CRHF key h
94
Adaptive Enforcing
x* <= Adversary(H)
key hk vk = + hk always_hk_Gen( ) -> hk := CRHF key h
95
Adaptive Enforcing
x* <= Adversary(H)
key hk vk = + hk vk always_hk_Gen( ) -> hk := CRHF key h normal_vk_Gen( ) -> vk vk(x,y) = diO( if h(x)=y, output 1; else: output 0 )
96
Adaptive Enforcing
x* <= Adversary(H)
key hk vk = + hk vk vk*(x*) always_hk_Gen( ) -> hk := CRHF key h normal_vk_Gen( ) -> vk vk(x,y) = diO( if h(x)=y, output 1; else: output 0 ) enforce_vk_Gen( x*, y* ) -> vk* vk*(x,y) = diO( if y!=y* and h(x)=y, output 1; Elseif y=y* and x=x*, output 1; Else: output 0 )
≈
97
From iO + preimage-bounded CRHF:
  c-to-1 CRHF can be constructed from discrete-log or factoring
  enforce_vk( x*, y* ) -> vk*
    vk*(x,y) = diO( if y!=y* and h(x)=y, output 1; elseif y=y* and x=x*, output 1; else: output 0 )
  By the diO-iO equivalence lemma [ Boyle-Chung-Pass ‘14 ]: “ If f1 and f2 differ only on polynomially many input-output values, and they are hard to find, then iO(f1) ≈ iO(f2) ”
  Here vk and vk* differ only on inputs (x, y*) with x != x* and h(x) = y*: for a c-to-1 h there are at most c-1 of them, and finding one is a collision with x*, so the lemma gives vk ≈ vk*.
  From shrinking 1 bit to length-halving: Merkle-Damgård.
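The accumulator slides above (initialize / authenticate / update over an iO-friendly Merkle tree, and the normal versus enforcing verification program) and the Merkle-Damgård remark are modelled together in the following added Python example. It is not code from the talk or from eprint 2015/1074: the names md_halve, MerkleAccumulator, vk_normal, vk_enforce and differing_inputs, and the toy digest length N = 32, are assumptions, and SHA-256 truncated to N bits stands in for the c-to-1 CRHF (it has no proven preimage bound). Obfuscation is not modelled; vk_normal and vk_enforce are the plaintext functionalities that would be handed to diO/iO, and differing_inputs checks the hypothesis of the diO-iO lemma, namely that the two programs disagree only on second preimages of y*.

```python
# Added example (not code from the talk or from eprint 2015/1074): a toy model
# of the accumulator pieces.  SHA-256 truncated to N bits stands in for the
# c-to-1 CRHF from factoring or discrete log; the Merkle-Damgard extension,
# the Merkle-tree accumulator and the two verifier functionalities follow the
# talk's description.  All names and the value of N are assumptions.
import hashlib

N = 32  # digest length in bits; constructed toy parameter, not from the talk


def compress(bits: str) -> str:
    """Toy compression function h: {0,1}^(N+1) -> {0,1}^N (shrinks by one bit)."""
    assert len(bits) == N + 1 and set(bits) <= {"0", "1"}
    digest = hashlib.sha256(bits.encode()).digest()
    return format(int.from_bytes(digest, "big"), "0256b")[:N]


def md_halve(bits: str) -> str:
    """Merkle-Damgard: iterate the 1-bit-shrinking h over the second half of
    the input, N times, giving a length-halving hash {0,1}^(2N) -> {0,1}^N.
    A collision here yields a collision in compress, so collision resistance
    (and the bound on the number of preimages) carries over."""
    assert len(bits) == 2 * N
    state = bits[:N]
    for b in bits[N:]:
        state = compress(state + b)
    return state


class MerkleAccumulator:
    """Accumulator as a Merkle tree over md_halve; the root plays the role of y*."""

    def __init__(self, leaves):
        # initialize: build all levels bottom-up (power-of-two count of N-bit leaves)
        n = len(leaves)
        assert n > 0 and n & (n - 1) == 0 and all(len(leaf) == N for leaf in leaves)
        self.levels = [list(leaves)]
        while len(self.levels[-1]) > 1:
            prev = self.levels[-1]
            self.levels.append([md_halve(prev[i] + prev[i + 1]) for i in range(0, len(prev), 2)])

    def root(self) -> str:
        return self.levels[-1][0]

    def prove(self, idx: int) -> list:
        # authenticate: sibling path from leaf idx up to (but excluding) the root
        path = []
        for level in self.levels[:-1]:
            path.append(level[idx ^ 1])
            idx >>= 1
        return path

    def update(self, idx: int, new_leaf: str) -> str:
        # update: overwrite one leaf and rehash only the nodes on its path to the root
        assert len(new_leaf) == N
        self.levels[0][idx] = new_leaf
        for lvl in range(1, len(self.levels)):
            idx >>= 1
            below = self.levels[lvl - 1]
            self.levels[lvl][idx] = md_halve(below[2 * idx] + below[2 * idx + 1])
        return self.root()


def verify(root: str, idx: int, leaf: str, path: list) -> bool:
    """Check a membership proof against the root (the check a garbled CPU step performs)."""
    h = leaf
    for sibling in path:
        h = md_halve(sibling + h) if idx & 1 else md_halve(h + sibling)
        idx >>= 1
    return h == root


def vk_normal(x: str, y: str) -> int:
    """Functionality inside normal_vk_Gen's obfuscated program: 1 iff h(x) = y."""
    return 1 if md_halve(x) == y else 0


def vk_enforce(x_star: str, y_star: str, x: str, y: str) -> int:
    """Functionality inside enforce_vk_Gen's program: at y = y* accept only x*."""
    if y != y_star and md_halve(x) == y:
        return 1
    if y == y_star and x == x_star:
        return 1
    return 0


def differing_inputs(x_star: str, y_star: str, candidates) -> list:
    """Inputs on which vk and vk* disagree, i.e. second preimages of y*: for a
    c-to-1 hash there are at most c-1 of them, and finding one is a collision."""
    return [(x, y_star) for x in candidates
            if vk_normal(x, y_star) != vk_enforce(x_star, y_star, x, y_star)]


if __name__ == "__main__":
    leaves = [format(i, f"0{N}b") for i in range(4)]  # constructed toy memory
    acc = MerkleAccumulator(leaves)
    proof = acc.prove(2)
    print("proof verifies:", verify(acc.root(), 2, leaves[2], proof))
    new_root = acc.update(2, format(99, f"0{N}b"))
    print("old proof against new root:", verify(new_root, 2, leaves[2], proof))
```

Running the script builds a four-leaf memory, verifies one membership proof, then updates a leaf and shows that the stale proof no longer verifies against the new root, which is exactly the persistency bookkeeping the garbled CPU step relies on.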
Rest of the upgrades
Canetti-Holmgren scheme details: Fixed-transcript => Fixed-access => Fixed-address => Fully secure
  Fixed-transcript: indistinguishable as long as transc = (q, op) are the same. [KLW-technique. Assume iO]
                    + adaptively enforceable accumulator [ from iO + dlog or factoring ]
  Fixed-access:     q can be different. [encrypt the state]
  Fixed-address:    memory content can be different. [encrypt the data]
  Fully secure:     hide the access pattern. [ORAM]
                    Need a special property of the ORAM, “Strong local randomness”, satisfied by Chung-Pass ORAM. With this property, can “guess” polynomially many addresses.
                    [Ananth-Chen-Chung-Lin-Lin, eprint 2015/1082] can be viewed as accomplishing this for all the steps, via SSB hash [Hubacek-Wichs] [OPWW].
Summary
Adaptively secure succinct garbled RAM with persistent memory (from iO + Preimage-bounded-CRHF)
> sudo apt-get install GRAM_Canetti_Holmgren
package indistinguishability_obfuscation not an accepted assumption, security at user’s own risk, continue (y) or not (n)
y
> upgrade GRAM_CCHR
Done
> NSAcloud: GRAM_CCHR_Factoring RSA2048
Running time 1.0s
25195908475…20720357 = 83990...4079279 x 3091701...723883
Next question