
SLIDE 1

Secure Computation with Sublinear Cost

Mike Rosulek

Collaborators: Arash Afshar / Zhangxiang Hu / Payman Mohassel

SLIDES 2-6

Secure 2-party computation

[Figure: one party holds x, the other holds y; at the end both parties hold f(x, y) and learn nothing else about the other’s input.]

Examples:

▶ Run proprietary classifier x on private data y
▶ Evaluate statistics on combined medical records x & y
▶ · · ·

SLIDES 7-10

Fundamental Limits

[Figure: memory y with a region marked “protocol never touches these”, and the conclusion “f(x, y) doesn’t depend on these bits of y”.]

If the protocol never touches some bits of y, the holder of y learns that f(x, y) doesn’t depend on those bits, and which bits are skipped is itself a function of x.

Example:

▶ y = genetic database
▶ x = DNA markers
▶ f(x, y) = diagnosis

⇒ in general, security demands that all of the data is touched

SLIDES 11-14

Limits of Standard Techniques

“to securely evaluate f, first express f as a boolean circuit, then ...”

SLIDES 15-16

What We’re Up Against

1: Security requires protocol cost at least linear in size of inputs (in general!)

2: General-purpose 2PC scales with size of circuit representation, which is always at least linear in input size.

SLIDES 17-18

In this talk:

1: Instead of circuits, use a representation that can actually be sublinear in size.

2: Protocol must “touch every bit”, but amortize this cost across many executions.

SLIDES 19-23

RAM programs

[Figure: a CPU with small internal state exchanging messages with a large memory M:]

cpu → memory: read, ℓ1          memory → cpu: M[ℓ1]
cpu → memory: read, ℓ2          memory → cpu: M[ℓ2]
cpu → memory: write, ℓ3, x      memory: M[ℓ3] ← x

RAM program need not touch every bit of memory.

SLIDES 24-30

Idea: securely evaluate RAM

[Figure: each step, the CPU-next-instruction function maps (CPU state) → (new state, read ℓ); the memory answers M[ℓ]; the following step maps (new state, M[ℓ]) → new state.]

Basic outline:

▶ Imagine both parties’ inputs stored in large memory
▶ Imagine they could evaluate CPU-next-instruction function
▶ Use (traditional) 2PC protocol to realize CPU-next-instruction

Cost = (size of next-instruction function) × (number of instructions)

SLIDES 31-37

What can go wrong?

[Figure: the cpu step becomes a securely evaluated E(cpu): each party holds a share of the state and receives a share of the new state, while the memory request “read ℓ” and the reply “M[ℓ]” pass in the clear.]

Internal state is public
⇒ Secret-share the state! ✓

Calvin sees all of the memory
⇒ Encrypt the memory, augment CPU-next-instruction with encryption/decryption. ✓

Memory access pattern (read ℓ1, write ℓ2, . . .) public! ???
Calvin must learn these so he knows what to do!

SLIDES 38-39

Oblivious RAM

Oblivious RAM (ORAM) = memory access pattern leaks nothing about inputs/outputs/state [GoldreichOstrovsky96]

▶ Can convert any RAM program to ORAM, polylog overhead in runtime & memory [ShiChanStefanovLi11, .....]

[Figure: obliv cpu ↔ memory]

RAM-2PC paradigm [GKKKMRV12]

“Use traditional 2PC to repeatedly evaluate next-instruction circuit of an oblivious RAM program.”

SLIDES 40-43

Wait, what?

If original RAM program is sublinear, ORAM version is sublinear too!

. . . only after memory is initialized into proper data structure!

[Figure: memory → ORAM encode (touch every bit) → obliv cpu (sublinear)]

SLIDE 44

Amortizing

ORAM memory can be reused indefinitely

[Figure: memory → ORAM encode (touch every bit, once) → obliv cpu (sublinear) → obliv cpu (sublinear) → · · ·]

SLIDE 45

Summarizing

RAM-2PC paradigm [GKKKMRV12]

“Use traditional 2PC to repeatedly evaluate next-instruction circuit of an oblivious RAM program.”

▶ Expensive O(N) initialization phase
▶ Subsequent computations cost O(T), where T = ORAM running time.

▶ [GKKKMRV12]: semi-honest security
▶ [AfsharHuMohasselR15]: malicious security
▶ [HuMohasselR15]: malicious security, one-sided privacy
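The three points of slides 7-10, 31-37 and 40-45 (the access pattern of a RAM program leaks, an ORAM hides it, and the ORAM must first be built by touching every block) can be watched in code. The following is an added example written for this page; it is not code from the talk or from any of the cited papers. It runs a binary search over a sorted “database” y and records which addresses the memory holder sees, then routes the same search through a small non-recursive Path ORAM (Stefanov et al., CCS 2013, a later member of the tree-based ORAM family the slide cites as [ShiChanStefanovLi11, .....]). The class and function names, the bucket size Z = 4 and the sample database `DB` are all constructed for the example.

```python
import secrets


class PathORAM:
    """Toy non-recursive Path ORAM.  The client (the 'CPU') keeps the position map and a
    stash; the server (Calvin, holding the memory) sees only which tree nodes are read and
    rewritten.  Every access reads and rewrites exactly one root-to-leaf path, chosen by a
    uniformly random leaf, so the observed pattern is independent of the addresses accessed."""

    def __init__(self, n_blocks, bucket_size=4):
        self.height = max(1, (n_blocks - 1).bit_length())      # 2**height leaves >= n_blocks
        self.n_leaves = 1 << self.height
        self.Z = bucket_size
        # Server side: one bucket of up to Z (block_id, value) pairs per node; heap indexing,
        # root = 1, leaves = n_leaves .. 2*n_leaves-1.
        self.tree = {node: [] for node in range(1, 2 * self.n_leaves)}
        # Client side: every block is assigned a random leaf and lives on the path to it (or in the stash).
        self.pos = {b: secrets.randbelow(self.n_leaves) for b in range(n_blocks)}
        self.stash = {}
        self.server_view = []   # one tuple of node ids per access: exactly what the server observes

    def _path(self, leaf):
        node, path = self.n_leaves + leaf, []
        while node >= 1:
            path.append(node)
            node //= 2
        return path             # leaf first, root last

    def access(self, op, block, value=None):
        leaf = self.pos[block]
        self.pos[block] = secrets.randbelow(self.n_leaves)   # remap so the next access is unlinkable
        path = self._path(leaf)
        self.server_view.append(tuple(path))
        for node in path:                    # 1. read the whole path into the stash
            for bid, val in self.tree[node]:
                self.stash[bid] = val
            self.tree[node] = []
        old = self.stash.get(block)          # None if the block was never written
        if op == "write":
            self.stash[block] = value
        for node in path:                    # 2. write the path back, deepest node first
            bucket = []
            for bid in list(self.stash):
                if len(bucket) == self.Z:
                    break
                if node in self._path(self.pos[bid]):   # a block may sit anywhere on its own path
                    bucket.append((bid, self.stash.pop(bid)))
            self.tree[node] = bucket
        return old


def binary_search_trace(memory, key):
    """Plain RAM: binary search in a sorted array.  Returns (found, indices touched).
    The index trace is the memory access pattern, and it depends on `key`: this is the
    leak behind 'security demands that all of the data is touched'."""
    lo, hi, trace = 0, len(memory) - 1, []
    while lo <= hi:
        mid = (lo + hi) // 2
        trace.append(mid)
        if memory[mid] == key:
            return True, trace
        if memory[mid] < key:
            lo = mid + 1
        else:
            hi = mid - 1
    return False, trace


def build_oram(memory):
    """The one-time 'ORAM encode' step: every block is written once, so this touches every bit."""
    oram = PathORAM(len(memory))
    for i, v in enumerate(memory):
        oram.access("write", i, v)
    oram.server_view.clear()          # count only the per-query accesses from here on
    return oram


def oram_binary_search(oram, n, key):
    """Same search, with every read routed through the ORAM.  Still O(log n) reads, each
    costing one path of height + 1 buckets: sublinear in n once the ORAM is initialized."""
    lo, hi = 0, n - 1
    while lo <= hi:
        mid = (lo + hi) // 2
        v = oram.access("read", mid)
        if v == key:
            return True
        if v < key:
            lo = mid + 1
        else:
            hi = mid - 1
    return False


# Constructed sample "genetic database" y (sorted marker ids) for the demo.
DB = [3, 8, 15, 21, 34, 55, 89, 144]

if __name__ == "__main__":
    print("plain RAM trace for key 21 :", binary_search_trace(DB, 21)[1])   # depends on the key
    print("plain RAM trace for key 144:", binary_search_trace(DB, 144)[1])
    oram = build_oram(DB)
    oram_binary_search(oram, len(DB), 144)
    print("ORAM paths the server saw  :", oram.server_view)               # random paths only
```

Running the plain search for two different keys produces two different index traces, which is exactly what the memory holder must not learn; the ORAM version shows the server a sequence of uniformly random root-to-leaf paths whatever the key is, at the price of the initial pass over every block and a factor of height + 1 buckets per read.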

SLIDES 46-57

Garbled circuit framework [Yao86]

[Figure: a five-gate circuit on wires A-I. Input wires A, B, C, D; gate output wires E, F, G, H, I. Every wire w carries a pair of labels (w0, w1). The slide’s truth tables (rows written as “in1 in2 → out”) and the corresponding garbled tables:]

Gate E (inputs A, B):  00→0  01→1  10→0  11→0    EncA0,B0(E0)  EncA0,B1(E1)  EncA1,B0(E0)  EncA1,B1(E0)
Gate F (inputs A, B):  00→0  01→1  10→1  11→0    EncA0,B0(F0)  EncA0,B1(F1)  EncA1,B0(F1)  EncA1,B1(F0)
Gate G (inputs C, D):  00→0  01→1  10→0  11→0    EncC0,D0(G0)  EncC0,D1(G1)  EncC1,D0(G0)  EncC1,D1(G0)
Gate H (inputs F, G):  00→0  01→1  10→0  11→0    EncF0,G0(H0)  EncF0,G1(H1)  EncF1,G0(H0)  EncF1,G1(H0)
Gate I (inputs E, H):  00→0  01→1  10→1  11→1    EncE0,H0(I0)  EncE0,H1(I1)  EncE1,H0(I1)  EncE1,H1(I1)

Garbling a circuit:

▶ Pick random labels W0, W1 on each wire
▶ “Encrypt” truth table of each gate
▶ Garbled circuit ≡ all encrypted gates
▶ Garbled encoding ≡ one label per wire

Garbled evaluation:

▶ Only one ciphertext per gate is decryptable
▶ Result of decryption = value on outgoing wire

SLIDES 58-61

Garbled circuits for 2PC

[Figure: the party holding x garbles the circuit for f and sends it together with the wire labels for her own input x; the party holding y obtains the wire labels for his input y via OT (oblivious transfer), evaluates the garbled circuit, and the result is f(x, y).]

SLIDES 62-66

What can go wrong? (II)

[Figure: a corrupt party feeds “junk” into the CPU state or into the memory reply M[ℓ].]

Corrupt party can mess up computation by:

▶ Providing wrong (share of) CPU state
▶ Providing wrong memory contents

SLIDES 67-68

Our approach [AfsharHuMohasselR15]

Idea: represent state/memory [re]using garbled encodings!

Wire labels W0, W1:

▶ Privacy: Given Wb, can’t guess b
▶ Authenticity: Given Wb, can’t guess W1−b

Benefits:

▶ CPU next-instruction circuit doesn’t need to encrypt/decrypt (garbled encoding already hides the information)
▶ CPU next-instruction circuit doesn’t need to secret-share CPU state

SLIDES 69-75

Reusing garbled encodings

[Figure: a chain of garbled CPU circuits for steps t − 1, t, t + 1. Each circuit takes “state in” and “data in” and produces “state out”, a memory access ((read, addr) or (write, addr)) and “data out”. The state-out encoding of step t is the state-in encoding of step t + 1, and the data written at one step is read back, in the same encoding, at a later step.]

Must know ORAM access pattern to choose appropriate garbled encoding for next circuit. (Contrast with naively converting ORAM to circuit)

slide-76
SLIDE 76

Our approach [AfsharHuMohasselR15]

[Figure: memory M and CPU state, both in garbled encoding, enter a garbled CPU circuit that computes one CPU instruction, (state′, instr, M′[ℓ′]) ← CPU(state, M[ℓ]); the outputs M′ and state′ are the inputs of the next garbled CPU circuit.]

▶ Memory and state encoded with garbled encoding.

▶ Susie garbles circuit with input encoding matching previous output encoding

▶ Only valid input Calvin can provide is previous circuit’s output.

slide-81
SLIDE 81

Malicious garbler

[Figure: the garbled CPU circuit is supposed to compute a CPU instruction, but a malicious garbler can instead send some other circuit that computes some unauthorized info.]

Main challenge: malicious garbler generates invalid garbled circuits.

slide-83
SLIDE 83

cut and choose

[Figure: ten threads #1–#10, five marked (eval) and five marked (check); each thread is a sequence of garbled circuits GC for time steps t, t + 1, t + 2, …]

▶ establish many threads of computation

▶ receiver secretly sets each thread to “check” or “eval”

▶ sender generates garbled circuits, reusing wire labels within each thread

▶ check-threads: receiver gets both labels per wire ⇒ check correct behavior

▶ eval-threads: receiver gets one garbled encoding ⇒ learns only prescribed outputs
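The toy Python below is an added example, not code from the talk or from [AfsharHuMohasselR15]; it garbles a one-gate “CPU step” and chains steps so that step t’s input encoding is exactly step t − 1’s output encoding (the “Reusing garbled encodings” and “Our approach” slides), and it shows the two roles of the cut-and-choose slide: `evaluate_chain` is an eval-thread (one label per wire, and a label that did not come out of the previous step is rejected), `check_gate` is a check-thread (both labels per wire, so the evaluator can verify the table computes the claimed function). The hash-based one-time-pad garbling, the 16-byte labels, the XOR step function and all names are assumptions made for illustration.

```python
import hashlib, operator, os, random
LABEL_LEN = 16  # toy label size; a real scheme uses the security parameter

def new_wire():
    return (os.urandom(LABEL_LEN), os.urandom(LABEL_LEN))  # one random label per bit value

def _pad(lab_a, lab_b, gid):
    return hashlib.sha256(lab_a + lab_b + gid).digest()  # one-time pad from input labels + gate id

def garble_gate(func, w_a, w_b, w_out, gid):
    """Garbler (Susie): encrypt each output label under the matching pair of input labels."""
    rows = []
    for x in (0, 1):
        for y in (0, 1):
            plain = w_out[func(x, y)] + bytes(LABEL_LEN)  # output label || all-zero tag
            rows.append(bytes(p ^ q for p, q in zip(plain, _pad(w_a[x], w_b[y], gid))))
    random.shuffle(rows)  # hide which row belongs to which input pair
    return rows

def eval_gate(rows, lab_a, lab_b, gid):
    """Evaluator (Calvin): holds one label per input wire, so only the matching row decrypts."""
    pad = _pad(lab_a, lab_b, gid)
    for row in rows:
        plain = bytes(p ^ q for p, q in zip(row, pad))
        if plain[LABEL_LEN:] == bytes(LABEL_LEN):
            return plain[:LABEL_LEN]
    return None  # these labels are not a valid encoding of this gate's inputs

def check_gate(rows, func, w_a, w_b, w_out, gid):
    """Check-thread: with both labels of every wire, confirm the table really computes func."""
    return all(eval_gate(rows, w_a[x], w_b[y], gid) == w_out[func(x, y)]
               for x in (0, 1) for y in (0, 1))

def garble_chain(n_steps, state_wire):
    """Garbler: step t's state-input encoding is exactly step t-1's state-output encoding."""
    state_wires, steps = [state_wire], []
    for t in range(n_steps):
        data, out = new_wire(), new_wire()  # one data bit in, new state out (toy CPU step: XOR)
        steps.append((garble_gate(operator.xor, state_wires[-1], data, out, bytes([t])), data))
        state_wires.append(out)
    return state_wires, steps

def evaluate_chain(steps, state_label, data_bits):
    """Evaluator: each step's output label is fed straight into the next garbled step."""
    for t, ((rows, data), bit) in enumerate(zip(steps, data_bits)):
        state_label = eval_gate(rows, state_label, data[bit], bytes([t]))
        if state_label is None:
            return None  # a label that did not come out of the previous step is rejected
    return state_label
```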

slide-90
SLIDE 90

One-sided secrets

[Figure: Calvin holds the memory M.]

Setting:

▶ M is Calvin’s secret input; expensive ORAM initialization commits him to M

▶ Repeatedly run public ORAM program on M

▶ Example: M = user database; check for membership

In this case we can avoid cut & choose, avoid high interaction!

slide-92
SLIDE 92

Avoiding cut and choose [HuMohasselR15]

[Figure: message flow between Calvin (holding M) and Susie, in order: ORAM access pattern; small garbled circuit for f; commit to garbled output; open garbled circuit; open committed output.]

▶ Calvin knows all inputs, can run ORAM in his head

▶ Knowing ORAM access pattern, can convert to small circuit

▶ Calvin can evaluate garbled circuit

▶ Susie can open garbled circuit (no secrets to hide!)

▶ Calvin opens committed output knowing GC was correctly generated

slide-97
SLIDE 97

Conclusion

RAM-based 2PC can provide sublinear cost in amortized sense, using practical 2PC techniques

▶ [GKKKRV12] = general paradigm, semi-honest security

▶ [AHMR15] = malicious security

▶ [HMR15] = malicious security with one-sided secrets; no cut-and-choose, constant rounds

Challenges:

▶ Expensive pre-processing (ORAM initialization): communication & computation

▶ Applying pre-processing to multiple users?

▶ For which computations must we “touch every bit?”

thanks!