computation in cryptography
play

Computation in Cryptography Examples: Multiparty Computation (MPC) - PowerPoint PPT Presentation

Feb 15, 2024 •42 likes •382 views

Crypto for PRAM from iO ( via Succinct Garbled PRAM) Kai-Min Chung Academia Sinica, Taiwan Joint work with: Yu-Chi Chen, Sherman S.M. Chow, Russell W.F. Lai, Wei-Kai Lin, Hong-Sheng Zhou Computation in Cryptography Examples: Multiparty

  1. Crypto for PRAM from iO ( via Succinct Garbled PRAM) Kai-Min Chung Academia Sinica, Taiwan Joint work with: Yu-Chi Chen, Sherman S.M. Chow, Russell W.F. Lai, Wei-Kai Lin, Hong-Sheng Zhou

  2. Computation in Cryptography • Examples: – Multiparty Computation (MPC) – Non-interactive Zero Knowledge Proof (NIZK) – Fully Homomorphic Enc. (FHE) – Functional Encryption (FE) – Delegation with Persistent Database – Indistinguishability Obfuscation (iO) • Traditionally, modeled as circuits • Feasibility in more powerful computation model?

  3. Models of Computation • Circuits AND, OR, NOT gates Large description size Parallelizable • Turing Machines Small description size • RAM Machines Random data access • Parallel RAM … Random data access Parallelizable

  4. Efficiency Gap Problem Comp. Model Total Time Parallel Time Ω (n) Circuit Binary search (input size n) 𝑃 (log n) RAM 𝑃 (log n) Circuit Sorting Ω (nlog n) RAM Ω (n) 𝑃 (log n) Circuit Keyword search/ 𝑃 (mlog n) Ω (mlog n) RAM Range query (output size m) 𝑃 (mlog n) PRAM 𝑃 (log n)

  5. Parallel Model in Practice • Emerging frameworks to handle big data – MapReduce, GraphLab, Spark, etc. • Leverage massive parallelism & random data access – Circuit & RAM are not expressive enough • PRAM: clean & expressive model to capture efficiency (total & parallel time & space) of these frameworks

  6. Feasibility via Succinct Garbling Succinct Garbling for Model X [GHRW14,CHJV15, BGLPT15,KLW15] Functional Enc. iO NIZK Delegation MPC for X for X for X for X w/ for X Persistent DB

  7. Succinct Garbling for Model X Garb ( Π ) Π =(P,x) • Succinctness: Time( Garb( Π ) ) = poly(| Π |) • Eval Efficiency: Complexity in Model X of Eval( Garb( Π ) ) ≈ Eval( Π ) (up to polylog overhead) • Security: Π , Π ’ same complexity & output ⟹ ≈ Garb ( Π ) Garb ( Π ’ )

  8. Feasibility via Succinct Garbling iO for circuit + OWF [KLW15] Succinct Garbling for X = TM [GHRW14,CHJV15, BGLPT15,KLW15] Functional Enc. iO NIZK Delegation MPC for X for X for X for X w/ for X Persistent DB

  9. Our Contribution iO for circuit + OWF Succinct Garbling for X = PRAM [GHRW14,CHJV15, BGLPT15,KLW15] Functional Enc. iO NIZK Delegation MPC for X for X for X for X w/ for X Persistent DB

  10. Concurrent Work [CH16] iO for circuit + OWF Modular Proof Succinct Garbling for X = RAM [GHRW14,CHJV15, BGLPT15,KLW15] Functional Enc. iO NIZK Delegation MPC for X for X for X for X w/ for X Persistent DB

  11. Succinct Garbling for TM [KLW15]

  12. Abstraction of [KLW15] iO for circuit + OWF Authentication Step ST -Garbling Same-Trace Garbling for TM Hiding Step Succinct Garbling for TM

  13. Same-Trace Garbling for TM/RAM Computation Trace = Memory (initial-value), (st 1 , addr 1 , val 1 ), (st 2 , addr 2 , val 2 ), (st 3 , addr 3 , val 3 ), TM/CPU … Program P (st T-1 , addr T-1 , val T-1 ), (st T , addr T , val T ) • Security: Π , Π ’ same trace (so same inp/out, complexity) ⟹ ≈ Garb ( Π ) Garb ( Π ’ )

  14. Indistinguishability Obfuscation (iO) [BGI+12,GGH+13] • Scramble program to make it “unintelligible” 𝒫 (P) P • Maintain functionality: 𝒫 (P)(x) = P(x) ∀ x • Security: If P(x) = P’(x) ∀ x & same size ⟹ ≈ ≈ 𝒫 (P) 𝒫 (P’)

  15. Abstraction of [KLW15] iO for circuit + OWF Authentication ST-Garb(P, x) = (iO(P auth ), x auth ) Step Only generate comp. trace of P(x) ST -Garbling for TM Hiding Step Garb(P, x) = (ST-Garb(P hide , x hide )) Succinct Garbling Hide memory/CPU state content & for TM memory access pattern

  16. Authentication & Hiding in [KLW15] • Authentication step: ST-Garb(P, x) = (iO(P auth ), x auth ) – iO-friendly authentication primitives – Enable program switching step by step in hybrids P P P P P P … state 0 state 1 state 2 state T-2 state T-1 state T P’ P’ P’ P’ P’ P’

  17. Authentication & Hiding in [KLW15] • Authentication step: ST-Garb(P, x) = (iO(P auth ), x auth ) – iO-friendly authentication primitives – Enable program switching step by step in hybrids • Hiding step: Garb(P, x) = (ST-Garb(P hide , x hide )) – Hide content by encryption – Hide access pattern by Oblivious TM [PF79] – Allow erasing computation step by step in hybrids … ct dummy ct 0 ct dummy ct 1 ct dummy ct 2 ct dummy ct T-2 ct dummy ct T-1 ct dummy ct T

  18. Succinct Garbling for RAM

  19. Challenge: Hiding Access Pattern Garb(P, x) = (ST-Garb(P hide , x hide )) • Replace Oblivious TM by Oblivious RAM [GO96] • Issue: Cannot use ORAM security – ORAM is inherently randomized, security hold only when ORAM randomness is hidden • Idea: “Puncturing” ORAM

  20. Puncturing ORAM • Use tree-based ORAM [SLSC11] , which is “puncturable” – t-th step access pattern is determined by single randomness r t – if r t is punctured/erased from program, t-th step access pattern can be simulated by random • Puncturing r t – r t may appear multiple times (encrypted) in history – Carefully erase r t backward in time step by step • Modify program: “erase r t after step s ” for s = t, t- 1,…,0 … ct 0 ct 1 ct 2 ct T-2 ct T-1 ct T ct rT r T ct rT ct rT

  21. Puncturing ORAM • Use tree-based ORAM [SLSC11] , which is “puncturable” – t-th step access pattern is determined by single randomness r t – if r t is punctured/erased from program, t-th step access pattern can be simulated by random • Puncturing r t – r t may appear multiple times (encrypted) in history – Carefully erase r t backward in time step by step • Modify program: “erase r t after step s ” [CH16] : “2 tracks trick” w/ modular & simpler proof

  22. Succinct Garbling for PRAM

  23. Challenge: Authenticate Memory ST-Garb(P, x) = (iO(P auth ), x auth ) • Memory authenticated by “ Merkle tree” – root stored in CPU state – Locally updatable by given augment path • Issue: Parallel CPU ⟹ Parallel Update – Require CPU-to-CPU communication Memory … CPU 1 CPU 2 CPU m

  24. Challenge: Authenticate Memory ST-Garb(P, x) = (iO(P auth ), x auth ) • Memory authenticated by “ Merkle tree” – root stored in CPU state – Locally updatable by given augment path • Issue: Parallel CPU ⟹ Parallel Update – Require CPU-to-CPU communication • Issue: Cannot afford Ω (m) overhead in parallel time – Otherwise, void the gain of parallelism

  25. Parallel Update Problem addr 2 addr 3 addr 1 addr m addr 4 … aug-path 4 aug-path 3 aug-path 2

  26. Challenge: Authenticate Memory ST-Garb(P, x) = (iO(P auth ), x auth ) • Memory authenticated by “ Merkle tree” – root stored in CPU state – Locally updatable by given augment path • Issue: Parallel CPU ⟹ Parallel Update – Require CPU-to-CPU communication • Issue: cannot afford Ω (m) overhead in parallel time – Otherwise, void the gain of parallelism • O(log 2 m) -round parallel algorithm – Parallel update level-by-level from leaves to root

  27. Security Issue: High Pebble Complexity Put “ pebble ” on node to switch program P P P P P P … state 0 state 1 state 2 state T-2 state T-1 state T P’ P’ P’ P’ P’ P’ Put pebble on node require to hardwire input/output

  28. Security Issue: High Pebble Complexity Can use 2m pebbles to traverse graph, but not better ⇒ Need to hardwire Ω (m) information in P auth ⇒ poly(m) overhead … state 1 , 0 state 1,1 state 1,2 state 1,T-2 state 1,T-1 state 1,T … state 2 , 0 state 2,1 state 2,2 state 2,T-2 state 2,T-1 state 2,T … state 3 , 0 state 3,1 state 3,2 state 3,T-2 state 3,T-1 state 3,T … state 4 , 0 state 4,1 state 4,2 state 4,T-2 state 4,T-1 state 4,T

  29. Branch & Combine Emulation Change topology to reduce pebble complexity • Combine m CPU states to 1 combined state • Branch one step computation from it state 1,t state 1,t+1 int 1,t int 1,t+1 state 2,t state 2,t+1 … comb t comb t+1 comb t-1 state 3,t state 3,t+1 int 2,t int 2,t+1 state 4,t state 4,t+1

  30. Branch & Combine Emulation Change topology to reduce pebble complexity • Combine m CPU states to 1 combined state • Branch one step computation from it Claim: pebble complexity = O(log m) state 1,t state 1,t+1 int 1,t int 1,t+1 state 2,t state 2,t+1 … comb t comb t+1 comb t-1 state 3,t state 3,t+1 int 2,t int 2,t+1 state 4,t state 4,t+1

  31. Branch & Combine Emulation Change topology to reduce pebble complexity • Combine m CPU states to 1 combined state • Branch one step computation from it Claim: pebble complexity = O(log m) • Combine step – Build “ Merkle tree” on CPU states – Combined state = root • Branch step – Authentication & one step computation

  32. Hiding Step for PRAM Garb(P, x) = (ST-Garb(P hide , x hide )) • Replace ORAM by Oblivious PRAM [BCP16] – also puncturable

  33. Summary and Open Problems • Feasibility of crypto for PRAM based on iO via succinct garbled PRAM • Adaptive succinct garbled (Paralle) RAM with persistent memory (next talk) [ACC+15,CCHR15] • Open: FHE for RAM/PRAM? • Open: Crypto for PRAM without iO – ABE for RAM/PRAM based on LWE? • Other parallel model?

  34. Thank you! Questions? 34

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Cryptography, quantum computing, and evolutionary computation Thijs Laarhoven mail@thijs.com

Cryptography, quantum computing, and evolutionary computation Thijs Laarhoven mail@thijs.com

Cryptography, quantum computing, and evolutionary computation Thijs Laarhoven mail@thijs.com http://www.thijs.com/ CFMAI 2019, Bangkok, Thailand (December 13, 2019) Cryptography History Cryptography Classical cryptography Some operations

371 views • 36 slides
Maximalist Cryptography and Computation on the WISP UHF RFID Tag Hee-Jin Chae 1 , Daniel J. Yeager

Maximalist Cryptography and Computation on the WISP UHF RFID Tag Hee-Jin Chae 1 , Daniel J. Yeager

Maximalist Cryptography and Computation on the WISP UHF RFID Tag Hee-Jin Chae 1 , Daniel J. Yeager 2 , Joshua R. Smith 2 , and Kevin Fu 1 1 University of Massachusetts, Amherst, MA, USA, { chae, kevinfu } @cs.umass.edu 2 Intel Research Seattle,

381 views • 12 slides
Advanced Tools from Modern Cryptography Lecture 7 Secure 2-Party Computation: Yao s

Advanced Tools from Modern Cryptography Lecture 7 Secure 2-Party Computation: Yao s

Advanced Tools from Modern Cryptography Lecture 7 Secure 2-Party Computation: Yao s Garbled Circuit Recall MPC without Honest-Majority Plan (Still sticking with passive corruption): Two protocols, that are secure computationally The

449 views • 15 slides
Advanced Tools from Modern Cryptography Lecture 4 Secure Multi-Party Computation: Passive

Advanced Tools from Modern Cryptography Lecture 4 Secure Multi-Party Computation: Passive

Advanced Tools from Modern Cryptography Lecture 4 Secure Multi-Party Computation: Passive Corruption + Honest-Majority Must We Trust ? Can we have an auction without an auctioneer?! Declared winning bid should be correct Only the

497 views • 20 slides
Elliptic Curves, Cryptography and Computation Victor S. Miller IDA Center for Communications

Elliptic Curves, Cryptography and Computation Victor S. Miller IDA Center for Communications

Elliptic Curves, Cryptography and Computation Victor S. Miller IDA Center for Communications Research Princeton, NJ 08540 USA 18 Oct, 2010 Victor S. Miller (CCR) Elliptic Curve Cryptography 18 Oct, 2010 1 / 73 Victor S. Miller (CCR)

1.25k views • 73 slides
HOST Cryptography I ECE 525 Cryptography Handbook of Applied Cryptography &

HOST Cryptography I ECE 525 Cryptography Handbook of Applied Cryptography &

HOST Cryptography I ECE 525 Cryptography Handbook of Applied Cryptography & http://cseweb.ucsd.edu/users/mihir/cse207/ Brief History: Proliferation of computers and communication systems in 1960s brought with it a demand to protect

273 views • 24 slides
Secure Computation ORAM The Case of 3-Party Computation Stanislaw Jarecki, UC Irvine

Secure Computation ORAM The Case of 3-Party Computation Stanislaw Jarecki, UC Irvine

Secure Computation ORAM The Case of 3-Party Computation Stanislaw Jarecki, UC Irvine Cryptography in the RAM Model Workshop, Cambridge, MA, June 2016 AC15: Sky Faber, S.J. , Sotirios Kentros, Boyang Wei New Work: S.J. , Boyang Wei Secure

595 views • 23 slides
Theory of Computation Chapter 12: Cryptography Guan-Shieng Huang Dec. 20, 2006 0-0

Theory of Computation Chapter 12: Cryptography Guan-Shieng Huang Dec. 20, 2006 0-0

Theory of Computation Chapter 12: Cryptography Guan-Shieng Huang Dec. 20, 2006 0-0 Introduction Alice wants to communicate with Bob secretely. x Alice Bob John y=E ( e,x ) y Alice Bob y ??? John Assumption The encryption

580 views • 25 slides
Advanced Tools from Modern Cryptography Lecture 6 Secure Multi-Party Computation without

Advanced Tools from Modern Cryptography Lecture 6 Secure Multi-Party Computation without

Advanced Tools from Modern Cryptography Lecture 6 Secure Multi-Party Computation without Honest Majority: GMW Protocol MPC without Honest-Majority Plan (Still sticking with passive corruption): Two protocols, that are secure

465 views • 12 slides
Code Based Cryptography Colloquium at Eastern Kentucky University E. Mart nez-Moro i

Code Based Cryptography Colloquium at Eastern Kentucky University E. Mart nez-Moro i

Code Based Cryptography Colloquium at Eastern Kentucky University E. Mart nez-Moro i Acknowledgements Full papers: Two in Designs, Codes and Cryptography (also as preprints OWP 2012-01 at MFO) and one in Journal of Symbolic Computation.

1.14k views • 67 slides
Advanced Tools from Modern Cryptography Lecture 5 Secure Multi-Party Computation: Passive

Advanced Tools from Modern Cryptography Lecture 5 Secure Multi-Party Computation: Passive

Advanced Tools from Modern Cryptography Lecture 5 Secure Multi-Party Computation: Passive Corruption MPC: Honest-Majority + Passive-Corruption Can achieve information-theoretic security for any function Function should be given as an

573 views • 15 slides
2-party secure computation Problem: Two parties, Alice and Bob, with private inputs, a and b ,

2-party secure computation Problem: Two parties, Alice and Bob, with private inputs, a and b ,

1 International Conference on Practice and Theory of Public-Key Cryptography (PKC) 2020 Mon Z a: fast maliciously-secure 2-party computation on the ring 2 k Dario Catalano 1 , Mario Di Raimondo 1 , Dario Fiore 2 and Irene Giacomelli 3 1

504 views • 25 slides
Basic Cryptography Ge Zhang What is Cryptography Cryptography Cryptosystem: 5-tuple (M,

Basic Cryptography Ge Zhang What is Cryptography Cryptography Cryptosystem: 5-tuple (M,

Karlstad University Basic Cryptography Ge Zhang What is Cryptography Cryptography Cryptosystem: 5-tuple (M, C, E, D, K) M: the set of plaintexts C: the set of ciphertexts E: M x K -> C enciphering functions D: C x K

446 views • 40 slides
Intro to Cryptography Definitions Cryptography Cryptanalysis Cryptology CRYPTOGRAPHY

Intro to Cryptography Definitions Cryptography Cryptanalysis Cryptology CRYPTOGRAPHY

Intro to Cryptography Definitions Cryptography Cryptanalysis Cryptology CRYPTOGRAPHY Plaintext Cyphertext More definitions block cipher stream cipher hash function shared key public key digital signature

383 views • 16 slides
Symmetric Key Cryptography Introduction to Symmetric Key Cryptography What can we do?

Symmetric Key Cryptography Introduction to Symmetric Key Cryptography What can we do?

PQCRYPTO Summer School on Post-Quantum Cryptography 2017 Stefan Klbl June 20th, 2017 DTU Compute, Technical University of Denmark Symmetric Key Cryptography Introduction to Symmetric Key Cryptography What can we do? Authentication

711 views • 47 slides
Cryptography Concepts and Terminology Cryptography Concepts Cryptography Notation and

Cryptography Concepts and Terminology Cryptography Concepts Cryptography Notation and

Cryptography Cryptography Concepts and Terminology Security Concepts Cryptography Concepts and Terminology Cryptography Concepts Cryptography Notation and Terminology Cryptography School of Engineering and Technology CQUniversity

322 views • 11 slides
BART: Bayesian Additive Regression Trees Robert McCulloch McCombs School of Business University

BART: Bayesian Additive Regression Trees Robert McCulloch McCombs School of Business University

BART: Bayesian Additive Regression Trees Robert McCulloch McCombs School of Business University of Texas May 11, 2011 Joint with Hugh Chipman (Acadia University) Ed George (University of Pennsylvania) We want to fit the fundamental

427 views • 32 slides
Connections in tangent categories Geoff Cruttwell Mount Allison University (joint work with

Connections in tangent categories Geoff Cruttwell Mount Allison University (joint work with

Tangent categories Vector bundles Connections Conclusions Connections in tangent categories Geoff Cruttwell Mount Allison University (joint work with Robin Cockett) Union College Mathematics Conference Union College, October 20th, 2013

429 views • 30 slides
Computational Complexity of Bayesian Networks Johan Kwisthout and Cassio P . de Campos Radboud

Computational Complexity of Bayesian Networks Johan Kwisthout and Cassio P . de Campos Radboud

Computational Complexity of Bayesian Networks Johan Kwisthout and Cassio P . de Campos Radboud University Nijmegen / Queens University Belfast UAI, 2015 Complexity theory Many computations on Bayesian networks are NP-hard Meaning

839 views • 26 slides
n -dimensional manifold M with T := TM n -dimensional manifold M with T := TM T n -dimensional

n -dimensional manifold M with T := TM n -dimensional manifold M with T := TM T n -dimensional

n -dimensional manifold M with T := TM n -dimensional manifold M with T := TM T n -dimensional manifold M with T := TM T frame bundle GL ( R n , T ) is a principal GL ( n )-bundle n -dimensional manifold M with T := TM T + T frame bundle

1.34k views • 79 slides
Computer Graphics - Splines - Philipp Slusallek Curves Curve descriptions Explicit

Computer Graphics - Splines - Philipp Slusallek Curves Curve descriptions Explicit

Computer Graphics - Splines - Philipp Slusallek Curves Curve descriptions Explicit functions restricted domain (x [-1, 1]) y(x)= sqrt(r 2 - x 2 ), Implicit functions x 2 + y 2 = r 2 unknown solution set Parametric

931 views • 39 slides
Pre-ICANN69 GNSO Working Session 6 October 2020 | 1 Agenda 1 2 3 Review of All Rights

Pre-ICANN69 GNSO Working Session 6 October 2020 | 1 Agenda 1 2 3 Review of All Rights

Pre-ICANN69 GNSO Working Session 6 October 2020 | 1 Agenda 1 2 3 Review of All Rights Protection Mechanisms Welcome and GDS Update on Policy in All gTLDs PDP Introduction Implementation Presenters: RPM Presenter: Keith Drazek

756 views • 19 slides
Generalized diffeomorphisms acting on generalized metrics Roberto Rubio Research seminar on

Generalized diffeomorphisms acting on generalized metrics Roberto Rubio Research seminar on

Generalized diffeomorphisms acting on generalized metrics Roberto Rubio Research seminar on differential geometry 4th May 2020 Joint work with Carl Tipler The Lie group of automorphisms of a Courant algebroid and the moduli space of

611 views • 31 slides
A Coh{; hvou s of f i etol t tne and C*<QebvaS ou?o;d tahgca* frv {o, jv. eait'olls

A Coh{; hvou s of f i etol t tne and C*<QebvaS ou?o;d tahgca* frv {o, jv. eait'olls

A Coh{; hvou s of f i etol t tne and C*<QebvaS ou?o;d tahgca* frv {o, jv. eait'olls bovnolenJ W;tll E S.f'r&re I oi,n{ Wovk w;+ h ?. lVcst . anql floti vatiou' : A3g r -?to{ i< ps eade ol;ffaad{ i at T evatar s|

362 views • 14 slides

More recommend