Computation in Cryptography Examples: Multiparty Computation (MPC) - - PowerPoint PPT Presentation

computation in cryptography
SMART_READER_LITE
LIVE PREVIEW

Computation in Cryptography Examples: Multiparty Computation (MPC) - - PowerPoint PPT Presentation

Feb 15, 2024 42 likes •382 views

Crypto for PRAM from iO ( via Succinct Garbled PRAM) Kai-Min Chung Academia Sinica, Taiwan Joint work with: Yu-Chi Chen, Sherman S.M. Chow, Russell W.F. Lai, Wei-Kai Lin, Hong-Sheng Zhou Computation in Cryptography Examples: Multiparty

slide-1
SLIDE 1

Crypto for PRAM from iO (via Succinct Garbled PRAM)

Kai-Min Chung Academia Sinica, Taiwan

Joint work with: Yu-Chi Chen, Sherman S.M. Chow, Russell W.F. Lai, Wei-Kai Lin, Hong-Sheng Zhou

slide-2
SLIDE 2

Computation in Cryptography

  • Examples:

– Multiparty Computation (MPC) – Non-interactive Zero Knowledge Proof (NIZK) – Fully Homomorphic Enc. (FHE) – Functional Encryption (FE) – Delegation with Persistent Database – Indistinguishability Obfuscation (iO)

  • Traditionally, modeled as circuits
  • Feasibility in more powerful computation model?
slide-3
SLIDE 3

Models of Computation

  • Circuits
  • Turing Machines
  • RAM Machines
  • Parallel RAM

AND, OR, NOT gates …

Large description size Parallelizable Small description size Random data access Random data access Parallelizable

slide-4
SLIDE 4

Efficiency Gap

Problem

  • Comp. Model

Total Time Parallel Time

Binary search (input size n) Sorting Keyword search/ Range query (output size m) PRAM Circuit RAM Circuit RAM Circuit RAM Ω (n) 𝑃(log n) 𝑃(log n) Ω (nlog n) Ω (n) 𝑃(log n) 𝑃(mlog n) Ω(mlog n) 𝑃(mlog n) 𝑃(log n)

slide-5
SLIDE 5

Parallel Model in Practice

  • Emerging frameworks to handle big data

– MapReduce, GraphLab, Spark, etc.

  • Leverage massive parallelism & random data access

– Circuit & RAM are not expressive enough

  • PRAM: clean & expressive model to capture efficiency

(total & parallel time & space) of these frameworks

slide-6
SLIDE 6

Feasibility via Succinct Garbling

Succinct Garbling for Model X Delegation for X w/ Persistent DB Functional Enc. for X NIZK for X MPC for X iO for X

[GHRW14,CHJV15, BGLPT15,KLW15]

slide-7
SLIDE 7

Succinct Garbling for Model X

  • Succinctness: Time( Garb(Π) ) = poly(|Π|)
  • Eval Efficiency: Complexity in Model X of

Eval( Garb(Π) ) ≈ Eval(Π) (up to polylog overhead)

  • Security: Π, Π’ same complexity & output ⟹

Π=(P,x) Garb(Π) Garb(Π) Garb(Π’)

slide-8
SLIDE 8

Feasibility via Succinct Garbling

Succinct Garbling for X = TM Delegation for X w/ Persistent DB Functional Enc. for X NIZK for X MPC for X iO for X

[GHRW14,CHJV15, BGLPT15,KLW15]

iO for circuit + OWF

[KLW15]

slide-9
SLIDE 9

Our Contribution

Succinct Garbling for X = PRAM Delegation for X w/ Persistent DB Functional Enc. for X NIZK for X MPC for X iO for X

[GHRW14,CHJV15, BGLPT15,KLW15]

iO for circuit + OWF

slide-10
SLIDE 10

Concurrent Work [CH16]

Succinct Garbling for X = RAM Delegation for X w/ Persistent DB Functional Enc. for X NIZK for X MPC for X iO for X

[GHRW14,CHJV15, BGLPT15,KLW15]

iO for circuit + OWF

Modular Proof

slide-11
SLIDE 11

Succinct Garbling for TM [KLW15]

slide-12
SLIDE 12

Abstraction of [KLW15]

ST

  • Garbling

for TM iO for circuit + OWF Succinct Garbling for TM

Authentication Step Hiding Step

Same-Trace Garbling

slide-13
SLIDE 13

Same-Trace Garbling for TM/RAM

Garb(Π) Garb(Π’)

  • Security: Π, Π’ same trace (so same inp/out, complexity) ⟹

TM/CPU Program P Memory

Computation Trace =

(initial-value), (st1, addr1, val1), (st2, addr2, val2), (st3, addr3, val3), … (stT-1, addrT-1, valT-1), (stT, addrT, valT)

slide-14
SLIDE 14

Indistinguishability Obfuscation (iO)

  • Scramble program to make it “unintelligible”
  • Maintain functionality: 𝒫(P)(x) = P(x) ∀ x
  • Security: If P(x) = P’(x) ∀ x & same size ⟹

P 𝒫(P)

[BGI+12,GGH+13]

𝒫(P’) 𝒫(P)

≈ ≈

slide-15
SLIDE 15

Abstraction of [KLW15]

ST

  • Garbling

for TM iO for circuit + OWF Succinct Garbling for TM

Authentication Step Hiding Step

ST-Garb(P, x) = (iO(Pauth), xauth) Garb(P, x) = (ST-Garb(Phide, xhide))

Only generate comp. trace of P(x) Hide memory/CPU state content & memory access pattern

slide-16
SLIDE 16

Authentication & Hiding in [KLW15]

  • Authentication step: ST-Garb(P, x) = (iO(Pauth), xauth)

– iO-friendly authentication primitives – Enable program switching step by step in hybrids

state0 state1 state2 stateT-2 stateT-1 stateT

P P P P P P P’ P’ P’ P’ P’ P’

slide-17
SLIDE 17

Authentication & Hiding in [KLW15]

  • Authentication step: ST-Garb(P, x) = (iO(Pauth), xauth)

– iO-friendly authentication primitives – Enable program switching step by step in hybrids

  • Hiding step: Garb(P, x) = (ST-Garb(Phide, xhide))

– Hide content by encryption – Hide access pattern by Oblivious TM [PF79] – Allow erasing computation step by step in hybrids

ct0 ct1 ct2 ctT-2 ctT-1 ctT

ctdummy ctdummy ctdummy ctdummy ctdummy ctdummy

slide-18
SLIDE 18

Succinct Garbling for RAM

slide-19
SLIDE 19

Challenge: Hiding Access Pattern

  • Replace Oblivious TM by Oblivious RAM [GO96]
  • Issue: Cannot use ORAM security

– ORAM is inherently randomized, security hold only when ORAM randomness is hidden

  • Idea: “Puncturing” ORAM

Garb(P, x) = (ST-Garb(Phide, xhide))

slide-20
SLIDE 20

Puncturing ORAM

  • Use tree-based ORAM [SLSC11], which is “puncturable”

– t-th step access pattern is determined by single randomness rt – if rt is punctured/erased from program, t-th step access pattern can be simulated by random

  • Puncturing rt

– rt may appear multiple times (encrypted) in history – Carefully erase rt backward in time step by step

  • Modify program: “erase rt after step s” for s = t, t-1,…,0

ct0 ct1 ct2 ctT-2 ctT-1 ctT

rT ctrT ctrT ctrT

slide-21
SLIDE 21

Puncturing ORAM

  • Use tree-based ORAM [SLSC11], which is “puncturable”

– t-th step access pattern is determined by single randomness rt – if rt is punctured/erased from program, t-th step access pattern can be simulated by random

  • Puncturing rt

– rt may appear multiple times (encrypted) in history – Carefully erase rt backward in time step by step

  • Modify program: “erase rt after step s”

[CH16]: “2 tracks trick” w/ modular & simpler proof

slide-22
SLIDE 22

Succinct Garbling for PRAM

slide-23
SLIDE 23

Challenge: Authenticate Memory

  • Memory authenticated by “Merkle tree”

– root stored in CPU state – Locally updatable by given augment path

  • Issue: Parallel CPU ⟹ Parallel Update

– Require CPU-to-CPU communication

CPU1 Memory CPU2 CPUm

ST-Garb(P, x) = (iO(Pauth), xauth)

slide-24
SLIDE 24

Challenge: Authenticate Memory

  • Memory authenticated by “Merkle tree”

– root stored in CPU state – Locally updatable by given augment path

  • Issue: Parallel CPU ⟹ Parallel Update

– Require CPU-to-CPU communication

  • Issue: Cannot afford Ω(m) overhead in parallel time

– Otherwise, void the gain of parallelism

ST-Garb(P, x) = (iO(Pauth), xauth)

slide-25
SLIDE 25

Parallel Update Problem

addr2 addr3 addr1addrm addr4 aug-path2 aug-path3 aug-path4

slide-26
SLIDE 26

Challenge: Authenticate Memory

  • Memory authenticated by “Merkle tree”

– root stored in CPU state – Locally updatable by given augment path

  • Issue: Parallel CPU ⟹ Parallel Update

– Require CPU-to-CPU communication

  • Issue: cannot afford Ω(m) overhead in parallel time

– Otherwise, void the gain of parallelism

  • O(log2m) -round parallel algorithm

– Parallel update level-by-level from leaves to root

ST-Garb(P, x) = (iO(Pauth), xauth)

slide-27
SLIDE 27

Security Issue: High Pebble Complexity

state0 state1 state2 stateT-2 stateT-1 stateT

P P P P P P P’ P’ P’ P’ P’ P’

Put pebble on node require to hardwire input/output Put “pebble” on node to switch program

slide-28
SLIDE 28

Security Issue: High Pebble Complexity

state1,0 state1,1 state1,2 state1,T-2 state1,T-1 state1,T

state2,0 state2,1 state2,2 state2,T-2 state2,T-1 state2,T

state3,0 state3,1 state3,2 state3,T-2 state3,T-1 state3,T

state4,0 state4,1 state4,2 state4,T-2 state4,T-1 state4,T

Can use 2m pebbles to traverse graph, but not better ⇒ Need to hardwire Ω(m) information in Pauth ⇒ poly(m) overhead

slide-29
SLIDE 29

Branch & Combine Emulation

combt-1 state1,t state2,t state3,t state4,t int2,t int1,t combt state1,t+1 state2,t+1 state3,t+1 state4,t+1 int2,t+1 int1,t+1 combt+1

Change topology to reduce pebble complexity

  • Combine m CPU states to 1 combined state
  • Branch one step computation from it

slide-30
SLIDE 30

Branch & Combine Emulation

combt-1 state1,t state2,t state3,t state4,t int2,t int1,t combt state1,t+1 state2,t+1 state3,t+1 state4,t+1 int2,t+1 int1,t+1 combt+1

Change topology to reduce pebble complexity

  • Combine m CPU states to 1 combined state
  • Branch one step computation from it

Claim: pebble complexity = O(log m)

slide-31
SLIDE 31

Branch & Combine Emulation

Change topology to reduce pebble complexity

  • Combine m CPU states to 1 combined state
  • Branch one step computation from it

Claim: pebble complexity = O(log m)

  • Combine step

– Build “Merkle tree” on CPU states – Combined state = root

  • Branch step

– Authentication & one step computation

slide-32
SLIDE 32

Hiding Step for PRAM

  • Replace ORAM by Oblivious PRAM [BCP16]

– also puncturable

Garb(P, x) = (ST-Garb(Phide, xhide))

slide-33
SLIDE 33

Summary and Open Problems

  • Feasibility of crypto for PRAM based on iO via

succinct garbled PRAM

  • Adaptive succinct garbled (Paralle) RAM with

persistent memory (next talk) [ACC+15,CCHR15]

  • Open: FHE for RAM/PRAM?
  • Open: Crypto for PRAM without iO

– ABE for RAM/PRAM based on LWE?

  • Other parallel model?
slide-34
SLIDE 34

Thank you! Questions?

34