New Advances in Secure RAM Computation Sanjam Garg University of California, Berkeley Based on joint works with Steve Lu, Payman Mohassel, Charalampos Papamanthou, Rafail Ostrovsky and Alessandra Scafuro
Yaoβs garbled circuits Server User π· π· π·(π¦) π¦ π¦
RAM analogue of Garbled circuits Server User π, π¦ π, π¦ π(π¦) If the running time of the program π is π then the corresponding circuit is of size π 3 . Communication complexity and computational complexity of both parties grows with π 3 .
More Ambitious: Garbled RAM [LO13,GHLORW14] Server User π π , π¦ π π π (π¦ π ) π π , π¦ π Garbled circuits lead to a solution where the β’ Size of garbled database is π πΈ communication and computational cost per π β’ Communication and computation cost grows in π π program grows with database size.
More Ambitious: Garbled RAM [LO13,GHLORW14] Server User π π , π¦ π π π (π¦ π ) π π , π¦ π ORAM [Goldreich-Ostrovsky] β’ Full-security: Server learns nothing but the output Garbled circuits lead to a solution where the β’ Unprotected Memory Access (UMA): Server learns communication and computational cost per access pattern. program grows with database size.
Putting in context β Secure Computation β’ Traditional protocols β have large round complexity β’ Linear in running time [OS97, GKKKMR12 β¦] β’ Seeking an analogue of Yaoβs garbled circuits β’ Non-interactive
Landscape: Garbled RAM β’ Heuristic construction from OWFs [LO13] β’ Circularity Issue β’ Fixed using IBE [GHLORS14] β’ Construction from OWFs [GLOS15] β’ Using only black-box use of OWFs[GLO15] β’ OWF canβt be modeled as a random oracle β’ Not talk about succinct constructions based on iO [CHJV14, BGT14, LP14, KLW15, CH15, CCCLLZ15...]
Outline of the rest of the talk β’ RAM model β’ LO13 approach β’ Technical bottleneck in realizing black-box construction β’ High level idea of black-box construction [GLO15] β’ Extensions [GMP15,GM15,GGMP15,GP15]
RAM Model next next next read 2 read 1 index read 3 index index CPU CPU CPU step 2 step 1 step 3 Writes require additional work but letβs ignore that!
LO13 approach next next next read 2 read 1 index read 3 index index CPU CPU CPU step 2 step 1 step 3 Use garbled circuits!
LO13 approach next next next read 2 read 1 index read 3 index index CPU CPU CPU step 2 step 1 step 3 1) Somehow encrypt memory How do reads work? 2) translate table Access pattern is revealed!
LO13 approach STEP 1: garbling/encrypting of the memory π π π πππΊ πΏ (π, π π ) next next next read 2 read 1 index read 3 index index CPU CPU CPU step 2 step 1 step 3 ο PRF key K to garble
LO13 approach STEP 2: translate table π π π πππΊ πΏ (π, π π ) π next next next read 2 read 1 index read 3 index index π‘ 0 , π‘ 1 CPU CPU CPU step 2 step 1 step 3 K K K πΉππ(πππΊ πΏ π, 0 , π‘ 0 ) ο PRF key K to garble πΉππ(πππΊ πΏ π, 1 , π‘ 1 )
Technical Bottleneck in Black-Box β’ The data needs to be encrypted so that the server doesnβt learn it! β’ CPU step garbled circuits need to decrypt the read values internally β’ Need of black-box use of cryptography seems inherent
GLO15 high level idea β’ Garbled memory comprises of a collection of garbled circuits with data values hardwired in them β’ Read implemented by a sub-routine call β’ Control flow is passed to memory circuits
GLO15 β for one read only π, π‘ 0 , π‘ 1 π 1 π 2 β¦β¦β¦
GLO15 β for one read only Say π = 2 π, π‘ 0 , π‘ 1 Memory no longer useful! π 1 π 2 β¦β¦β¦ Outputs π‘ π 2
GLO15 β for π reads only Say π = 2 π, π‘ 0 , π‘ 1 β¦β¦β¦ β¦β¦β¦ β¦β¦β¦ How many Assume uniform backups? How memory accesses. do we connect them? π 1 π 2 β¦β¦β¦ β¦β¦β¦ β¦β¦β¦ Outputs π‘ π 2
Conclusion and Open Problems β’ Secure Computation for RAM programs Round Efficient And Black Box β’ Important for crypto for big data β’ Theoretically practical secure computation.
Thanks!
Recommend
More recommend
