Exploring Garbled RAM Techniques for Secure Computation

garbled ram revisited n.w
1 / 29
Embed
Share

Dive into the world of Garbled RAM, a secure computation technique pioneered by Daniel Wichs and his team at Northeastern University. Discover how Garbled RAM offers efficient and secure ways to process data while protecting sensitive information from unauthorized access. Learn about the goals, definitions, and security aspects of Garbled RAM, as well as the nuances between weak and full security models.

  • Secure Computation
  • Garbled RAM
  • Data Security
  • Cryptography
  • Computer Science
rayaanacharya
peri_ob Follow

Uploaded on | 0 Views

Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

You are allowed to download the files provided on this website for personal or commercial use, subject to the condition that they are used lawfully. All files are the property of their respective owners.

Download Presentation

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author.

E N D

Presentation Transcript

  1. Garbled RAM, Revisited Daniel Wichs (Northeastern University) Joint work with: Craig Gentry, Shai Halevi, Seteve Lu, Rafail Ostrovsky, Mariana Raykova

  2. Goals of Garbled RAM An analogue of Yao garbled circuits [Yao82] that directly garbles Random Access Machines (RAM). Avoid efficiency loss of converting a RAM to a circuit. Google search vs. reading the Internet. First proposed/constructed by [Lu-Ostrovsky 13]. Proof of security contains subtle flaw (circularity problem). This works: new constructions with provable security.

  3. Garbled RAM Definition GData ?,? ? GProg ?,? ? GInput(?, ?) ? Client secret: k Server Eval l ?( ?, ?) ?

  4. Garbled RAM Definition GData ?,? ? GProg ??,?,? ?? GInput(??, ?,?) ?? O(run-time) Client secret: k Server Eval l ?( ??, ??) ?? O(run-time) (even data access pattern is hidden!) Security: server only learns ?1,?2,

  5. Weak vs. Full Security Weak security:May reveal data ?, and data-access pattern of computations. Locations of memory accessed in each step. Values read and written to memory. Compiler: weak full security: Use oblivious RAM [GO96, ] to encode/access memory.

  6. Overview of [Lu-Ostrovsky 13] For now, read-only computation.

  7. Memory Data D= ?[2] ?[1] ?[3] Read location: i read bit CPU Step 1 CPU Step 2 state state

  8. Memory Data D= ?[2] ?[1] ?[3] GProg: Read location: i read bit GInp CPU Step 1 CPU Step 2 garbled circuit state state garbled circuit garbled garbled

  9. GData: ??2,?[2] ??1,?[1] ??3,?[3] ??( ) is a PRF GProg: Read location: i read bit GInp CPU Step 1 CPU Step 2 garbled circuit state state garbled circuit garbled garbled

  10. GData: ??2,?[2] ??1,?[1] ??3,?[3] ??( ) is a PRF Read location: i ?0= ??? (???,0 , ?????0), ?1= ??? (???,1 , ?????1) GProg: read bit GInp CPU Step 1 CPU Step 2 garbled circuit state state garbled circuit PRF Key: k PRF Key: k garbled garbled

  11. Lets try to prove security Read location: i ?0= ??? (???,0 , ?????0), ?1= ??? (???,1 , ?????1) read bit CPU Step 1 CPU Step 2 garbled circuit state state garbled circuit PRF Key: k PRF Key: k garbled garbled

  12. Use security of 1st garbled circuit only learn output ?0= ??? (???,0 , ?????0) ?1= ??? (???,1 , ?????1) read bit CPU Step 2 garbled circuit state labels garbled state PRF Key: k

  13. Use security of 1st garbled circuit only learn output (assume D[i]=1) ?0= ??? (???,0 , ?????0) read bit ?????1 CPU Step 2 garbled circuit state labels garbled state PRF Key: k

  14. Use security of 2nd garbled circuit don t learn PRF key k don t learn ?????0 for read bit Use security of Encryption/PRF ?0= ??? (???,0 , ?????0) read bit ?????1 CPU Step 2 garbled circuit state labels garbled state PRF Key: k

  15. Circularity* Problem! * May appear rectangular

  16. So is it secure? Perhaps, but No proof. No simple circularity assumption on one primitive.

  17. Can we fix it? Yes! Fix 1 : Using identity-based encryption (IBE). Fix 2 : Only use one-way functions. Bigger overhead.

  18. The Fix Public-key instead of symmetric-key encryption. Garbled circuits have hard-coded public key. Break circularity: security of ciphertexts holds even given public-key hard-coded in all garbled circuits. Caveat: need identity-based encryption (IBE) Original solution used Sym-key IBE .

  19. Secret keys for identities (?,? ? ) Garbled Memory ??2,?[2] ??1,?[1] ??3,?[3] Encrypt to identities (i,0) and (i,1) Read location: i ?0= ??? (???,0 , ?????0), ?1= ??? (???,1 , ?????1) read bit CPU Step 1 CPU Step 2 state state Master SK PRF Key: k PRF Key: k

  20. Secret keys for identities (?,? ? ) Garbled Memory ??(1,? 1 ) ??(2,? 2 ) ??(3,? 3 ) Encrypt to identities (i,0) and (i,1) Read location: i ?0= ??????( ?,0 , ?????0) ?1= ??????( ?,1 , ?????1) read bit CPU Step 1 CPU Step 2 state state MPK MPK Master PK

  21. How to allow writes? Compiler Predictably-Timed Writes: Whenever read location i, know its last-write-time u. Any Program Write location j, bit b Read location i read bit CPU Step 1 CPU Step 2 state state

  22. How to allow writes? Garbled memory = { ???? : ?? = (?,?,?)} i = location. j = last-write time of location i. b = bit in location i written in step j. To read location i, need to know last-write time j. Encrypt labels to identities (?,?,0) and (?,?,1) To write location i, at time j Create secret key for ?? = (?,?,?). Need master secret key. Reintroduces circulairty!

  23. How to allow writes? Idea: CPU step j can create secret key for any ID = (j, *,*) but cannot decrypt for identities j < j. Prevents circularity: Ciphertext created by CPU step j maintain semantic security even given secrets contained in all future CPU steps. Need restricted MSK for time-period j. Use hierarchical IBE. By being more careful, can use any IBE.

  24. Timed IBE (TIBE): restricted notion of HIBE.

  25. Timed IBE (TIBE): restricted notion of HIBE. Time-period key ???? can be used to create a single identity secret key for any identity ID = (j, *). Semantic security holds for all other j. Can construct TIBE from any IBE. (see paper) ??? ????=1 ????=3 ????=2 ??(1,????) ??(2,????) ??(3,????)

  26. Garbled Memory initially all keys have time j=0 Invariant: always have ??(?,?,?) where j=last-write-time(i), and b is latest bit. ??(0,1,? 1 ) ??(0,2,? 2 ) ??(0,3,? 3 ) read bit CPU Step 1 CPU Step 2 state state Step j has ???? ???,???2 ???,???1

  27. Garbled Memory ??(0,1,? 1 ) ??(0,2,? 2 ) ??(0,3,? 3 ) u < cur step: semantic security for ?? holds given future ???? Write: i , bit b Read: i, (last-write time: u) ?0= ??????( ?,?,0 , ?????0) ?1= ??????( ?,?,1 , ?????1) ??(?=1,? ,?) read bit CPU Step 1 CPU Step 2 state state ???,???2 ???,???1

  28. Theorem: Assuming Identity Based Encryption (IBE), For any RAM program w. run-time T , data of size N Garbled memory-data is of size: ?(?). Garbled program size, creation/evaluation-time: ? ? ??????? ? . Theorem: Assuming one-way functions, For any constant ? > 0: Garbled memory-data is of size: ?(?). Garbled program size, creation/evaluation-time: ? ? ??.

  29. Thank You!

Related


No related presentations.

More Related Content