Understanding Garbled RAM: A Deep Dive into Secure Computation

Slide Note
Embed
Share

Delve into the world of Garbled RAM, a groundbreaking concept that enables secure computation without efficiency loss. Explore the goals, definitions, security aspects, and the distinction between weak and full security. Discover how Garbled RAM ensures data privacy and hides access patterns, providing novel constructions with provable security.

ben_mar
ben_mar Follow

Uploaded on Oct 10, 2024 | 0 Views

Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. Download presentation by click this link. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

E N D

Presentation Transcript

  1. Garbled RAM, Revisited Daniel Wichs (Northeastern University) Joint work with: Craig Gentry, Shai Halevi, Seteve Lu, Rafail Ostrovsky, Mariana Raykova

  2. Goals of Garbled RAM An analogue of Yao garbled circuits [Yao82] that directly garbles Random Access Machines (RAM). Avoid efficiency loss of converting a RAM to a circuit. Google search vs. reading the Internet. First proposed/constructed by [Lu-Ostrovsky 13]. Proof of security contains subtle flaw (circularity problem). This works: new constructions with provable security.

  3. Garbled RAM Definition GData ?,? ? GProg ?,? ? GInput(?, ?) ? Client secret: k Server Eval l ?( ?, ?) ?

  4. Garbled RAM Definition GData ?,? ? GProg ??,?,? ?? GInput(??, ?,?) ?? O(run-time) Client secret: k Server Eval l ?( ??, ??) ?? O(run-time) (even data access pattern is hidden!) Security: server only learns ?1,?2,

  5. Weak vs. Full Security Weak security:May reveal data ?, and data-access pattern of computations. Locations of memory accessed in each step. Values read and written to memory. Compiler: weak full security: Use oblivious RAM [GO96, ] to encode/access memory.

  6. Overview of [Lu-Ostrovsky 13] For now, read-only computation.

  7. Memory Data D= ?[2] ?[1] ?[3] Read location: i read bit CPU Step 1 CPU Step 2 state state

  8. Memory Data D= ?[2] ?[1] ?[3] GProg: Read location: i read bit GInp CPU Step 1 CPU Step 2 garbled circuit state state garbled circuit garbled garbled

  9. GData: ??2,?[2] ??1,?[1] ??3,?[3] ??( ) is a PRF GProg: Read location: i read bit GInp CPU Step 1 CPU Step 2 garbled circuit state state garbled circuit garbled garbled

  10. GData: ??2,?[2] ??1,?[1] ??3,?[3] ??( ) is a PRF Read location: i ?0= ??? (???,0 , ?????0), ?1= ??? (???,1 , ?????1) GProg: read bit GInp CPU Step 1 CPU Step 2 garbled circuit state state garbled circuit PRF Key: k PRF Key: k garbled garbled

  11. Lets try to prove security Read location: i ?0= ??? (???,0 , ?????0), ?1= ??? (???,1 , ?????1) read bit CPU Step 1 CPU Step 2 garbled circuit state state garbled circuit PRF Key: k PRF Key: k garbled garbled

  12. Use security of 1st garbled circuit only learn output ?0= ??? (???,0 , ?????0) ?1= ??? (???,1 , ?????1) read bit CPU Step 2 garbled circuit state labels garbled state PRF Key: k

  13. Use security of 1st garbled circuit only learn output (assume D[i]=1) ?0= ??? (???,0 , ?????0) read bit ?????1 CPU Step 2 garbled circuit state labels garbled state PRF Key: k

  14. Use security of 2nd garbled circuit don t learn PRF key k don t learn ?????0 for read bit Use security of Encryption/PRF ?0= ??? (???,0 , ?????0) read bit ?????1 CPU Step 2 garbled circuit state labels garbled state PRF Key: k

  15. Circularity* Problem! * May appear rectangular

  16. So is it secure? Perhaps, but No proof. No simple circularity assumption on one primitive.

  17. Can we fix it? Yes! Fix 1 : Using identity-based encryption (IBE). Fix 2 : Only use one-way functions. Bigger overhead.

  18. The Fix Public-key instead of symmetric-key encryption. Garbled circuits have hard-coded public key. Break circularity: security of ciphertexts holds even given public-key hard-coded in all garbled circuits. Caveat: need identity-based encryption (IBE) Original solution used Sym-key IBE .

  19. Secret keys for identities (?,? ? ) Garbled Memory ??2,?[2] ??1,?[1] ??3,?[3] Encrypt to identities (i,0) and (i,1) Read location: i ?0= ??? (???,0 , ?????0), ?1= ??? (???,1 , ?????1) read bit CPU Step 1 CPU Step 2 state state Master SK PRF Key: k PRF Key: k

  20. Secret keys for identities (?,? ? ) Garbled Memory ??(1,? 1 ) ??(2,? 2 ) ??(3,? 3 ) Encrypt to identities (i,0) and (i,1) Read location: i ?0= ??????( ?,0 , ?????0) ?1= ??????( ?,1 , ?????1) read bit CPU Step 1 CPU Step 2 state state MPK MPK Master PK

  21. How to allow writes? Compiler Predictably-Timed Writes: Whenever read location i, know its last-write-time u. Any Program Write location j, bit b Read location i read bit CPU Step 1 CPU Step 2 state state

  22. How to allow writes? Garbled memory = { ???? : ?? = (?,?,?)} i = location. j = last-write time of location i. b = bit in location i written in step j. To read location i, need to know last-write time j. Encrypt labels to identities (?,?,0) and (?,?,1) To write location i, at time j Create secret key for ?? = (?,?,?). Need master secret key. Reintroduces circulairty!

  23. How to allow writes? Idea: CPU step j can create secret key for any ID = (j, *,*) but cannot decrypt for identities j < j. Prevents circularity: Ciphertext created by CPU step j maintain semantic security even given secrets contained in all future CPU steps. Need restricted MSK for time-period j. Use hierarchical IBE. By being more careful, can use any IBE.

  24. Timed IBE (TIBE): restricted notion of HIBE.

  25. Timed IBE (TIBE): restricted notion of HIBE. Time-period key ???? can be used to create a single identity secret key for any identity ID = (j, *). Semantic security holds for all other j. Can construct TIBE from any IBE. (see paper) ??? ????=1 ????=3 ????=2 ??(1,????) ??(2,????) ??(3,????)

  26. Garbled Memory initially all keys have time j=0 Invariant: always have ??(?,?,?) where j=last-write-time(i), and b is latest bit. ??(0,1,? 1 ) ??(0,2,? 2 ) ??(0,3,? 3 ) read bit CPU Step 1 CPU Step 2 state state Step j has ???? ???,???2 ???,???1

  27. Garbled Memory ??(0,1,? 1 ) ??(0,2,? 2 ) ??(0,3,? 3 ) u < cur step: semantic security for ?? holds given future ???? Write: i , bit b Read: i, (last-write time: u) ?0= ??????( ?,?,0 , ?????0) ?1= ??????( ?,?,1 , ?????1) ??(?=1,? ,?) read bit CPU Step 1 CPU Step 2 state state ???,???2 ???,???1

  28. Theorem: Assuming Identity Based Encryption (IBE), For any RAM program w. run-time T , data of size N Garbled memory-data is of size: ?(?). Garbled program size, creation/evaluation-time: ? ? ??????? ? . Theorem: Assuming one-way functions, For any constant ? > 0: Garbled memory-data is of size: ?(?). Garbled program size, creation/evaluation-time: ? ? ??.

  29. Thank You!

Related


Exploring Garbled RAM and Secure Computation

Exploring Garbled RAM and Secure Computation

ans_ja
Secure Computation Techniques in RAM Models with Efficient Automation

Secure Computation Techniques in RAM Models with Efficient Automation

terence
Advances in Authenticated Garbling for Secure 2PC

Advances in Authenticated Garbling for Secure 2PC

cmelo
Secure Computation Lecture Recap and Solutions

Secure Computation Lecture Recap and Solutions

she_cha
ACE RAM Workshop - Barcelona 2019: Reliability and Maintenance Concepts

ACE RAM Workshop - Barcelona 2019: Reliability and Maintenance Concepts

mal_lac
Ram Temple In Ayodhya: Interesting Facts

Ram Temple In Ayodhya: Interesting Facts

kaylani
Actively Secure Arithmetic Computation and VOLE Study

Actively Secure Arithmetic Computation and VOLE Study

cayal
Towards Practical Generic Zero-Knowledge Protocols

Towards Practical Generic Zero-Knowledge Protocols

bonn_ne
Covert Computation: Ensuring Undetectable Engagement

Covert Computation: Ensuring Undetectable Engagement

zazueta_n
Fides: A System for Verifiable Computation Using Smart Contracts

Fides: A System for Verifiable Computation Using Smart Contracts

isen_17
Insights into Secure Computation with Minimal Interaction

Insights into Secure Computation with Minimal Interaction

smars
Advancements in Active Secure Multiparty Computation (MPC)

Advancements in Active Secure Multiparty Computation (MPC)

dulcie
Exploring Secure Computation in the Age of Information

Exploring Secure Computation in the Age of Information

kha_va
Secure Two-Party Computation and Basic Secret-Sharing Concepts

Secure Two-Party Computation and Basic Secret-Sharing Concepts

pjiv
Linear Communication in Secure Multiparty Computation for Efficient and Fast Processing

Linear Communication in Secure Multiparty Computation for Efficient and Fast Processing

emer_2
Secure Computation Challenges and Solutions in Data Mining

Secure Computation Challenges and Solutions in Data Mining

jalaiahr
Insights into Hanuman Jayanti: Celebrations, Virtues, and More

Insights into Hanuman Jayanti: Celebrations, Virtues, and More

rosalee
Enhanced Security in Multiparty Computation

Enhanced Security in Multiparty Computation

rocky
Foundations of Cryptography: Secure Multiparty Computation

Foundations of Cryptography: Secure Multiparty Computation

kinnison_c
Secure Multiparty Computation for Department of Education Data Sharing

Secure Multiparty Computation for Department of Education Data Sharing

inayah
Role of ROTARIANS AGAINST MALARIA (RAM) in Malaria Control in Papua New Guinea

Role of ROTARIANS AGAINST MALARIA (RAM) in Malaria Control in Papua New Guinea

enrique
Insights on Ram Navami: Teachings from Lord Rama's Life and Symbolism of Ayodhya

Insights on Ram Navami: Teachings from Lord Rama's Life and Symbolism of Ayodhya

esh_pji
Secure Multiparty Computation: Enhancing Privacy in Data Sharing

Secure Multiparty Computation: Enhancing Privacy in Data Sharing

mino_ll
Enhancing Multi-Party Computation Efficiency Through ORAM Techniques

Enhancing Multi-Party Computation Efficiency Through ORAM Techniques

jeronimo_a

More Related Content