Oram And Secure Computation
Uploaded by chong-kuan-chen
Secure Computing
• Nowadays, the concept of computation outsourcing is widespread
• Especially for mobile
• How can we ensure confidentiality?
• Computing Outsourced
(diagram: Server and Client)
• Trusted Computing Base
(diagram: CPU and Memory)
Threat Model
• Securely outsourcing data: store, access, and update data on an untrusted server.
• What does untrusted mean?
• Honest: the server never modifies the data, so integrity is OK
• Curious: the server tries to monitor the data accesses, so confidentiality is not guaranteed
(diagram: Untrusted vs. Trusted Zone)
Secure Function Evaluation
• How to hide the data content? Simple encryption?
• No: the other party needs to do some computation on the data
• Secure function evaluation (SFE): how two parties can collaborate to correctly compute a function without revealing their inputs to the function
• E.g. Yao's Garbled Circuit, homomorphic encryption
(diagram: Server and Client)
Yao’s Garbled Circuit
• A method that enables two parties with private inputs x and y to jointly compute a function f(x,y)
• Privacy: nothing is learned from the protocol other than the output
• Based on the Boolean circuit: a garbled Boolean circuit is a collection of garbled Boolean gates
• Construct the entire garbled circuit from the Boolean circuit
Encrypted AND Gate
• For each wire x,y,z, specify two random values, corresponding to 0 and 1
Wire   Value 0   Value 1
x      k0x       k1x
y      k0y       k1y
z      k0z       k1z
Construct GCT
• Garbled Computation Table (GCT): "associate" kz0, kz1 with kx0, kx1, ky0, ky1
• Given two input keys kx^a and ky^b, only one row of the GCT can be decrypted correctly, namely E_{kx^a}(E_{ky^b}(kz^{g(a,b)})).
Construction of a Garbled Gate
1. Alice picks two random keys for each wire, so she has 6 keys in total
2. She encrypts each row of the table, creating the GCT
Transfer Data to Untrusted User
• She permutes it (rearranges the rows), so that a key's position reveals nothing about the value it is associated with.
• She sends it over to Bob, along with her input key kb′, where b′ is her input value.
Evaluation of the Secret Function
• Bob now has kb′, kb and the GCT, and he can compute the gate by decrypting the GCT.
• He can decrypt only one row of the GCT, exactly because of its construction.
• He sends the output kz^{g(b′,b)} to Alice and the computation of the garbled gate z is over.
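The garbled gate described on the preceding slides, worked through end to end as an added example (not code from the slides): Alice picks six random wire keys, doubly encrypts the four rows, permutes them, and Bob finds that exactly one row decrypts under his two input keys. The encryption is a constructed hash-based scheme with a zero-tail check so a wrong decryption is detectable; Bob is handed his own input key directly here, whereas the real protocol delivers it by oblivious transfer, which these slides do not cover.

```python
import hashlib, secrets

KEY_LEN = 16
CHECK = b"\x00" * 8  # constructed redundancy: a decryption is "correct" iff this tail survives

def _pad(key, gate_id, pos, length):
    # Hash-derived keystream; mixing in the row position keeps a reused wire key from giving the same pad twice
    return hashlib.sha256(key + gate_id + bytes([pos])).digest()[:length]

def enc(key, gate_id, pos, msg):
    plain = msg + CHECK
    return bytes(a ^ b for a, b in zip(plain, _pad(key, gate_id, pos, len(plain))))

def dec(key, gate_id, pos, ct):
    plain = bytes(a ^ b for a, b in zip(ct, _pad(key, gate_id, pos, len(ct))))
    return plain[:-len(CHECK)] if plain.endswith(CHECK) else None

def garble_gate(g, gate_id=b"gate-0"):
    """Alice: two random keys per wire (6 in total), one doubly encrypted row per
    (a, b), rows permuted so a row's position says nothing about its value."""
    keys = {w: (secrets.token_bytes(KEY_LEN), secrets.token_bytes(KEY_LEN)) for w in "xyz"}
    rows = [(a, b) for a in (0, 1) for b in (0, 1)]
    positions = list(range(4))
    secrets.SystemRandom().shuffle(positions)
    gct = [None] * 4
    for pos, (a, b) in zip(positions, rows):
        inner = enc(keys["y"][b], gate_id, pos, keys["z"][g(a, b)])  # E_{ky^b}(kz^{g(a,b)})
        gct[pos] = enc(keys["x"][a], gate_id, pos, inner)            # E_{kx^a}(...)
    return keys, gct

def decryptable_rows(kx, ky, gct, gate_id=b"gate-0"):
    """Bob: try every row with his two input keys; return the (pos, kz) pairs that open."""
    found = []
    for pos, row in enumerate(gct):
        inner = dec(kx, gate_id, pos, row)
        kz = dec(ky, gate_id, pos, inner) if inner is not None else None
        if kz is not None:
            found.append((pos, kz))
    return found

def evaluate_gate(kx, ky, gct, gate_id=b"gate-0"):
    opened = decryptable_rows(kx, ky, gct, gate_id)
    if len(opened) != 1:
        raise ValueError("exactly one GCT row must decrypt")
    return opened[0][1]

def demo(g, a, b):
    # Garble gate g, evaluate it on inputs (a, b), map the output key back to a bit
    keys, gct = garble_gate(g)
    kz = evaluate_gate(keys["x"][a], keys["y"][b], gct)
    return keys["z"].index(kz)
```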
Yao’s Garbled Circuit
• Yao's Garbled Circuit can do simple computation
• We can construct more complicated circuits from the simplest ones
• Without limits on space and time, Yao's Garbled Circuit lets us do any computation
• Without revealing the input data
Shortcomings of Existing Approaches
• Poor scalability, preventing large circuit generation
• Manual circuit optimization is not practical
• High-level abstraction leads to inefficient optimization
Approach
• Generating optimized and compact circuits
• Adapting classic hardware synthesis techniques
• Sequential logic description for functions
Sequential Circuit
• Combinational circuit: outputs are functions of the inputs only
• Sequential circuit: outputs are functions of both the inputs and the circuit state
Summary
• Adaptation of established HDL synthesis techniques to compile and optimize a function into a netlist of gates for use in secure computation protocols
• Reuse traditional circuit optimization to construct the garbled circuit
Secure Enough?
• Now the data can be stored in untrusted storage with some simple computation
• But the access trace may leave clues, e.g. only a few clients access a certain field
• Therefore, we want to hide the access trace next.
Core Concept
• Dummy Read: read multiple blocks at once, so the attacker cannot guess which one is the real data
• Dummy Write: to make reads and writes indistinguishable, every operation contains both a read and a write
• After a read, a block must relocate: if data stays in a fixed location it is open to frequency analysis, and relocation defends against it
Path ORAM
• Data in memory is organized as a binary tree
• Each node is called a bucket, which can hold several data blocks
• The CPU maintains the private information, the position map
• The position map records the path on which each data block is located
Basic Format
(diagram: binary tree of buckets in memory with leaves 0 1 2 3 holding blocks d0..d8; the CPU holds the position map with d1 → path 1, d5 → path 2)
D1 is saved in some node in path 1
Read A Data Record D1
(diagram: same tree; position map d1 → path 1, d5 → path 2)
We can find D1 along path 1
Reinjecting the Data
(diagram: same tree; position map updated to d1 → path 2, d5 → path 2; the CPU chooses another path)
Reinjecting the Data
• We will move the data D1 to some node on path 2
• However, if we write a value somewhere on path 2, the attacker can observe data moving from path 1 to path 2
• The relationship may be revealed
• The only node where D1 can be put is the root node, since the root lies on every path
Reinjecting the Data
(diagram: D1 placed in the root bucket; position map d1 → path 2, d5 → path 2; the CPU chooses another path)
Problem
• The attacker can guess that the most recently accessed block is in the root
• The root bucket has limited size
• To solve both problems, eviction is used
• In brief, eviction moves the overflowing data into a child bucket
Reinjecting the Data
(diagram: eviction from the root; position map d1 → path 2, d5 → path 2; the CPU chooses another path)
If the root node overflows: 1. make a real write (move the overflowing block into a child bucket), 2. make a dummy write (so the attacker cannot tell which child received real data)
Summary: Path-based ORAM
1. Save data in a node along the path; the path depends on the secret position map in the CPU
2. After each access, re-inject the block onto a new path and update the position map
3. Eviction: check the bucket size and move overflowing data down toward the leaves
Summary: Path-based ORAM
• Save data along the path: the attacker cannot identify which block is the real data
• Re-inject the data: with relocation, the access history gives the attacker no information (oblivious)
• Evictions: move data down toward the tree leaves, leaving no relationship for the attacker
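A small simulation of the three steps just summarized, added here as an illustration and not the slides' or any library's code: the server holds a binary tree of buckets, the client keeps the position map, every access reads a whole path, re-injects the block at the root onto a fresh random leaf, and then evicts down the path with a real write and a dummy write at each level. The server-visible trace records bucket indices only, so a read and a write look alike; blocks that cannot descend on the current path simply stay where they are (a real Path ORAM keeps such blocks in a client stash).

```python
import random

class ToyPathORAM:
    """Tree ORAM as the slides describe: buckets in a binary tree on the untrusted
    server, a private position map in the client, a full-path read, re-injection at
    the root onto a fresh random path, then eviction. Constructed illustration only."""

    def __init__(self, depth, bucket_size, seed=0):
        self.depth, self.Z, self.rng = depth, bucket_size, random.Random(seed)
        self.tree = [[] for _ in range(2 ** (depth + 1) - 1)]  # bucket -> [(id, leaf, data)]
        self.pos = {}     # private position map: block id -> leaf
        self.trace = []   # what the server observes: bucket indices only, never ids or data

    def _path(self, leaf):
        node, path = 2 ** self.depth - 1 + leaf, []   # heap layout, leaves come last
        while node > 0:
            path.append(node)
            node = (node - 1) // 2
        return [0] + path[::-1]   # root ... leaf

    def access(self, op, blk_id, new_data=None):
        leaf = self.pos.get(blk_id, self.rng.randrange(2 ** self.depth))
        path = self._path(leaf)
        self.trace.append(("read", tuple(path)))   # dummy read: every bucket on the path
        data = None
        for node in path:
            for entry in list(self.tree[node]):
                if entry[0] == blk_id:
                    data = entry[2]
                    self.tree[node].remove(entry)
        if op == "write":
            data = new_data
        self.pos[blk_id] = self.rng.randrange(2 ** self.depth)  # re-inject onto a new path
        self.tree[0].append((blk_id, self.pos[blk_id], data))   # the root lies on every path
        self._evict(path)
        return data   # a read and a write leave the same trace shape (dummy write)

    def _evict(self, path):
        # Walk the read path downward: an overflowing bucket pushes blocks whose own path
        # runs through the on-path child into that child. Both children are written at every
        # level, so the server cannot tell the real write from the dummy one.
        for parent, child in zip(path, path[1:]):
            sibling = child + 1 if child % 2 else child - 1
            movable = [e for e in self.tree[parent] if child in self._path(e[1])]
            while len(self.tree[parent]) > self.Z and movable:
                e = movable.pop()
                self.tree[parent].remove(e)
                self.tree[child].append(e)
            self.trace += [("write", child), ("write", sibling)]
```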
Problem
• There is a gap between programmers and cryptographers: imperative languages vs. the circuit model
• ObliVM: a tool to convert C-like programs into garbled circuits
Oblivious Data Structure
• Security labels, e.g. secure int10[public 1000] keys
• This array will be secret shared but not placed in an ORAM.
• secure int10[secure 1000] keys
• This array will be placed in a secret-shared ORAM, and we allow secret indices into the array.
Phantom Mode Function
• The program itself must be memory-trace and instruction-trace oblivious
• The execution trace should be identical across executions
• Phantom mode function: execute both branches, one really executed and the other executed phantomly
Loop Coalescing
• Transform a nested loop into a single layer using the concept of a state machine
• Translate each code block into a new state
• Simulate a state machine in which each state contains one code block
• The branching statement at the end of each code block is translated into an assignment statement that moves the state machine into the next state
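The phantom-mode branch and the loop coalescing from the last two slides, shown on one function as an added example (not ObliVM's own compiler output): the nested loops become a single while loop over named states, the branch at the end of each block becomes an assignment to `state`, and the secret comparison is replaced by a mux so both branches are computed. The sequence of visited states depends only on the public array length, never on the secret contents.

```python
def mux(cond, a, b):
    """Phantom-mode select: both a and b are already computed, so the executed
    instructions do not depend on cond (a multiplexer in circuit terms)."""
    return cond * a + (1 - cond) * b

def inversions_nested(a):
    """Ordinary nested loops with a data-dependent branch (what a programmer writes)."""
    cnt = 0
    for i in range(len(a)):
        for j in range(i + 1, len(a)):
            if a[i] > a[j]:
                cnt += 1
    return cnt

def inversions_coalesced(a, trace=None):
    """Same function after loop coalescing: one while loop drives a state machine,
    each state is one code block, and the branch at the end of a block becomes an
    assignment to `state`. Loop control depends only on the public length n; the
    secret comparison runs in phantom mode through mux()."""
    n, i, j, cnt, state = len(a), 0, 0, 0, "outer"
    while state != "done":
        if trace is not None:
            trace.append(state)          # what an observer of the control flow sees
        if state == "outer":             # block: start outer iteration i
            j = i + 1
            state = "inner" if i < n else "done"   # public control flow
        elif state == "inner":           # block: one inner iteration j
            if j < n:                    # public control flow
                cnt = mux(int(a[i] > a[j]), cnt + 1, cnt)   # secret branch: both sides computed
                j += 1
            else:
                i += 1
                state = "outer"
    return cnt
```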
Programmer's Abstraction
• A cryptography-expert programmer provides library support for implementing a class of pointer-based data structures
• A non-specialist programmer can then implement data structures that are compiled to efficient oblivious algorithms outperforming generic ORAM