Embed Size (px)
Citation preview
• Easy-to-use by non-crypto experts
• Extensible for experts• Highly Efficient secure
computation backend
OBLIVM: A PROGRAMMING FRAMEWORK FOR SECURE COMPUTATIONCHANG LIU, XIAO SHAUN WANG, KARTIK NAYAK, YAN HUANG, ELAINE SHI
SECURE COMPUTATION
CHALLENGES
OBLIVM ARCHITECTURE
RAM-MODEL SECURE COMPUTATION
• A naïve approach to convert a random memory access isto perform a linear scan, and thus incurs an overheadlinear to the memory capacity. Inefficient!
• Existing work (e.g. [3]) relies on Oblivious RAM (ORAM)to automate RAM-model secure computation, whichreducing the overhead to poly-logarithmic. It alsoidentifies opportunities to avoid ORAM, in a memorytrace oblivious program [4], to further reduce theoverhead to be constant.
• Two parties jointly perform computation over theirsensitive data
• No party learns anything about other’s sensitive dataother than output
• More than three decades old problem [1]
References:
[1] Yao, “Protocols for secure computations (extended abstract)”, FOCS 13; [2] Holzer, “Secure Two-party Computations in ANSI C”, CCS 12; [3]Liu, et al, “Automating Efficient RAM-model Secure Computation”, IEEE S&P 14; [4] Liu, et al, “Memory TraceOblivious Program Execution”, CSF 13; [5] Wang, et al. “Oblivious Data Structures”, CCS 14; [6] Nikolaenko, “Privacy-preserving matrix factorization”, CCS 13; [7] Nikolaenko, “Privacy-preserving ridge regression on hundreds of millions of records”, IEEE S&P13; [8] Wang, et al, “Circuit ORAM: On Tightness of the Goldreich-Ostrovsky Lower Bound”, CCS 15
Hard to program: secure computation protocols requires torepresent the program in circuits.
Low efficiency: automated compiler (e.g. [2]) to convert anormal C-like program into circuits will incur a big overhead forrandom memory accesses.
Not scalable: efficient secure computation protocols usuallyrequire experts cryptographers to spend a long time to develop.
ReadM[i]
[𝑀[𝑖]]
ORAM
Garbled Circuits
Secure Computation
ORAM requests turn into multiple DRAM accesses to obfuscate the real address
OBLIVM APPROACH
HAND-CRAFTING VS AUTOMATED COMPILATION
Random Access Memory
EVALUATION
Dijkstra MST K-Means Heap Map/Set BSearch AMS CountMinSketch Sketch
106
105
104
103
100
10
1
Spee
dup
9x105x
7x
2500x
51x
9x105x
7x
2500x
51x
5900x
7x
13x
65x
1.6x104x
7x
5.5x
407x
8200x
7x
5.5x
212x
2.6x104x
7x
10x
366x
1.7x106x
7x2x
1.2x105x
7400x
7x2x
530x
Data size: 768KB 768KB 2MB 8GB 8GB 1GB 10GB 0.31GB
Backend
PL
Circuit ORAM [8]
HKFV12 [2]
Achieve up to 𝟏𝟎𝟔 ×speedup with respect to the best automated approach
As low as 𝟑. 𝟓 × overhead on top of non secure baseline
ADOPTION
Privacy-preserving data mining and recommendation system
Computational biology, privacy-preserving microbiome analysis
Privacy-preserving Software-Defined Networking
Cryptographic MIPS processor
iDash secure genome analysis competitionWon an “HLI Award for Secure Multiparty Computing”
Matrix Factorization
2013 ObliVM Today
5 researchers 4 monthsNIWJTB-CCS’13 [6]
5 researchers 3 weeksNWIJBT-IEEE S&P ’13 [7]
1 graduate student-day
10x-20x better performanceRidge Regression
Same Tasks
ObliVM-langsource language
Non-crypto expert
applicationdeveloper
Compiler
Develop apps Impl. optimized libraries; Define new native funcs
Impl. optimized gadgets; Impl new SC protocols
1 2 3
1
Infrastructure/library developer
32
ObliVM-SCBackend
Programming Language Features
Programming AbstractionsEnable
Efficient Implementation
Boun
ded L
oop Improve the upper-
bound for oblivious Shortest distance and MST algorithms for sparse graphs
Functions:- Function Types- Phantom Functions
MapReduceMapReduce(inputData, mapper, reducer, initialVal, cmp)
Data Analytic Algorithms using MapReduce:- WordCount, PageRank,
Histogram, …
Loop Coalescing
Random Number- Affine Type System
Oblivious Data Structures- More efficient than generic ORAM simulation [5]- The type system guarantees the implementation
is secure by construction
Stack, Heap, AVL Tree, …
bwhile(n) (u<n) {total = total + 1;i=s[u];bfor (m) (;i<s[u+1];) {
// do somethingi=i+1;
}u=u+1; }
Compiler
Generate
state = (u<n) ? 1 : -1;for (__itr=0; __itr<n+m+n; __itr++) {
if (state==1) { total=total+1; i=s[u];state = (i<s[u+1]) ? 2 : 3
} else if (state==2) { // do somethingi=i+1; state = (i<s[u+1]) ? 2 : 3
} else if (state==3) {u=u+1; state = (u<n) ? 1 : -1
} // else execution is finished}
[𝑖]
HOW FAR FROM PRACTICAL?
Slowd
own w
.r.t.
Insec
ure Ba
selin
e Distributed GWAS 130 ×
Hamming Distance 1.7 × 104 ×
K-Means 9.3 × 106 ×
Binary Search on 1GB DatabaseToday 7.3 secs/queryFuture 0.3 secs/query
New Theoretical Results
