Embed Size (px)
Citation preview
1
ORAM – Used for Secure Computation
byVenkatasatheesh Piduri
2
Basics
• What is secure Computation• Why it is important• Different Methods
3
Secure ComputationMy age is
16I do not
wantBob to know
My age is 12
I do not want
Alice to know
Who is the oldest?
4
Secure Computation
Traditional solutions use circuit abstraction
>=16? 12
No, I am older than Bob
OT
[Yao, 1982] Garbled Circuit
5
Papers for discussion
1. * Automating Efficient RAM-Model Secure Computation, SP14
2. Burst ORAM: Minimizing ORAM Response Times for Bursty Access Patterns, SEC14
6
Terms
• Third party computation• Semi honest model• Adversarial behavior• Oblivious transfer• Memory access pattern• Garbled circuit
7
Introduction
• Traditional circuit approach• RAM- SC model• Automating efficient RAM- Model
8
Key building blocks of RAM model SC
• Oblivious RAM – a cryptographic primitive that hides memory access patterns by randomly shuffling data in memory.
• Each memory read/ write incurs poly log n actual memory accesses
9
Automating Efficient RAM – About
• Define Intermediate representation • Type system• Automated compiler – transfers high level
program into secure computation protocol.
10
Continue
• Intermediate representation and Type system – Helps in avoiding expensive circuit
11
Automating RAM-model Secure Computation
SCVM Intermediat
e Representat
ion
Program in
source langua
ge
Securecomputationprotocol
ProgrammerCrypto Non-Expert
Front-endcompiler
Back-endcompiler
Type Checker
Usability
Formal Security
Efficiency
12
Automating RAM-model Secure Computation
SCVM Intermediat
e Representat
ion
Program in
source langua
ge
Securecomputationprotocol
Programmer
Front-endcompiler
Back-endcompiler
Type Checker
Usability
Formal Security
Efficiency
13
Automating RAM-model Secure Computation
SCVM Intermediat
e Representat
ion
Program in
source langua
ge
Securecomputationprotocol
Programmer
Front-endcompiler
Back-endcompiler
Type Checker
Usability
Formal Security
Efficiency
14
Toward generating efficient protocol
Instruction-trace
obliviousness
Memory-trace obliviousness
Mixed-mode execution
15
Toward generating efficient protocol
Instruction-trace
obliviousness
16
Program counter leaks information
• The instructions being executed leak information
if(a[mid] <key) l = mid + 1;else r = mid;
17
Program counter leaks information
• The instructions being executed leak information
if(a[mid] <key) l = mid + 1;else r = mid;
18
Program counter leaks information
• The instructions being executed leak information
if(a[mid] <key) l = mid + 1;else r = mid;
19
Program counter leaks information
• The instructions being executed leak information
if(a[mid] <key) l = mid + 1;else r = mid;
Universal Circuit
Instruction
Execute ALL instructions!
INEFFICIENT!
new pc value
20
Instruction-trace obliviousness
if(a[mid] <key) l = mid + 1;else r = mid;
t1=a[mid];cmp = t1<key;t2=mid+1;l=mux(cmp, t2, l);r=mux(cmp, r, mid);
Instruction-trace oblivious
programs, e.g. straight-line
programs, can avoid the
universal circuit
21
Toward generating efficient protocol
Instruction-trace
obliviousness
Memory-trace obliviousness
22
Memory Trace Obliviousness
int count(public int n, alice int* data, bob int T) {
int count = 0;
for(int i=0; i<n; ++i) {
if(data[i]==T)
count = count+1;
}
}
data need not be stored in an
ORAM
RAM
Linear scan
23
Toward generating efficient protocol
Instruction-trace
obliviousness
Memory-trace obliviousness
Mixed-mode execution
24
Mix-mode Execution
When code can be computed locally or publicly, a secure computation protocol is not necessary
E.g. sorting the array before performing binary search.
{ P , A , B , O}
25
Compilation
• Typing the source language• Labeling statements• On secret branching• On secret while looping – can impose
constraint• Declassification – info can flow from only low
secure to high• Correctness - type checker
26
Evaluation
• KMP string matching algorithm• Dijkstra’s shortest distance algorithm• Inverse Permutation• Aggregation over sliding windows• Binary Search• Heap Data Structure
27
Evaluation
• Little compile time compared to earlier circuit model compilers
• Metric – block cipher evaluations as performance metric
28
Thank you
![SCORAM: Oblivious RAM for Secure Computationhubert/ccs14a.pdf · ORAM by Shi et al. [30] performs the same as a naively implemented Path ORAM [34], although Path ORAM is asymptotically](https://img.pdfslide.us/doc/110x75/5f0ac9767e708231d42d56e3/scoram-oblivious-ram-for-secure-computation-hubert-oram-by-shi-et-al-30.jpg)
![Three-Party ORAM for Secure Computation · ORAM for Secure Computation (SC-ORAM) [17], which is a protocol that securely implements a RAM functionality, i.e. given a secret-sharing](https://img.pdfslide.us/doc/110x75/5f0ac6817e708231d42d4814/three-party-oram-for-secure-computation-oram-for-secure-computation-sc-oram-17.jpg)
![Three-Party ORAM for Secure Computationsprout.ics.uci.edu/pubs/3PORAM-AC15.pdf · most recent proposal of Path ORAM by Stefanov et al. [21] practical enough to be implemented on secure](https://img.pdfslide.us/doc/110x75/5f0ac9777e708231d42d56e8/three-party-oram-for-secure-most-recent-proposal-of-path-oram-by-stefanov-et-al.jpg)