Verifiable Oblivious Storage

Presentation transcript:

Verifiable Oblivious Storage Daniel Apon Jonathan Katz Elaine Shi Aishwarya Thiruvengadam University of Maryland

Motivating Scenario
The client holds a small state st; the server holds a database D of n blocks of B bits.
  read i: the client sends i, the server returns D[i].
  write (w, i): the client sends (w, i), the server sets D[i] := w.
Each operation moves the client state from st to st' (and so on) and the database from D to D' (and so on).

The server is malicious. The client is honest. Our goal is complete oblivious access: hiding the data from the server, and hiding the data-access pattern from the server. Efficiency-wise, we aim to minimize:
  1) client storage (prefer small and independent of n)
  2) bandwidth (prefer o(log(n)) overhead, per query)
  3) server computation (prefer o(n), per query)

Previous Solutions

Private Information Retrieval (PIR)
The server holds D (either D := Enc(D) or D in plaintext). The client sends a read query and receives a response; its state st is unchanged.
  Typically focuses on reads (but achieves O(1) bandwidth overhead).
  Requires server computation linear in n = |D|.
  Semi-honest server; possibly D stored in plaintext.

Oblivious RAM (ORAM)
The server stores D := Enc(D). The client issues read/write queries; each query moves the client state from st to st' and the server's storage from D to D'.
  The server is an inert storage medium (recent exceptions: [WS08], [MBC14]).
  Lower bound: requires log(n) bandwidth overhead [GO93].

Secure Computation
The client holds (st, query); the server holds D := Enc(D). The two parties interactively compute f(st, query, D): the client obtains (st', response), the server obtains D'.
  Requires server computation and bandwidth linear in n = |D|.

Our Contributions
  Formally define Verifiable Oblivious Storage (VOS): simulation-based security against a malicious server.
  Efficient VOS constructions (beat all ORAMs in bandwidth): a generic ORAM-to-VOS compiler, with optimizations from Path-ORAM [SDSFRYD13] and Hierarchical-ORAM [KLO12].
  Applications of VOS: dynamic proofs of retrievability [CKW13].

Efficiency of our VOS constructions
Path-VOS: O(log(n)) server computation, O(1) bandwidth overhead (beats the [GO93] lower bound).
Hierarchical-VOS (for B sufficiently large):
  Server computation | Bandwidth
  sublinear in n     | O(B), i.e. O(1) bandwidth overhead
  polylog in n       | O(B log(n) / loglog(n))
Additionally, has the Next-Read-Pattern-Hiding property.

Rest of the talk
  VOS security definition
  ORAM-to-VOS construction sketch
  Handling malicious servers
  Open questions

VOS Security: Ideal World
The ideal functionality F holds D. The client sends its query to F. F sends the server only an input-free "op request", and the server answers OK or abort. If OK, F updates D locally and returns the response to the client, whose state moves from st to st'; otherwise the client receives abort.
VOS Security. A real-life execution should "simulate" this interaction.
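To make the definition concrete, the following is an added toy model of the ideal functionality F (example code written for this transcript, not the paper's own): the server's entire view per query is one input-free "op request", so two different client access sequences of the same length produce identical server views, and the server's only power is to abort. The helper names and the sample database are constructed for the illustration.

```python
from dataclasses import dataclass, field


@dataclass
class IdealVOS:
    """F holds D (n blocks, each an int below 2**B) and serves the client."""
    D: list
    server_view: list = field(default_factory=list)

    def query(self, op, server_decision):
        """op is ('read', i) or ('write', w, i).

        server_decision maps the server's view so far to 'OK' or 'abort'.
        """
        # The server learns only that some op is requested, never which one.
        self.server_view.append("op request")
        if server_decision(self.server_view) != "OK":
            return "abort"
        # If OK, F updates D locally and answers the client directly.
        if op[0] == "read":
            return self.D[op[1]]
        _, w, i = op
        self.D[i] = w
        return "OK"


def run_session(D, ops, server_decision):
    """Run a client's op sequence against F; return (outputs, server view, D)."""
    F = IdealVOS(list(D))
    outputs = [F.query(op, server_decision) for op in ops]
    return outputs, F.server_view, F.D


def honest(view):
    return "OK"


def abort_after_two(view):
    # A malicious server that stops cooperating after two requests.
    return "OK" if len(view) <= 2 else "abort"


# Constructed sample: n = 8 blocks of B = 16 bits, two unrelated access sequences.
D0 = [0x0000, 0x1111, 0x2222, 0x3333, 0x4444, 0x5555, 0x6666, 0x7777]
SEQ_A = [("read", 3), ("write", 0xBEEF, 5), ("read", 5)]
SEQ_B = [("write", 0x0001, 0), ("read", 0), ("read", 7)]
```

In the real protocol the server sees ciphertexts and proofs instead of a bare "op request", and the security proof shows that view can be simulated from this one.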

Quick review: FHE
A fully homomorphic encryption (FHE) scheme allows:
  Setup. Outputs (sk, pk)
  Encrypt. (pk, m) → ciphertext [m]
  Decrypt. (sk, [m]) → message m
  Eval. (C, [m_1], …, [m_t]) → [C(m_1, …, m_t)]

VOS Construction Sketch: ORAM-to-VOS (semi-honest)
The client wants to read/write logical index j. It sends the server FHE encryptions [st] of its ORAM client state and [j] of the index. The server holds the ORAM storage D and evaluates the ORAM client algorithm under FHE: the encrypted computation determines the index i to access, the server performs the read/write to i on D (yielding D'), feeds the response to i back into the encrypted computation, and obtains the updated encrypted state [st']; repeating this drives the state on to st''.

Handling malicious servers
Malicious security by applying SNARKs (Succinct Non-interactive ARguments of Knowledge for NP). Basic properties of SNARKs:
  Succinct proofs: size = O(k), for security parameter k << n.
  Time to prove "x is in L" ~ size of the NP verifier circuit for L.
Key challenge. Ensure the server uses o(n) time to build a SNARK claiming all memory is intact and fresh.

Open questions and follow-up work
  Beat ORAM bandwidth from weaker assumptions? (E.g. no SNARKs)
  Practical VOS constructions? (No FHE) E.g. [MBC13] with better bounds?
  More expressive access control? E.g. [WNLSSH14] but with verifiability?
  Non-interactive RAM evaluation on encrypted data. [AFKLSZ14, GHRW14]

Thank you!