Garbled RAM, Revisited Daniel Wichs (Northeastern University) Joint work with: Craig Gentry, Shai Halevi, Seteve Lu, Rafail Ostrovsky, Mariana Raykova.

Slides:



Advertisements
Similar presentations
PRATYAY MUKHERJEE Aarhus University Joint work with
Advertisements

Foundations of Cryptography Lecture 11 Lecturer: Moni Naor.
Dan Boneh Public key encryption from Diffie-Hellman ElGamal Variants With Better Security Online Cryptography Course Dan Boneh.
New Results on PA/CCA Encryption Carmine Ventre and Ivan Visconti Università di Salerno.
1 Adam O’Neill Leonid Reyzin Boston University A Unified Approach to Deterministic Encryption and a Connection to Computational Entropy Benjamin Fuller.
CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.
11 Provable Security. 22 Given a ciphertext, find the corresponding plaintext.
Encryption Public-Key, Identity-Based, Attribute-Based.
Public-Key Encryption in the Bounded-Retrieval Model Joël Alwen, Yevgeniy Dodis, Moni Naor, Gil Segev, Shabsi Walfish, Daniel Wichs Earlier Today: Yevgeniy.
Outsourcing Private RAM Computation Daniel Wichs Northeastern University with: Craig Gentry, Shai Halevi, Mariana Raykova.
Dual System Encryption: Realizing IBE and HIBE from Simple Assumptions Brent Waters.
S EMANTICALLY - SECURE FUNCTIONAL ENCRYPTION : P OSSIBILITY RESULTS, IMPOSSIBILITY RESULTS AND THE QUEST FOR A GENERAL DEFINITION Adam O’Neill, Georgetown.
Introduction to Practical Cryptography Lecture 9 Searchable Encryption.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
Cryptography in The Presence of Continuous Side-Channel Attacks Ali Juma University of Toronto Yevgeniy Vahlis Columbia University.
The RSA Cryptosystem and Factoring Integers (II) Rong-Jaye Chen.
Co-operative Private Equality Test(CPET) Ronghua Li and Chuan-Kun Wu (received June 21, 2005; revised and accepted July 4, 2005) International Journal.
CMSC 414 Computer and Network Security Lecture 17 Jonathan Katz.
Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from
1 Conjunctive, Subset, and Range Queries on Encrypted Data Dan Boneh Brent Waters Stanford University SRI International.
CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.
Strongly Secure Certificateless Encryption Alexander W. Dent Information Security Group
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
ON THE PROVABLE SECURITY OF HOMOMORPHIC ENCRYPTION Andrej Bogdanov Chinese University of Hong Kong Bertinoro Summer School | July 2014 based on joint work.
On the Implausibility of Differing-Inputs Obfuscation (and Extractable Witness Encryption) with Auxiliary Input Daniel Wichs (Northeastern U) with: Sanjam.
On Everlasting Security in the Hybrid Bounded Storage Model Danny Harnik Moni Naor.
A Brief History of Provable Security and PKE Alex Dent Information Security Group Royal Holloway, University of London.
Black-Box Garbled RAM Sanjam Garg UC Berkeley Based on join works with
Circular-Secure Encryption from Decision Diffie-Hellman Dan Boneh Shai Halevi Mike Hamburg Rafail Ostrovsky.
Dan Boneh Public Key Encryption from trapdoor permutations The RSA trapdoor permutation Online Cryptography Course Dan Boneh.
CMSC 414 Computer and Network Security Lecture 13 Jonathan Katz.
1 Cross-Domain Secure Computation Chongwon Cho (HRL Laboratories) Sanjam Garg (IBM T.J. Watson) Rafail Ostrovsky (UCLA)
Cryptography and Network Security Chapter 11 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.
Practical Techniques for Searches on Encrypted Data Yongdae Kim Written by Song, Wagner, Perrig.
Shai Halevi – IBM Research PKC 2014 Multilinear Maps and Obfuscation A Survey of Recent Results.
Multi-Client Non-Interactive Verifiable Computation Seung Geol Choi (Columbia U.) Jonathan Katz (U. Maryland) Ranjit Kumaresan (Technion) Carlos Cid (Royal.
Functional Encryption: An Introduction and Survey Brent Waters.
ON CONTINUAL LEAKAGE OF DISCRETE LOG REPRESENTATIONS Shweta Agrawal IIT, Delhi Joint work with Yevgeniy Dodis, Vinod Vaikuntanathan and Daniel Wichs Several.
The Generic Transformation from Standard Signatures to Identity-Based Aggregate Signatures Bei Liang, Hongda Li, Jinyong Chang.
Definition and applications Lossy Trapdoor Functions 2.
Public Key Encryption with keyword Search Author: Dan Boneh Rafail Ostroversity Giovanni Di Crescenzo Giuseppe Persiano Presenter: 陳昱圻.
On the Communication Complexity of SFE with Long Output Daniel Wichs (Northeastern) joint work with Pavel Hubáček.
1 Secure Multi-party Computation Minimizing Online Rounds Seung Geol Choi Columbia University Joint work with Ariel Elbaz(Columbia University) Tal Malkin(Columbia.
1 CIS 5371 Cryptography 4. Message Authentication Codes B ased on: Jonathan Katz and Yehuda Lindell Introduction to Modern Cryptography.
Non-Interactive Verifiable Computing August 5, 2009 Bryan Parno Carnegie Mellon University Rosario Gennaro, Craig Gentry IBM Research.
Secure Computation Lecture Arpita Patra. Recap >> Improving the complexity of GMW > Step I: Offline: O(n 2 c AND ) OTs; Online: i.t., no crypto.
UC/Garbled Searchable Symmetric Encryption Kaoru Kurosawa Ibaraki University, Japan.
Strong Conditional Oblivious Transfer and Computing on Intervals Vladimir Kolesnikov Joint work with Ian F. Blake University of Toronto.
1 Information Security – Theory vs. Reality , Winter Lecture 11: Fully homomorphic encryption Lecturer: Eran Tromer Including presentation.
Based on work with: Sergey Gorbunov and Vinod Vaikuntanathan Homomorphic Commitments & Signatures Daniel Wichs Northeastern University.
CRYPTOGRAPHIC HARDNESS OTHER FUNCTIONALITIES Andrej Bogdanov Chinese University of Hong Kong MACS Foundations of Cryptography| January 2016.
1/28 Chosen-Ciphertext Security from Identity- Based Encryption Jonathan Katz U. Maryland Ran Canetti, Shai Halevi IBM.
EE 122: Lecture 24 (Security) Ion Stoica December 4, 2001.
China Summer School on Lattices and Cryptography Craig Gentry and Shai Halevi June 3, 2014 Somewhat Homomorphic Encryption.
Online/Offline Attribute-Based Encryption Brent WatersSusan Hohenberger Presented by Shai Halevi.
Cryptography Lecture 10 Arpita Patra © Arpita Patra.
Verifiable Threshold Secret Sharing and Full Fair Secure Two-party Computation YE Jian-wei March 7, 2009.
Fully Homomorphic Encryption (FHE) By: Matthew Eilertson.
Cryptographic methods. Outline  Preliminary Assumptions Public-key encryption  Oblivious Transfer (OT)  Random share based methods  Homomorphic Encryption.
Cryptography Resilient to Continual Memory Leakage Zvika Brakerski Weizmann Institute Yael Tauman Kalai Microsoft Jonathan Katz University of Maryland.
CMSC 414 Computer and Network Security Lecture 2 Jonathan Katz.
Multi-Party Computation r n parties: P 1,…,P n  P i has input s i  Parties want to compute f(s 1,…,s n ) together  P i doesn’t want any information.
Bounded key-dependent message security
Laconic Oblivious Transfer and its Applications
Verifiable Oblivious Storage
Secure Multiparty RAM Computation in Constant Rounds
Cryptography Lecture 6.
Rishab Goyal Venkata Koppula Brent Waters
Identity Based Encryption from the Diffie-Hellman Assumption
Path Oram An Extremely Simple Oblivious RAM Protocol
Presentation transcript:

Garbled RAM, Revisited Daniel Wichs (Northeastern University) Joint work with: Craig Gentry, Shai Halevi, Seteve Lu, Rafail Ostrovsky, Mariana Raykova

Goals of Garbled RAM An analogue of Yao garbled circuits [Yao82] that directly garbles Random Access Machines (RAM). Avoid efficiency loss of converting a RAM to a circuit. – Google search vs. reading the Internet. First proposed/constructed by [Lu-Ostrovsky 13]. – Proof of security contains subtle flaw (circularity problem). This works: new constructions with provable security.

Garbled RAM Definition Client Server secret: k

Garbled RAM Definition Client Server secret: k

Weak vs. Full Security

read-only computation.For now, Overview of [Lu-Ostrovsky 13]

read bit Memory Data D= CPU Step 1 Read location: i CPU Step 2 … state …

read bit Memory Data D= CPU Step 1 Read location: i CPU Step 2 … state … garbled circuit garbled garbled circuit garbled GProg: GInp

read bit CPU Step 1 Read location: i CPU Step 2 state … garbled circuit garbled garbled circuit garbled GProg: GInp GData: …

read bit CPU Step 1 CPU Step 2 state … garbled circuit garbled garbled circuit garbled GProg: GInp GData: … PRF Key: k Read location: i

Let’s try to prove security… read bit CPU Step 2 PRF Key: k … state garbled garbled circuit CPU Step 1 state garbled PRF Key: k Read location: i garbled circuit

Use security of 1 st garbled circuit only learn output read bit state CPU Step 2 PRF Key: k … garbled circuit labels garbled state

Use security of 1 st garbled circuit only learn output read bit state CPU Step 2 PRF Key: k … garbled circuit (assume D[i]=1) labels garbled state

read bit state CPU Step 2 PRF Key: k … garbled circuit labels garbled state Use security of 2 nd garbled circuit Use security of Encryption/PRF don’t learn PRF key k

Circularity* Problem! * May appear rectangular

So is it secure? Perhaps, but… – No proof. – No “simple” circularity assumption on one primitive.

Can we fix it? Yes! Fix 1 : – Using identity-based encryption (IBE). Fix 2 : – Only use one-way functions. – Bigger overhead.

The Fix Public-key instead of symmetric-key encryption. – Garbled circuits have hard-coded public key. – Break circularity: security of ciphertexts holds even given public-key hard-coded in all garbled circuits. Caveat: need identity-based encryption (IBE) – Original solution used “Sym-key IBE”.

Garbled Memory … Read location: i read bit CPU Step 2 PRF Key: k state CPU Step 1 PRF Key: k state Encrypt to identities (i,0) and (i,1) Master SK

Garbled Memory … Read location: i read bit CPU Step 2 state CPU Step 1 MPK state MPK Encrypt to identities (i,0) and (i,1) Master PK

How to allow writes? read bit CPU Step 1 Read location i CPU Step 2 state … Write location j, bit b Predictably-Timed Writes: Whenever read location i, “know” its last-write-time u. Any Program Compiler

Timed IBE (TIBE): restricted notion of HIBE.

… … …

read bit CPU Step 2 state CPU Step 1 state Garbled Memory …

Read: i, (last-write time: u) read bit CPU Step 2 state CPU Step 1 state Garbled Memory … Write: i’, bit b

Thank You!