Black-Box Garbled RAM Sanjam Garg UC Berkeley Based on join works with

Slides:



Advertisements
Similar presentations
Constant-Round Private Database Queries Nenad Dedic and Payman Mohassel Boston UniversityUC Davis.
Advertisements

Private Inference Control
Revisiting the efficiency of malicious two party computation David Woodruff MIT.
On the Complexity of Parallel Hardness Amplification for One-Way Functions Chi-Jen Lu Academia Sinica, Taiwan.
Quantum Money from Hidden Subspaces Scott Aaronson and Paul Christiano.
WHAT MAKES UP A COMPUTER BY SABRINA & BETH. MOTHERBOARD On the Computer, the Motherboard is where all the different parts are connected too work the computer.
Oblivious Branching Program Evaluation
Efficient Information Retrieval for Ranked Queries in Cost-Effective Cloud Environments Presenter: Qin Liu a,b Joint work with Chiu C. Tan b, Jie Wu b,
CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (3) Information Security.
TIE Extensions for Cryptographic Acceleration Charles-Henri Gros Alan Keefer Ankur Singla.
1 Vipul Goyal Abhishek Jain UCLA On the Round Complexity of Covert Computation.
CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.
Garbled RAM, Revisited Daniel Wichs (Northeastern University) Joint work with: Craig Gentry, Shai Halevi, Seteve Lu, Rafail Ostrovsky, Mariana Raykova.
1 Vipul Goyal Abhishek Jain Rafail Ostrovsky Silas Richelson Ivan Visconti Microsoft Research India MIT and BU UCLA University of Salerno, Italy Constant.
On the Composition of Public- Coin Zero-Knowledge Protocols Rafael Pass (Cornell) Wei-Lung Dustin Tseng (Cornell) Douglas Wiktröm (KTH) 1.
Outsourcing Private RAM Computation Daniel Wichs Northeastern University with: Craig Gentry, Shai Halevi, Mariana Raykova.
New Advances in Garbling Circuits Based on joint works with Yuval Ishai Eyal Kushilevitz Brent Waters University of TexasTechnion Benny Applebaum Tel Aviv.
Yan Huang, Jonathan Katz, David Evans University of Maryland, University of Virginia Efficient Secure Two-Party Computation Using Symmetric Cut-and-Choose.
On the (Im)Possibility of Key Dependent Encryption Iftach Haitner Microsoft Research TexPoint fonts used in EMF. Read the TexPoint manual before you delete.
Akelarre 1 Akelarre Akelarre 2 Akelarre  Block cipher  Combines features of 2 strong ciphers o IDEA — “mixed mode” arithmetic o RC5 — keyed rotations.
1 Analysis of the Linux Random Number Generator Zvi Gutterman, Benny Pinkas, and Tzachy Reinman.
Jointly Restraining Big Brother: Using cryptography to reconcile privacy with data aggregation Ran Canetti IBM Research.
1 Intro To Encryption Exercise 4. 2 Defining Pseudo-Random Permutation Let A be alg. with oracle to a function from {0,1} k to {0,1} k Notation: let A.
1 Introduction to Secure Computation Benny Pinkas HP Labs, Princeton.
Blind Vision Shai Avidan, Moshe Butman Yuval Schwartz.
Slide 1 Justin Brickell Donald E. Porter Vitaly Shmatikov Emmett Witchel The University of Texas at Austin Secure Remote Diagnostics.
1 Cross-Domain Secure Computation Chongwon Cho (HRL Laboratories) Sanjam Garg (IBM T.J. Watson) Rafail Ostrovsky (UCLA)
Microsoft Access Database software. What is a database? … a database is an organized collection of data. A collection of data of similar information compiled.
Secure Incremental Maintenance of Distributed Association Rules.
A Linear Lower Bound on the Communication Complexity of Single-Server PIR Weizmann Institute of Science Israel Iftach HaitnerJonathan HochGil Segev.
13. Oktober 2010 | Dr.Marc Fischlin | Kryptosicherheit | 1 Rate-Limited Secure Function Evaluation 21. Public Key Cryptography, March 1 st, 2013 Özgür.
Click to edit Master title style Framework for Realizing Efficient Secure Computations An introduction to FRESCO Janus Dam Nielsen, ph.d Research and Innovation.
Ryan Henry I 538 /B 609 : Introduction to Cryptography.
Slide 1 Yao’s Protocol. slide Yao’s Protocol uCompute any function securely … in the semi-honest model uFirst, convert the function into a boolean.
Making Secure Computation Practical IBM: Craig Gentry, Shai Halevi, Charanjit Jutla, Hugo Krawczyk, Tal Rabin, NYU: Victor Shoup SRI: Mariana Raykova Stanford:
On the Communication Complexity of SFE with Long Output Daniel Wichs (Northeastern) joint work with Pavel Hubáček.
1 Secure Multi-party Computation Minimizing Online Rounds Seung Geol Choi Columbia University Joint work with Ariel Elbaz(Columbia University) Tal Malkin(Columbia.
Succinct Functional Encryption: d Reusable Garbled Circuits and Beyond
RESOURCE GUIDE STORED PROGRAM CONCEPT. Understand how the von Neumann architecture is constructed. Understand how the von Neumann architecture works.
Non-Interactive Verifiable Computing August 5, 2009 Bryan Parno Carnegie Mellon University Rosario Gennaro, Craig Gentry IBM Research.
CS779 Term Project Steve Shoyer Section 5 December 9, 2006 Week 6.
Secure Computation Lecture Arpita Patra. Recap >> Improving the complexity of GMW > Step I: Offline: O(n 2 c AND ) OTs; Online: i.t., no crypto.
CURE: EFFICIENT CLUSTERING ALGORITHM FOR LARGE DATASETS VULAVALA VAMSHI PRIYA.
UC/Garbled Searchable Symmetric Encryption Kaoru Kurosawa Ibaraki University, Japan.
A Roadmap towards Machine Intelligence
Cryptography Against Physical Attacks Dana Dachman-Soled University of Maryland
CS523 Database Design Instructor : Somchai Thangsathityangkul You can download lecture note at Class Presence 10% Quiz 10%
CS555Spring 2012/Topic 81 Cryptography CS 555 Topic 8: Pseudorandom Functions and CPA Security.
The Parts of a Computer. The TOWER contains all of the parts of a computer.
CS555Spring 2012/Topic 151 Cryptography CS 555 Topic 15: HMAC, Combining Encryption & Authentication.
Verifiable Threshold Secret Sharing and Full Fair Secure Two-party Computation YE Jian-wei March 7, 2009.
The Many Faces of Garbled Circuits MIT Vinod Vaikuntanathan.
Multi-Party Computation r n parties: P 1,…,P n  P i has input s i  Parties want to compute f(s 1,…,s n ) together  P i doesn’t want any information.
The Exact Round Complexity of Secure Computation
The Exact Round Complexity of Secure Computation
Lower Bounds on Assumptions behind Indistinguishability Obfuscation
Carmit Hazay (Bar-Ilan University, Israel)
15.1 – Introduction to physical-Query-plan operators
iO with Exponential Efficiency
The Parts of a Computer QUIZ.
Laconic Oblivious Transfer and its Applications
Verifiable Oblivious Storage
Secure Multiparty RAM Computation in Constant Rounds
Cryptography for Quantum Computers
Making Secure Computation Practical
Rishab Goyal Venkata Koppula Brent Waters
Alessandra Scafuro Practical UC security Black-box protocols
Key Distribution Reference: Pfleeger, Charles P., Security in Computing, 2nd Edition, Prentice Hall, /18/2019 Ref: Pfleeger96, Ch.4.
Identity Based Encryption from the Diffie-Hellman Assumption
Path Oram An Extremely Simple Oblivious RAM Protocol
Presentation transcript:

Black-Box Garbled RAM Sanjam Garg UC Berkeley Based on join works with Steve Lu, Rafail Ostrovsky and Alessandra Scafuro

Two-party Secure Computation… Yao’s garbled circuits

RAM analogue of Garbled circuits Server User 𝑃, 𝑥 𝑃, 𝑥 𝑃(𝑥) If the running time of the program 𝑃 is 𝑇 then the corresponding circuit is of size 𝑇 3 . Communication complexity and computational complexity of both parties grows with 𝑇 3 .

More Ambitious: Garbled RAM [LO13,GHLORW14] Server User 𝑃 𝑖 , 𝑥 𝑖 𝑃 𝑖 ( 𝑥 𝑖 ) 𝑃 𝑖 , 𝑥 𝑖 Size of garbled database is 𝑂 𝐷 Communication and computation cost grows in 𝑂 𝑇 𝑖 Garbled circuits lead to a solution where the communication and computational cost per program grows with database size.

More Ambitious: Garbled RAM [LO13,GHLORW14] Server User 𝑃 𝑖 , 𝑥 𝑖 𝑃 𝑖 ( 𝑥 𝑖 ) 𝑃 𝑖 , 𝑥 𝑖 ORAM [Goldreich-Ostrovsky] Full-security: Server learns nothing but the output Unprotected Memory Access (UMA): Server learns access pattern. Garbled circuits lead to a solution where the communication and computational cost per program grows with database size.

Landscape: Garbled RAM Known results make non-black box use of OWFs [LO13, GHLORS14, GLOS15] OWF can’t be modeled as a random oracle Focus of this talk: do it using only black-box use of OWFs? Qualitatively better efficiency [GLO15] Not talk about succinct constructions based on iO [CHJV14, BGT14, LP14, KLW15, CH15, CCCLLZ15...]

Outline of the rest of the talk RAM model LO13 approach ([GHLORW13, GLOS15] are similar) Technical bottleneck in realizing black-box construction High level idea of black-box construction [GLO15]

RAM Model Writes require additional work but let’s ignore that! next index read 2 next index read 3 next index CPU step 1 CPU step 2 CPU step 3 Writes require additional work but let’s ignore that!

LO13 approach Use garbled circuits! next index next index next index read 1 next index read 2 next index read 3 next index CPU step 1 CPU step 2 CPU step 3 Use garbled circuits!

LO13 approach Translate what is in the memory 1) garbling memory read 1 next index read 2 next index read 3 next index CPU step 1 CPU step 2 CPU step 3 Translate what is in the memory 1) garbling memory 2) translate table How do reads work? Access pattern is revealed!

LO13 approach 𝑏 𝑖 𝑖 𝑃𝑅 𝐹 𝐾 (𝑖,𝑏 𝑖 ) STEP 1: garbling of the memory read 1 next index read 2 next index read 3 next index CPU step 1 CPU step 2 CPU step 3 PRF key K to garble

LO13 approach 𝑏 𝑖 𝑖 𝑃𝑅 𝐹 𝐾 (𝑖,𝑏 𝑖 ) 𝑗 𝑠 0 , 𝑠 1 STEP 2: translate table 𝑏 𝑖 𝑖 𝑃𝑅 𝐹 𝐾 (𝑖,𝑏 𝑖 ) 𝑗 read 1 next index read 2 next index read 3 next index 𝑠 0 , 𝑠 1 CPU step 1 CPU step 2 CPU step 3 K K K 𝐸𝑛𝑐(𝑃𝑅 𝐹 𝐾 𝑗,0 , 𝑠 0 ) PRF key K to garble 𝐸𝑛𝑐(𝑃𝑅 𝐹 𝐾 𝑗,1 , 𝑠 1 )

Technical Bottleneck The data needs to be encrypted so that the server doesn’t learn it! CPU step garbled circuits need to decrypt the read values internally Need of black-box use of cryptography seems inherent

GLO15 high level idea Garbled memory comprises of a collection of garbled circuits with data values hardwired in them Read implemented by a sub-routine call Control flow is passed to memory circuits

GLO15 – for one read only 𝑗, 𝑠 0 , 𝑠 1 𝑏 1 𝑏 2 ………

Memory no longer useful! GLO15 – for one read only Say 𝑗 = 2 𝑗, 𝑠 0 , 𝑠 1 Memory no longer useful! 𝑏 1 𝑏 2 ……… Outputs 𝑠 𝑏 2

GLO15 – for 𝑚 reads only Say 𝑗 = 2 Assume uniform memory accesses. 𝑏 1 𝑗, 𝑠 0 , 𝑠 1 ……… ……… ……… How many backups? How do we connect them? Assume uniform memory accesses. 𝑏 1 𝑏 2 ……… ……… ……… Outputs 𝑠 𝑏 2

How to connect backups? ……… ………

How to connect backups? ……… ………

How to connect backups? ……… ……… Problem: Number of keys hardcoded in each circuit needs to keep grow. But not all, because of uniform memory access 𝑇 reads can cause an imbalance of √𝑇

Our Fix: Moving window

Our Fix: Moving window Ensure that next unused children remain in window: Have 1 + 𝜖 times the garbled circuits needed and perform artificial consumption if lagging from window. Over-consumption beyond this does not happen

GLO15 – for unbounded reads Replenish memory in an oblivious way After 𝑚 reads have been performed, memory has been replenished to support 𝑚 more reads ……… Add more garbled circuits to each queue! This process can be amortized! ……… ……… 𝑏 1 𝑏 2 ……… ……… ………

Security proof - other issues Circularity issue Input labels of one garbled circuit are hardcoded in quite a few other garbled circuits We remove this issue in our final solution Input labels of one garbled circuit are provided by different sources at different times

Conclusion Remove this barrier Cryptography for RAM computation Secure RAM computation Typically large round complexity Barrier to efficiency – non-black box use Remove this barrier Expect consequences in efficient constructions with weaker security…

Thanks!

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.