
Garbled RAM, Revisited. Daniel Wichs (Northeastern University). Joint work with: Craig Gentry, Shai Halevi, Steve Lu, Rafail Ostrovsky, Mariana Raykova.

Presentation transcript:

1 Garbled RAM, Revisited. Daniel Wichs (Northeastern University). Joint work with: Craig Gentry, Shai Halevi, Steve Lu, Rafail Ostrovsky, Mariana Raykova

2 Goals of Garbled RAM: An analogue of Yao garbled circuits [Yao82] that directly garbles Random Access Machines (RAM). Avoid efficiency loss of converting a RAM to a circuit. – Google search vs. reading the Internet. First proposed/constructed by [Lu-Ostrovsky 13]. – Proof of security contains subtle flaw (circularity problem). This work: new constructions with provable security.

3 Garbled RAM Definition Client Server secret: k

4 Garbled RAM Definition Client Server secret: k

5 Weak vs. Full Security

6 Overview of [Lu-Ostrovsky 13]. For now: read-only computation.

7 [Diagram labels: Memory; Data D; CPU Step 1; Read location: i; read bit; CPU Step 2; state; …]

8 [Diagram labels: Memory; Data D; CPU Step 1; Read location: i; read bit; CPU Step 2; state; …; garbled circuit; garbled; GProg; GInp]

9 [Diagram labels: CPU Step 1; Read location: i; read bit; CPU Step 2; state; …; garbled circuit; garbled; GProg; GInp; GData]

10 [Diagram labels: CPU Step 1; Read location: i; read bit; CPU Step 2; state; …; garbled circuit; garbled; GProg; GInp; GData; PRF Key: k]

11 Let’s try to prove security… [Diagram labels: CPU Step 1; PRF Key: k; Read location: i; read bit; CPU Step 2; state; garbled circuit; garbled; …]

12 Use security of 1st garbled circuit: only learn output. [Diagram labels: read bit; state; CPU Step 2; PRF Key: k; garbled circuit; labels; garbled state; …]

13 Use security of 1st garbled circuit: only learn output (assume D[i]=1). [Diagram labels: read bit; state; CPU Step 2; PRF Key: k; garbled circuit; labels; garbled state; …]

14 Use security of 2nd garbled circuit; use security of Encryption/PRF; don’t learn PRF key k. [Diagram labels: read bit; state; CPU Step 2; PRF Key: k; garbled circuit; labels; garbled state; …]

15 Circularity* Problem! * May appear rectangular

16 So is it secure? Perhaps, but… – No proof. – No “simple” circularity assumption on one primitive.
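
The read step that the [Lu-Ostrovsky 13] overview slides sketch, and the circular dependency from slides 11 to 15, as an added simplified example that is not from the presentation. HMAC-SHA256 as the PRF, the toy `enc`/`dec`, all function names and the sample memory are assumptions; the garbled circuits themselves are not modelled.

```python
import hashlib, hmac, secrets

def prf(k, i, b):
    # F_k(i, b); HMAC-SHA256 stands in for the PRF (assumption).
    return hmac.new(k, i.to_bytes(8, "big") + bytes([b]), hashlib.sha256).digest()

def _pad(key, n):
    return hashlib.sha256(b"pad" + key).digest()[:n]

def _tag(key):
    return hashlib.sha256(b"tag" + key).digest()[:8]

def enc(key, label):
    # Toy one-time encryption of a 16-byte label; the tag lets a wrong key be rejected.
    return _tag(key) + bytes(x ^ y for x, y in zip(label, _pad(key, len(label))))

def dec(key, ct):
    if not hmac.compare_digest(ct[:8], _tag(key)):
        return None
    return bytes(x ^ y for x, y in zip(ct[8:], _pad(key, len(ct) - 8)))

def garble_data(k, data):
    # GData: location i holds F_k(i, D[i]) in place of the bit D[i].
    return [prf(k, i, bit) for i, bit in enumerate(data)]

def cpu_step_read(k, i, next_labels):
    # Output of garbled CPU step 1 (k hard-coded) for "read location i":
    # the read-bit wire labels of CPU step 2, each encrypted under F_k(i, b).
    cts = [enc(prf(k, i, b), next_labels[b]) for b in (0, 1)]
    secrets.SystemRandom().shuffle(cts)  # do not reveal which ciphertext is for which bit
    return cts

def server_read(gdata, i, cts):
    # The server holds only GData[i], so exactly one ciphertext opens.
    opened = [m for m in (dec(gdata[i], ct) for ct in cts) if m is not None]
    return opened[0] if len(opened) == 1 else None

def open_with_k(k, i, cts):
    # Anyone holding k opens both ciphertexts. k is hard-coded in CPU step 2,
    # whose garbling is only secure if the server has ONE label per wire:
    # the circular dependency the proof attempt runs into.
    return {m for b in (0, 1) for ct in cts if (m := dec(prf(k, i, b), ct)) is not None}

if __name__ == "__main__":
    k = secrets.token_bytes(32)
    data = [1, 0, 1, 1]  # constructed memory contents
    labels = (secrets.token_bytes(16), secrets.token_bytes(16))
    gdata = garble_data(k, data)
    for i, bit in enumerate(data):
        cts = cpu_step_read(k, i, labels)
        print(i, server_read(gdata, i, cts) == labels[bit], len(open_with_k(k, i, cts)))
```
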

17 Can we fix it? Yes! Fix 1: – Using identity-based encryption (IBE). Fix 2: – Only use one-way functions. – Bigger overhead.

18 The Fix Public-key instead of symmetric-key encryption. – Garbled circuits have hard-coded public key. – Break circularity: security of ciphertexts holds even given public-key hard-coded in all garbled circuits. Caveat: need identity-based encryption (IBE) – Original solution used “Sym-key IBE”.

19 [Diagram labels: Garbled Memory; …; Read location: i; read bit; CPU Step 1; CPU Step 2; PRF Key: k; state; Encrypt to identities (i,0) and (i,1); Master SK]

20 [Diagram labels: Garbled Memory; …; Read location: i; read bit; CPU Step 1; CPU Step 2; MPK; state; Encrypt to identities (i,0) and (i,1); Master PK]

21 How to allow writes? Predictably-Timed Writes: Whenever read location i, “know” its last-write-time u. [Diagram labels: CPU Step 1; Read location i; read bit; CPU Step 2; state; …; Write location j, bit b; Any Program; Compiler]


24 Timed IBE (TIBE): restricted notion of HIBE.


26 [Diagram labels: CPU Step 1; read bit; CPU Step 2; state; Garbled Memory; …]

27 [Diagram labels: CPU Step 1; Read: i, (last-write time: u); read bit; CPU Step 2; state; Garbled Memory; …; Write: i’, bit b]


29 Thank You!

