Presentation is loading. Please wait.

Presentation is loading. Please wait.

Automating Efficient RAM- Model Secure Computation Chang Liu, Yan Huang, Elaine Shi, Jonathan Katz, Michael Hicks University of Maryland, College Park.

Published byFrank Cannon Modified over 9 years ago

Similar presentations

Presentation on theme: "Automating Efficient RAM- Model Secure Computation Chang Liu, Yan Huang, Elaine Shi, Jonathan Katz, Michael Hicks University of Maryland, College Park."— Presentation transcript:

1 Automating Efficient RAM- Model Secure Computation Chang Liu, Yan Huang, Elaine Shi, Jonathan Katz, Michael Hicks University of Maryland, College Park

2 Secure Computation My age is 16 I do not want Bob to know My age is 12 I do not want Alice to know Who is the oldest?

3 Secure Computation Traditional solutions use circuit abstraction >=16?12 No, I am older than Bob OT [Yao, 1982] Garbled Circuit

4 Binary Search Example int bs( alice int* a, bob int key, public int n) { int left=0, right=n; while(n>0) { int mid = (left+right)/2; if(a[mid]<key) left = mid + 1; else right = mid; n = (n+1)/2; } return left; } How to translate to circuit?

5 Binary Search Example int bs( alice int* a, bob int key, public int n) { int left=0, right=n; while(n>0) { int mid = (left+right)/2; if(a[mid]<key) left = mid + 1; else right = mid; n = (n+1)/2; } return left; } RAM-to-circuit compiler incurs O(N) cost for each dynamic memory access! Question: can we securely compute this in sub-linear time?

6 Binary Search Example int bs( alice int* a, bob int key, public int n) { int left=0, right=n; while(n>0) { int mid = (left+right)/2; if(a[mid]<key) left = mid + 1; else right = mid; n = (n+1)/2; } return left; } RAM-to-circuit compiler incurs O(N) cost for each dynamic memory access! Yes! Using Oblivious RAM

7 Oblivious RAM Hide access patterns Poly-logarithmic cost per access ORAM Scheme Read M[i] Implemented as secure computation ORAM Scheme [Goldreich and Ostrovsky, 1996] Hierarchical ORAM [Shi et al., 2011] Binary tree-based ORAM

8 RAM-model Secure Computation Binary Search Example int bs(alice int* a, bob int key, public int n) { int left=0, right=n; while(n>0) { int mid = (left+right)/2; if(a[mid]<key) left = mid + 1; else right = mid; n = (n+1)/2; } return left; } ORAM initialization of a

9 RAM-model Secure Computation Binary Search Example int bs(alice int* a, bob int key, public int n) { int left=0, right=n; while(n>0) { int mid = (left+right)/2; if(a[mid]<key) left = mid + 1; else right = mid; n = (n+1)/2; } return left; } left=0 right=n left=0 right=n

10 RAM-model Secure Computation Binary Search Example int bs(alice int* a, bob int key, public int n) { int left=0, right=n; while(n>0) { int mid = (left+right)/2; if(a[mid]<key) left = mid + 1; else right = mid; n = (n+1)/2; } return left; } Securely compute mid=(left+right)/2 Securely compute mid=(left+right)/2

11 RAM-model Secure Computation Binary Search Example int bs(alice int* a, bob int key, public int n) { int left=0, right=n; while(n>0) { int mid = (left+right)/2; if(a[mid]<key) left = mid + 1; else right = mid; n = (n+1)/2; } return left; } ORAM access a[mid]

12 RAM-model Secure Computation Binary Search Example int bs(alice int* a, bob int key, public int n) { int left=0, right=n; while(n>0) { int mid = (left+right)/2; if(a[mid]<key) left = mid + 1; else right = mid; n = (n+1)/2; } return left; } Compare a[mid]<key

13 RAM-Model Secure Computation: 2 scenarios Run-once tasks (e.g. Dijkstra Algorithm) Repeated Sublinear-time queries [Gordon et al., 2012]

14 Automating RAM-model Secure Computation SCVM Intermediate Representation Program in source language Secure computation protocol Programmer Crypto Non-Expert Front-end compiler Front-end compiler Back-end compiler Back-end compiler Type Checker UsabilityFormal SecurityEfficiency

15 Automating RAM-model Secure Computation SCVM Intermediate Representation Program in source language Secure computation protocol Programmer Front-end compiler Front-end compiler Back-end compiler Back-end compiler Type Checker UsabilityFormal SecurityEfficiency

16 Automating RAM-model Secure Computation SCVM Intermediate Representation Program in source language Secure computation protocol Programmer Front-end compiler Front-end compiler Back-end compiler Back-end compiler Type Checker UsabilityFormal SecurityEfficiency

17 Toward generating efficient protocol Instruction-trace obliviousness Memory-trace obliviousness Mixed-mode execution

18 Toward generating efficient protocol Instruction-trace obliviousness

19 Program counter leaks information The instructions being executed leak information if(a[mid] <key) l = mid + 1; else r = mid;

20 Program counter leaks information The instructions being executed leak information if(a[mid] <key) l = mid + 1; else r = mid;

21 Program counter leaks information The instructions being executed leak information if(a[mid] <key) l = mid + 1; else r = mid;

22 Program counter leaks information The instructions being executed leak information if(a[mid] <key) l = mid + 1; else r = mid; Universal Circuit Instruction Execute ALL instructions! INEFFICIENT! new pc value

23 Instruction-trace obliviousness if(a[mid] <key) l = mid + 1; else r = mid;t1=a[mid]; cmp = t1<key; t2=mid+1; l=mux(cmp, t2, l); r=mux(cmp, r, mid); Instruction-trace oblivious programs, e.g. straight-line programs, can avoid the universal circuit

24 Toward generating efficient protocol Instruction-trace obliviousness Memory-trace obliviousness

25 Memory Trace Obliviousness int count(public int n, alice int* data, bob int T) { int count = 0; for(int i=0; i<n; ++i) { if(data[i]==T) count = count+1; } data need not be stored in an ORAM RAM Linear scan

26 Memory Trace Obliviousness: SCVM Typing int count(public int n, alice int* data, bob int T) { int count = 0; for(int i=0; i<n; ++i) { if(data[i]==T) count = count+1; } int count(P int n, A int* data, B int T) { O int count = 0; for(P int i=0; i<n; ++i) { if(data[i]==T) count = count+1; }

27 Security Lattice and Type System P AB O Source Program: if(data[i]==T) count = count+1;

28 Security Lattice and Type System P AB O Source Program: if(data[i]==T) count = count+1;

29 Toward generating efficient protocol Instruction-trace obliviousness Memory-trace obliviousness Mixed-mode execution

30 Mix-mode Execution When code can be computed locally or publicly, a secure computation protocol is not necessary E.g. sorting the array before performing binary search.

31 Formal results

32 Evaluated Programs Run-once tasks KMP string matching algorithm Dijkstra’s shortest distance algorithm Inverse Permutation Aggregation over sliding windows Repeated query Binary Search Heap Data Structure

33 Implementation Compiler Implemented in Java A type checker that checks the output of the compiler Backend Garbled Circuit Simulator ORAM Binary tree-based ORAM from [Shi et al., 2011]

34 Performanc e Results Dijkstra’s Shortest Distance

35 Performance Results More results can be found in the paper

36 Conclusion and Future Work The first automated approach for RAM-model secure computation Intermediate Language SCVM for generating efficient secure computation protocol Evaluation shows a speedup of 1-2 orders of magnitude Future work Multiparty Malicious model

37 Thank you!

Download ppt "Automating Efficient RAM- Model Secure Computation Chang Liu, Yan Huang, Elaine Shi, Jonathan Katz, Michael Hicks University of Maryland, College Park."

Similar presentations

Polylogarithmic Private Approximations and Efficient Matching

Polylogarithmic Private Approximations and Efficient Matching
Efficient Private Approximation Protocols Piotr Indyk David Woodruff Work in progress.

Efficient Private Approximation Protocols Piotr Indyk David Woodruff Work in progress.
Quid-Pro-Quo-tocols Strengthening Semi-Honest Protocols with Dual Execution Yan Huang 1, Jonathan Katz 2, David Evans 1 1. University of Virginia 2. University.

Quid-Pro-Quo-tocols Strengthening Semi-Honest Protocols with Dual Execution Yan Huang 1, Jonathan Katz 2, David Evans 1 1. University of Virginia 2. University.
Yan Huang, David Evans, Jonathan Katz

Yan Huang, David Evans, Jonathan Katz
Oblivious Branching Program Evaluation

Oblivious Branching Program Evaluation
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.

Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
Efficient Information Retrieval for Ranked Queries in Cost-Effective Cloud Environments Presenter: Qin Liu a,b Joint work with Chiu C. Tan b, Jie Wu b,

Efficient Information Retrieval for Ranked Queries in Cost-Effective Cloud Environments Presenter: Qin Liu a,b Joint work with Chiu C. Tan b, Jie Wu b,
Wysteria: A Programming Language for Generic, Mixed-Mode Multiparty Computations Aseem Rastogi Matthew Hammer, Michael Hicks (University of Maryland, College.

Wysteria: A Programming Language for Generic, Mixed-Mode Multiparty Computations Aseem Rastogi Matthew Hammer, Michael Hicks (University of Maryland, College.
Rational Oblivious Transfer KARTIK NAYAK, XIONG FAN.

Rational Oblivious Transfer KARTIK NAYAK, XIONG FAN.
CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.

CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.
Amortizing Garbled Circuits Yan Huang, Jonathan Katz, Alex Malozemoff (UMD) Vlad Kolesnikov (Bell Labs) Ranjit Kumaresan (Technion) Cut-and-Choose Yao-Based.

Amortizing Garbled Circuits Yan Huang, Jonathan Katz, Alex Malozemoff (UMD) Vlad Kolesnikov (Bell Labs) Ranjit Kumaresan (Technion) Cut-and-Choose Yao-Based.
Introduction to Modern Cryptography, Lecture 12 Secure Multi-Party Computation.

Introduction to Modern Cryptography, Lecture 12 Secure Multi-Party Computation.
ORAM – Used for Secure Computation by Venkatasatheesh Piduri 1.

ORAM – Used for Secure Computation by Venkatasatheesh Piduri 1.
Yan Huang, Jonathan Katz, David Evans University of Maryland, University of Virginia Efficient Secure Two-Party Computation Using Symmetric Cut-and-Choose.

Yan Huang, Jonathan Katz, David Evans University of Maryland, University of Virginia Efficient Secure Two-Party Computation Using Symmetric Cut-and-Choose.
1 Dynamic Key-Updating: Privacy- Preserving Authentication for RFID Systems Li Lu, Lei Hu State Key Laboratory of Information Security, Graduate School.

1 Dynamic Key-Updating: Privacy- Preserving Authentication for RFID Systems Li Lu, Lei Hu State Key Laboratory of Information Security, Graduate School.
The Analytical Engine Module 6 Program Translation.

The Analytical Engine Module 6 Program Translation.
Course Overview CS221 – Advanced Programming Fall 2007 : Ray S. Babcock Computer Science Department Montana State University.

Course Overview CS221 – Advanced Programming Fall 2007 : Ray S. Babcock Computer Science Department Montana State University.
Chapter 8 Search and Sort Asserting Java ©Rick Mercer.

Chapter 8 Search and Sort Asserting Java ©Rick Mercer.
1 Introduction to Secure Computation Benny Pinkas HP Labs, Princeton.

1 Introduction to Secure Computation Benny Pinkas HP Labs, Princeton.
J. Michael Moore Searching & Sorting CSCE 110. J. Michael Moore Searching with Linear Search Many times, it is necessary to search an array to find a.

J. Michael Moore Searching & Sorting CSCE 110. J. Michael Moore Searching with Linear Search Many times, it is necessary to search an array to find a.

Similar presentations

Ads by Google