adaptively secure succinct garbled ram with persistent...
TRANSCRIPT
1
Adaptively Secure Succinct Garbled RAM with Persistent Memory
Ran Canetti, Yilei Chen, Justin Holmgren, Mariana Raykova
DIMACS workshopMIT Media LabJune 8~10, 2016
2
: June 11, 2016, Boston, heavy snow.
3
: June 11, 2016, Boston, heavy snow. Alice finds a quasi-polynomial time algorithm for factoring.
4
: June 11, 2016, Boston, heavy snow. Alice finds a quasi-polynomial time algorithm for factoring.
Alice
5
: June 11, 2016, Boston, heavy snow. Alice finds a quasi-polynomial time algorithm for factoring.
: Instead of submitting to STOC, she thinks it’s cool to write a program and show off to her friends.
6
> Factoring.hs RSA2048
7
> Factoring.hs RSA2048Running time 7 hrs 34 mins25195908475…20720357 = 83990...4079279 x 3091701...723883
Next question
8
: It is slow on her laptop (quasi-polynomial time, you know) … cannot fit into a party.
9
: It is slow on her laptop (quasi-polynomial time, you know) … cannot fit into a party.
: So she turns to cloud, but clouds are big brothers
10
: It is slow on her laptop (quasi-polynomial time, you know) … cannot fit into a party.
: So she turns to cloud, but clouds are big brothers
: She heard that one can delegate the computation in a way that the server learns only the output of the computation but nothing else
11
“My friends and NSA will be shocked by the runtime without learning anything other than the output”
12
“The algorithm has huge preprocessing, stores lots of non-zero points on the Zeta function ...”
“My friends and NSA will be shocked by the runtime without learning anything other than the output”
13
“The algorithm has huge preprocessing, stores lots of non-zero points on the Zeta function ...”
“My friends and NSA will be shocked by the runtime without learning anything other than the output”
“Wait ... the audiences already know too much.”
14
> sudo apt-get install FHE
15
> sudo apt-get install FHE> FHE Factoring.hs
16
> sudo apt-get install FHE> FHE Factoring.hsTurning the program into circuits ...
17
> sudo apt-get install FHE> FHE Factoring.hsTurning the program into circuits ...^C
18
> sudo apt-get install FHE> FHE Factoring.hsTurning the program into circuits ...^C>> sudo apt-get install Yao> Yao Factoring.hs
19
> sudo apt-get install FHE> FHE Factoring.hsTurning the program into circuits ...^C>> sudo apt-get install Yao> Yao Factoring.hsStill turning the program into circuits ...
#Yao
20
> sudo apt-get install FHE> FHE Factoring.hsTurning the program into circuits ...^C>> sudo apt-get install Yao> Yao Factoring.hsStill turning the program into circuits ...^C^C^C^C^C^C^C>
21
> sudo apt-get install GRAM_Lu_Ostrovsky> GRAM_Lu_Ostrovsky Factoring.hs
22
> sudo apt-get install GRAM_Lu_Ostrovsky> GRAM_Lu_Ostrovsky Factoring.hsWarning: Program size as big as the running time, continue (y) or not (n)
23
> sudo apt-get install GRAM_Lu_Ostrovsky> GRAM_Lu_Ostrovsky Factoring.hsWarning: Program size as big as the running time, continue (y) or not (n)n>
24
> sudo apt-get install PRAM
25
> sudo apt-get install PRAM> PRAM Factoring.hs
26
> sudo apt-get install PRAM> PRAM Factoring.hsDone -> PRAM_Factoring
27
> sudo apt-get install PRAM> PRAM Factoring.hsDone -> PRAM_Factoring> PRAM_Factoring RSA2048
28
> sudo apt-get install PRAM> PRAM Factoring.hsDone -> PRAM_Factoring> PRAM_Factoring RSA2048Warning: cannot adaptively choose functions or inputs, security at user’s own risk, continue (y) or not (n)
29
> sudo apt-get install PRAM> PRAM Factoring.hsDone -> PRAM_Factoring> PRAM_Factoring RSA2048Warning: cannot adaptively choose functions or inputs, security at user’s own risk, continue (y) or not (n)n
30
“Don’t turn into circuits, don’t blow up too much”
“Adaptively pick integers”
“Huge amount of preprocessed data reusable”
31
Garbling/randomized encoding for RAM with persistent memory
32
Garbling/randomized encoding for RAM with persistent memory
mskGen =>
33
Garbling/randomized encoding for RAM with persistent memory
D0
mskGen =>
msk + => G(D0)
34
Garbling/randomized encoding for RAM with persistent memory
D0
mskGen =>
msk + => G(D0)
P1msk + => G(P1)
35
Garbling/randomized encoding for RAM with persistent memory
D0
mskGen =>
msk + => G(D0)
P1msk + => G(P1)
G(P1)Eval G(D0) => P1(D0)
36
Garbling/randomized encoding for RAM with persistent memory
D0
mskGen =>
msk + => G(D0)
P1msk + => G(P1)
G(P1)Eval G(D0) => G(D1)P1(D0)
Persistency
37
Garbling/randomized encoding for RAM with persistent memory
D0
mskGen =>
msk + => G(D0)
P1msk + => G(P1)
G(P1)Eval G(D0) => G(D1)P1(D0)
P2msk + => G(P2)
Persistency
38
Garbling/randomized encoding for RAM with persistent memory
D0
mskGen =>
msk + => G(D0)
P1msk + => G(P1)
G(P1)Eval G(D0) => G(D1)P1(D0)
P2msk + => G(P2)
G(P2)Eval G(D1) => G(D2)P2(D1)
...
Persistency
39
Garbling/randomized encoding for RAM with persistent memory
D0
G(D0)
P1
G(P1)
Succinct
40
Garbling/randomized encoding for RAM with persistent memory
?
?
P1(D0)
Adaptively simulation
secure
41
Garbling/randomized encoding for RAM with persistent memory
? => G(D0)
? => G(P1)
G(P1)G(D0) <= G(D1)P1(D0)
Adaptively simulation
secure
42
Garbling/randomized encoding for RAM with persistent memory
? => G(D0)
? => G(P1)
G(P1)G(D0) <= G(D1)P1(D0)
?
G(D1) P2(D1)
Adaptively simulation
secure
43
Garbling/randomized encoding for RAM with persistent memory
? => G(D0)
? => G(P1)
G(P1)G(D0) <= G(D1)P1(D0)
? => G(P2)
G(P2)G(D1) <= G(D2)P2(D1)
Adaptively simulation
secure
44
Theorem
45
[Main Theorem]
Adaptively secure succinct garbled RAM with persistent memoryfrom indistinguishability obfuscation for circuits, and poly-to-1 collision-resistant hash function.
46
Starring
47
Indistinguishability Obfuscator
48
iO[ F0 ] ≈ iO[ F1 ]
if F0 and F1 have identical functionality
Indistinguishability Obfuscator for circuits
Candidate constructions:[Garg-Gentry-Halevi-Raykova-Sahai-Waters ‘13], [Barak-Garg-Kalai-Paneth-Sahai ‘14], [Brakerski-Rothblum ‘14], [Pass-Seth-Telang ‘14], [Zimmerman ‘15], [Applebaum-Brakerski ‘15], [Ananth-Jain ‘15], [Bitansky-Vaikuntanathan ‘15], [Gentry-Gorbunov-Halevi ‘15], [Lin ‘16], …
Cryptanalyses:[Cheon-Han-Lee-Ryu-Stehle ‘15], [Coron et al ‘15], [Miles-Sahai-Zhandry ‘16], ...
Defined by [Barak-Goldreich-Impagliazzo-Rudich-Sahai-Vadhan-Yang ‘01]
Security:
49
Poly-to-oneCollision Resistant Hash function
50
Poly-to-one collision resistant hash functions
H is collision resistant + each image has at most poly preimages.
[Thm] Exists for constant c, assuming Factoring or Discrete-log is hard.
51
The rest of the talk:
1. The main idea of the construction. 2. The technical heart: adaptively-enforceable accumulator.3. Wrap up, and the easiest ways to think of our scheme.
52
Starting point: Canetti-Holmgren’s selective secure scheme.
53
Starting point: Canetti-Holmgren’s selective secure scheme.
High-level idea of the Canetti-Holmgren construction:Garble the CPU-step circuit, encrypt and authenticate the intermediate states, memories.
54
You never know how hard it is to use iO before actually play with it.
[ said Justin Holmgren, June 22, 2015, sunny ]
55
Starting point: Canetti-Holmgren’s selective secure scheme.
High-level idea of the Canetti-Holmgren construction:Garble the CPU-step circuit, encrypt and authenticate the intermediate states, memories.
Canetti-Holmgren scheme details:Fixed-transcript => Fixed-access => Fixed-address => Fully secure
56
Starting point: Canetti-Holmgren’s selective secure scheme.
High-level idea of the Canetti-Holmgren construction:Garble the CPU-step circuit, encrypt and authenticate the intermediate states, memories.
Canetti-Holmgren scheme details:Fixed-transcript => Fixed-access => Fixed-address => Fully secure
Indistinguishable as long as transc = (q, op) are the same.[KLW-technique]
57
Starting point: Canetti-Holmgren’s selective secure scheme.
High-level idea of the Canetti-Holmgren construction:Garble the CPU-step circuit, encrypt and authenticate the intermediate states, memories.
Canetti-Holmgren scheme details:Fixed-transcript => Fixed-access => Fixed-address => Fully secure
Indistinguishable as long as transc = (q, op) are the same.[KLW-technique]
q can be different[encrypt the state]
58
Starting point: Canetti-Holmgren’s selective secure scheme.
High-level idea of the Canetti-Holmgren construction:Garble the CPU-step circuit, encrypt and authenticate the intermediate states, memories.
Canetti-Holmgren scheme details:Fixed-transcript => Fixed-access => Fixed-address => Fully secure
Indistinguishable as long as transc = (q, op) are the same.[KLW-technique]
q can be different[encrypt the state]
Memory content can be different[encrypt the data]
59
Starting point: Canetti-Holmgren’s selective secure scheme.
High-level idea of the Canetti-Holmgren construction:Garble the CPU-step circuit, encrypt and authenticate the intermediate states, memories.
Canetti-Holmgren scheme details:Fixed-transcript => Fixed-access => Fixed-address => Fully secure
Indistinguishable as long as transc = (q, op) are the same.[KLW-technique]
q can be different[encrypt the state]
Memory content can be different[encrypt the data]
Hide access pattern.[oram]
60
Starting point: Canetti-Holmgren’s selective secure scheme.
High-level idea of the Canetti-Holmgren construction:Garble the CPU-step circuit, encrypt and authenticate the intermediate states, memories.
Canetti-Holmgren scheme details:Fixed-transcript => Fixed-access => Fixed-address => Fully secure
Indistinguishable as long as transc = (q, op) are the same.[KLW-technique]
q can be different[encrypt the state]
Memory content can be different[encrypt the data]
Hide access pattern.[oram]
61
Canetti-Holmgren (ITCS16)
62
Canetti-Holmgren (ITCS16) + Zoom-in the core step:
63
Canetti-Holmgren (ITCS16) + Zoom-in the core step:
Koppula-Lewko-Waters (STOC15)(iO-friendly) Iterator(iO-friendly) Accumulator(iO-friendly) Splittable signature
64
Canetti-Holmgren (ITCS16) + Zoom-in the core step:
Koppula-Lewko-Waters (STOC15)(iO-friendly) Iterator(iO-friendly) Accumulator(iO-friendly) Splittable signature
What is written in eprint 2015/1074
Accumulator iO-friendly Merkle-tree
65
Canetti-Holmgren (ITCS16) + Zoom-in the core step:
Koppula-Lewko-Waters (STOC15)(iO-friendly) Iterator(iO-friendly) Accumulator(iO-friendly) Splittable signature
What is written in eprint 2015/1074
Accumulator iO-friendly Merkle-tree
initi
alize
G(D0)
66
Canetti-Holmgren (ITCS16) + Zoom-in the core step:
Koppula-Lewko-Waters (STOC15)(iO-friendly) Iterator(iO-friendly) Accumulator(iO-friendly) Splittable signature
What is written in eprint 2015/1074
Accumulator iO-friendly Merkle-tree
initi
alize
Authenticate
G(D0)
G(Pi+1)
key
67
Canetti-Holmgren (ITCS16) + Zoom-in the core step:
Koppula-Lewko-Waters (STOC15)(iO-friendly) Iterator(iO-friendly) Accumulator(iO-friendly) Splittable signature
What is written in eprint 2015/1074
Accumulator iO-friendly Merkle-tree
initi
alize
Authenticate
update
G(D0)
G(Pi+1)
G(Di+1)
key
68
Canetti-Holmgren (ITCS16) + Zoom-in the core step:++ Zoom-in the accumulator
69
Canetti-Holmgren (ITCS16) + Zoom-in the core step:++ Zoom-in the accumulator
Properties needed for the Accumulator- Normal property like a Merkle-tree.
#Merkletree
70
Canetti-Holmgren (ITCS16) + Zoom-in the core step:++ Zoom-in the accumulator
Properties needed for the Accumulator- Normal property like a Merkle-tree.
#Merkletree
71
Canetti-Holmgren (ITCS16) + Zoom-in the core step:++ Zoom-in the accumulator
Properties needed for the Accumulator- Normal property like a Merkle-tree.
#Merkletree
72
Canetti-Holmgren (ITCS16) + Zoom-in the core step:++ Zoom-in the accumulator
Properties needed for the Accumulator- Normal property like a Merkle-tree.
#Merkletree
73
Canetti-Holmgren (ITCS16) + Zoom-in the core step:++ Zoom-in the accumulator
Properties needed for the Accumulator- Normal property like a Merkle-tree.- Enforcement (iO-friendly property):
there’s only one preimage x* of the current root value y*.
#Merkletree
y*
x*
74
Canetti-Holmgren (ITCS16) + Zoom-in the core step:++ Zoom-in the accumulator
Properties needed for the Accumulator- Normal property like a Merkle-tree.- Enforcement (iO-friendly property):
there’s only one preimage x* of the current root value y*.
Impossible information theoretically.
#Merkletree
y*
x*
75
Canetti-Holmgren (ITCS16) + Zoom-in the core step:++ Zoom-in the accumulator
Properties needed for the Accumulator- Normal property like a Merkle-tree.- Enforcement (iO-friendly property):
there’s only one preimage x* of the current root value y*.
Impossible information theoretically.
KLW’s computational enforcement: Normal.Gen( )->HEnforce.Gen( x*, y*)->H*, H ≈ H*
#Merkletree
y*
x*
76
Canetti-Holmgren (ITCS16) + Zoom-in the core step:++ Zoom-in the accumulator
Properties needed for the Accumulator- Normal property like a Merkle-tree.- Enforcement (iO-friendly property):
there’s only one preimage x* of the current root value y*.
Impossible information theoretically.
KLW’s computational enforcement: Normal.Gen( )->HEnforce.Gen( x*, y*)->H*, H ≈ H*
Alternatively: SSB hashing => [Ananth-Chen-Chung-Lin-Lin]
#Merkletree
y*
x*
77
Selective Enforcing Adaptive Enforcing
78
Selective Enforcing Adaptive Enforcing
x* <= Adversary
79
Gen( ) => H
Selective Enforcing Adaptive Enforcing
Enforcing(x*, y*) => H*
x* <= Adversary
80
Gen( ) => H
Selective Enforcing Adaptive Enforcing
Enforcing(x*, y*) => H*
Gen( ) => Hx* <= Adversary
81
Gen( ) => H
Selective Enforcing Adaptive Enforcing
Enforcing(x*, y*) => H*
Gen( ) => H
x* <= Adversary(H)
x* <= Adversary
82
Gen( ) => H
Selective Enforcing Adaptive Enforcing
Enforcing(x*, y*) => H*
Gen( ) => H
Enforcing(x*, y*) => H*
x* <= Adversary(H)
x* <= Adversary
83
( … wait, what?)
Gen( ) => H
Selective Enforcing Adaptive Enforcing
Enforcing(x*, y*) => H*
Gen( ) => H
Enforcing(x*, y*) => H*
x* <= Adversary(H)
x* <= Adversary
84
#Mindblowing
85
Fact ICan separate the key
86
What is written in eprint 2015/1074
Accumulator iO-friendly Merkle-tree
initi
alize
Authenticate
update
G(D0)
G(Pi+1)
G(Di+1)
key
key hk vk= +
87
What is written in eprint 2015/1074
Accumulator iO-friendly Merkle-tree
initi
alize
Authenticate
update
G(D0)
G(Pi+1)
G(Di+1)
key
key hk vk= +
hk
vk
hk
88
Adaptive Enforcing
hk
89
Adaptive Enforcing
x* <= Adversary( hk )
hk
90
Adaptive Enforcing
x* <= Adversary( hk )
hk
vk vk*(x*) ≈
91
Fact IIIf you believe diO ...
92
Adaptive Enforcingkey hk vk= +
93
Adaptive Enforcingkey hk vk= +
hk
always_hk_Gen( ) -> hk := CRHF key h
94
Adaptive Enforcing
x* <= Adversary(H)
key hk vk= +
hk
always_hk_Gen( ) -> hk := CRHF key h
95
Adaptive Enforcing
x* <= Adversary(H)
key hk vk= +
hk
vk
always_hk_Gen( ) -> hk := CRHF key h
normal_vk_Gen( ) -> vk vk(x,y) = diO( if h(x)=y, output 1; else: output 0 )
96
Adaptive Enforcing
x* <= Adversary(H)
key hk vk= +
hk
vk vk*(x*)
always_hk_Gen( ) -> hk := CRHF key h
normal_vk_Gen( ) -> vk vk(x,y) = diO( if h(x)=y, output 1; else: output 0 )
enforce_vk_Gen( x*, y* ) -> vk* vk*(x,y) = diO( if y!=y* and h(x)=y, output 1; Elseif y=y* and x=x*, output 1; Else: output 0 )
≈
97
Fact III:If you don’t believe diO, can still do this with iO.
98
From iO + preimage-bounded CRHF:
c-to-1 CRHF can be constructed from discrete-log or factoring
99
From iO + preimage-bounded CRHF:
c-to-1 CRHF can be constructed from discrete-log or factoring
enforce_vk( x*, y* ) -> vk* vk*(x,y) = diO( if y!=y* and h(x)=y, output 1; Elseif y=y* and x=x*, output 1; Else: output 0 )
100
From iO + preimage-bounded CRHF:
c-to-1 CRHF can be constructed from discrete-log or factoring
enforce_vk( x*, y* ) -> vk* vk*(x,y) = diO( if y!=y* and h(x)=y, output 1; Elseif y=y* and x=x*, output 1; Else: output 0 )
By diO-iO equivalence lemma [ Boyle-Chung-Pass ‘14 ]:“ If f1 and f2 differ only on polynomially many input-output values, and they are hard to find, then iO(f1) ≈ iO(f2) ”
101
From iO + preimage-bounded CRHF:
c-to-1 CRHF can be constructed from discrete-log or factoring
enforce_vk( x*, y* ) -> vk* vk*(x,y) = diO( if y!=y* and h(x)=y, output 1; Elseif y=y* and x=x*, output 1; Else: output 0 )
From shrinking 1 bit to length-halving: Merkle-Damgaard.
102
Fact IV:Adaptive Enforceable
Accumulator done
103
Rest of the upgrades:
Canetti-Holmgren scheme details:Fixed-transcript => Fixed-access => Fixed-address => Fully secure
Indistinguishable as long as transc = (q, op) are the same.[KLW-technique. Assume iO]
q can be different[encrypt the state]
Memory content can be different[encrypt the data]
Hide access pattern.[oram]
104
Rest of the upgrades:
Canetti-Holmgren scheme details:Fixed-transcript => Fixed-access => Fixed-address => Fully secure
Indistinguishable as long as transc = (q, op) are the same.[KLW-technique. Assume iO]
q can be different[encrypt the state]
Memory content can be different[encrypt the data]
Hide access pattern.[oram]
+ adaptively enforceable accumulator [ from iO+dlog or factoring ]
105
Rest of the upgrades:
Canetti-Holmgren scheme details:Fixed-transcript => Fixed-access => Fixed-address => Fully secure
Indistinguishable as long as transc = (q, op) are the same.[KLW-technique. Assume iO]
q can be different[encrypt the state]
Memory content can be different[encrypt the data]
Hide access pattern.[oram]
Need a special property of the ORAM“Strong local randomness”, satisfied by Chung-Pass ORAM.With this property, can “guess” polynomially many addresses.
+ adaptively enforceable accumulator [ from iO+dlog or factoring ]
106
Rest of the upgrades:
Canetti-Holmgren scheme details:Fixed-transcript => Fixed-access => Fixed-address => Fully secure
Indistinguishable as long as transc = (q, op) are the same.[KLW-technique. Assume iO]
q can be different[encrypt the state]
Memory content can be different[encrypt the data]
Hide access pattern.[oram]
Need a special property of the ORAM“Strong local randomness”, satisfied by Chung-Pass ORAM.With this property, can “guess” polynomially many addresses.
[Ananth-Chen-Chung-Lin-Lin, eprint 2015/1082] can be viewed as accomplishing this for all the steps.
+ adaptively enforceable accumulator [ from iO+dlog or factoring ]
SSB hash [Hubacek-W
ichs]
[OPWW
]
107
Summary
1. Adaptively secure garbled RAM with persistent memory. 2. Everything is succinct.3. Upgrading to delegation with verifiability is almost for free.4. “Reusability” is natural.5. New iO-friendly tool: adaptively-enforceable accumulator (from
iO+Preimage-bounded-CRHF)
108
Scenes
109
110
> sudo apt-get install GRAM_Canetti_Holmgren
111
> sudo apt-get install GRAM_Canetti_Holmgrenpackage indistinguishability_obfuscation not an accepted assumption, security at user’s own risk, continue (y) or not (n)
112
> sudo apt-get install GRAM_Canetti_Holmgrenpackage indistinguishability_obfuscation not an accepted assumption, security at user’s own risk, continue (y) or not (n)y
113
> sudo apt-get install GRAM_Canetti_Holmgrenpackage indistinguishability_obfuscation not an accepted assumption, security at user’s own risk, continue (y) or not (n)y> upgrade GRAM_CCHRDone
114
> sudo apt-get install GRAM_Canetti_Holmgrenpackage indistinguishability_obfuscation not an accepted assumption, security at user’s own risk, continue (y) or not (n)y> upgrade GRAM_CCHRDone > NSAcloud: GRAM_CCHR_Factoring RSA2048
115
> sudo apt-get install GRAM_Canetti_Holmgrenpackage indistinguishability_obfuscation not an accepted assumption, security at user’s own risk, continue (y) or not (n)y> upgrade GRAM_CCHRDone > NSAcloud: GRAM_CCHR_Factoring RSA2048Running time 1.0s25195908475…20720357 = 83990...4079279 x 3091701...723883
Next question