
A Language for Probabilistically Oblivious Computation David Darais - PowerPoint PPT Presentation



  1. A Language for Probabilistically Oblivious Computation
     David Darais, Ian Sweet, Chang Liu, Michael Hicks

  2. Secure Storage
     [Diagram: You ↔ Cloud storage. Example accesses: S[42] ← secret; s = S[42]; S[s] ← secret]
     Implementation = encrypt the data
     Read/write indices are in the clear, so they cannot depend on secrets

  3. Oblivious RAM
     [Diagram: the same accesses (S[42] ← secret; s = S[42]; S[s] ← secret) routed through an ORAM between You and the Cloud]
     Implementation = encrypt the data and garble indices
     Read/write indices can depend on secrets

  4. λ-obliv

  5–6. λ-obliv …is for implementing oblivious algorithms
     - Secure databases and secure multiparty computation
     - Types, semantics, and proofs for probabilistic programs
     - Publicly available implementation
     [Diagram: Oblivious RAM supporting S[secret] (read) and S[secret] ← secret (write)]

  7. Outline: ORAM basics / λ-obliv design / λ-obliv proof

  8. Memory Trace Obliviousness (MTO)
     Adversary can see: public values, the program counter, memory (and array) access patterns
     Adversary can't see: secret values
     MTO holds if the adversary cannot infer secret values from these observations

  9–11. Baby Not-secure ORAM
     -- upload secrets
     S[0] ← s₀               -- write secret 0        adversary observes: 0
     S[1] ← s₁               -- write secret 1        adversary observes: 1
     -- read secret index s
     r = S[s]                -- NOT OK                adversary observes: s
     Violates Memory Trace Obliviousness (MTO): the observed index is the secret itself.

  12–14. Baby Trivial ORAM
     -- upload secrets
     S[0] ← s₀               -- write secret 0        adversary observes: 0
     S[1] ← s₁               -- write secret 1        adversary observes: 1
     -- read secret index s
     r₀ = S[0]               -- read secret 0         adversary observes: 0
     r₁ = S[1]               -- read secret 1         adversary observes: 1
     r, _ = mux(s, r₀, r₁)   -- MTO: the selection happens in registers, not at a secret index
     Satisfies MTO, but inefficient: every read touches the whole array.

  15. Probabilistic Memory Trace Obliviousness (PMTO)
     Adversary can see: public values, the program counter, memory (and array) access patterns
     Adversary can't see: secret values AND random samples (coin flips)
     PMTO holds if the adversary cannot infer secret values from these observations

  16. Baby Tree ORAM
     -- upload secrets
     b = flip-coin()                -- randomness
     s₀′, s₁′ = mux(b, s₀, s₁)
     S[0] ← s₀′                     -- write secret 0 or 1
     S[1] ← s₁′                     -- write secret 1 or 0
     -- read secret index s
     r = S[b ⊕ s]
     Violates secure data/information flow (the public index b ⊕ s depends on the secret s)
     Satisfies Probabilistic Memory Trace Obliviousness (PMTO)

  17–20. Baby Tree ORAM (same program as slide 16)
     Truth table for b ⊕ s:
       b   s   b ⊕ s
       0   0   0
       1   0   1
       0   1   1
       1   1   0
     Observation b ⊕ s = 1 is consistent with (b, s) = (1, 0) and with (0, 1); observation b ⊕ s = 0 with (0, 0) and (1, 1). In either case s = 0 and s = 1 remain equally likely, so the observed index reveals nothing about s.
     But output(b) after S[b ⊕ s] would be problematic! Knowing both b and b ⊕ s determines s.
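The three "baby" programs above can be checked mechanically: enumerate every coin flip, record the index trace the adversary sees, and compare the trace distributions for s = 0 and s = 1. The following is an added example written for this page, not code from the slides or from the λ-obliv implementation. It assumes a two-slot array, that `mux(c, x, y)` returns `(x, y)` when c = 0 and `(y, x)` when c = 1 (the convention under which the slide programs return S[s]), and adds a fourth program, `leaky_tree_oram`, that models the "output(b) after S[b ⊕ s]" mistake.

```python
"""Added example (not from the slides): simulate the baby ORAM programs
against an adversary who sees every array index accessed, and check MTO
and PMTO by enumerating all coin flips."""
from collections import Counter
from itertools import product


def mux(sel, x, y):
    """Oblivious swap: (x, y) if sel == 0 else (y, x).  Assumed convention."""
    return (x, y) if sel == 0 else (y, x)


class Storage:
    """Two-slot array that records the access pattern the adversary observes."""

    def __init__(self):
        self.cells = [None, None]
        self.trace = []  # ("r"/"w", index) in access order

    def write(self, i, v):
        self.trace.append(("w", i))
        self.cells[i] = v

    def read(self, i):
        self.trace.append(("r", i))
        return self.cells[i]


def not_secure_oram(s, secrets, coins):
    S = Storage()
    S.write(0, secrets[0]); S.write(1, secrets[1])
    r = S.read(s)                       # index depends directly on the secret
    return r, tuple(S.trace)


def trivial_oram(s, secrets, coins):
    S = Storage()
    S.write(0, secrets[0]); S.write(1, secrets[1])
    r0, r1 = S.read(0), S.read(1)       # touch every slot ...
    r, _ = mux(s, r0, r1)               # ... then select without a secret index
    return r, tuple(S.trace)


def tree_oram(s, secrets, coins):
    b = coins[0]                        # one uniform coin, hidden from the adversary
    s0p, s1p = mux(b, secrets[0], secrets[1])   # secret i now lives at slot b xor i
    S = Storage()
    S.write(0, s0p); S.write(1, s1p)
    r = S.read(b ^ s)
    return r, tuple(S.trace)


def leaky_tree_oram(s, secrets, coins):
    """Same as tree_oram but publishes b afterwards (the slide's 'problematic' case)."""
    r, trace = tree_oram(s, secrets, coins)
    return r, trace + (("out", coins[0]),)


def trace_distribution(prog, s, secrets=("A", "B"), n_coins=1):
    """Probability of each observable trace for a fixed s, over all coin outcomes.
    Also reports whether the program always returned the right secret."""
    dist, correct = Counter(), True
    for coins in product((0, 1), repeat=n_coins):
        r, trace = prog(s, secrets, coins)
        correct &= (r == secrets[s])
        dist[trace] += 1
    total = sum(dist.values())
    return {t: c / total for t, c in dist.items()}, correct


def is_mto(prog):
    """MTO: a single trace, identical for s = 0 and s = 1 (no randomness involved)."""
    d0, ok0 = trace_distribution(prog, 0)
    d1, ok1 = trace_distribution(prog, 1)
    return ok0 and ok1 and len(d0) == 1 and d0 == d1


def is_pmto(prog):
    """PMTO: the distribution over traces is identical for s = 0 and s = 1."""
    d0, ok0 = trace_distribution(prog, 0)
    d1, ok1 = trace_distribution(prog, 1)
    return ok0 and ok1 and d0 == d1


def summarize():
    progs = [not_secure_oram, trivial_oram, tree_oram, leaky_tree_oram]
    return {p.__name__: (is_mto(p), is_pmto(p)) for p in progs}


if __name__ == "__main__":
    for name, (mto, pmto) in summarize().items():
        print(f"{name:18s} MTO={mto!s:5s} PMTO={pmto}")
```

Running it reproduces the slides' verdicts: the not-secure ORAM satisfies neither property, the trivial ORAM satisfies both, the tree ORAM satisfies PMTO but not MTO (its trace varies with the coin), and revealing b afterwards breaks PMTO because the pair (b, b ⊕ s) pins down s.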

  21. Outline: ORAM basics / λ-obliv design / λ-obliv proof

  22. λ-obliv design challenge
     How to:
     - allow direct flows from uniform secrets to public values
     - prevent revealing any value correlated with a secret

  23–28. λ-obliv features
     Types:
       τ ⩴ …
         | flip[R]       -- uniform secrets: affine, uniformly distributed secret random values
         | bit[R, ℓ]     -- bits: non-affine, possibly random secret values
         | ref(τ)        -- references
         | τ → τ         -- functions
       R = probability region (elements of a join semilattice); ℓ = information flow label
       - Values in the same region may be probabilistically dependent
       - Values in strictly ordered regions are guaranteed probabilistically independent
       - The region of a bit tracks its probabilistic dependence on random values
     Expressions:
       e ⩴ …
         | flip[R]()     -- create uniform secrets; new random values are allocated in a static region
         | castP(e)      -- reveal uniform secrets
         | castS(x)      -- non-affine use of x
         | e ⊕ e         -- xor
         | mux(e, e, e)  -- atomic mux
         | read(e)       -- reference read
         | write(e, e)   -- reference write
         | if(e){e}{e}   -- conditionals
         | λx.e | e(e)   -- functions
       Standard features like references and functions.
       Escape hatches needed to implement ORAM:
         castP : flip[R] → bit[⊥, P]   (consuming)
         castS : flip[R] → bit[R, S]   (non-consuming)

  29. Taming the escape hatches
     e ⩴ … | castP(e) | castS(x)
     Affine types tame the consuming castP; probability regions tame the non-consuming castS.

  30–34. Affinity in Action
     b₁, b₂ = flip[R1](), flip[R2]()
     b₃, _ = mux(s, b₁, b₂)
     -- each of b₁, b₂, b₃ is uniform on its own
     output(castP(b₃))              -- OK
     -- conditioned on the revealed b₃, none of b₁, b₂, b₃ is uniform any more
     output(castP(b₁))              -- NOT OK
     All cases (s, b₁, b₂ and the resulting b₃), as tabulated on the slide:
       s   b₁  b₂  b₃
       0   0   0   0
       1   0   0   0
       0   1   0   0
       1   1   0   1
       0   0   1   1
       1   0   1   0
       0   1   1   1
       1   1   1   1
     Once b₃ is public, the value of b₁ is correlated with s, so a second reveal would leak the secret; affinity rejects the program because b₁ was already consumed by the mux.
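Two things are worth checking by hand here: how much an adversary learns about s from castP(b₃) alone versus castP(b₃) followed by castP(b₁), and that an affine-use rule rejects the second program before it runs. The following is an added example written for this page, not code from the slides or from the λ-obliv type checker. It assumes the same `mux` convention as above (swap when the selector is 1; the leak result is the same under the opposite convention by symmetry), and the statement encoding `(op, outputs, inputs)` and the `check_affine` rule are a hypothetical, simplified stand-in for λ-obliv's affine typing of `flip` values.

```python
"""Added example (not from the slides): quantify the leak from revealing
b3 then b1, and reject the second reveal with a minimal affine-use check."""
from collections import Counter
from itertools import product


def mux(sel, x, y):
    """Assumed convention: (x, y) if sel == 0 else (y, x)."""
    return (x, y) if sel == 0 else (y, x)


def joint_table():
    """All eight (s, b1, b2) cases with b3 = first output of mux(s, b1, b2)."""
    rows = []
    for s, b1, b2 in product((0, 1), repeat=3):
        b3, _ = mux(s, b1, b2)
        rows.append((s, b1, b2, b3))
    return rows


def posterior_of_s(observe):
    """Worst-case |P(s = 1 | view) - 1/2| over the adversary's possible views,
    for uniform s, b1, b2.  `observe(row)` is what the adversary gets to see.
    0.0 means the view is independent of s; 0.5 means s is fully determined."""
    counts = Counter()
    for row in joint_table():
        counts[(observe(row), row[0])] += 1
    worst = 0.0
    for view in {v for v, _ in counts}:
        n0, n1 = counts[(view, 0)], counts[(view, 1)]
        worst = max(worst, abs(n1 / (n0 + n1) - 0.5))
    return worst


# Hypothetical program encoding: (op, outputs, inputs).  's' is a non-affine
# secret bit; flip-typed variables are affine.
OK_PROGRAM = [
    ("flip", ["b1"], []),
    ("flip", ["b2"], []),
    ("mux", ["b3", "_"], ["s", "b1", "b2"]),
    ("castP", [], ["b3"]),            # OK: first and only use of b3
]
NOT_OK_PROGRAM = [
    ("flip", ["b1"], []),
    ("flip", ["b2"], []),
    ("mux", ["b3", "_"], ["s", "b1", "b2"]),
    ("castP", [], ["b3"]),
    ("castP", [], ["b1"]),            # NOT OK: b1 was consumed by the mux
]


def check_affine(program):
    """Each use of an affine (flip-derived) variable consumes it; a second use
    is a type error.  mux over affine inputs yields affine outputs."""
    affine, consumed = set(), set()
    for op, outs, ins in program:
        for v in ins:
            if v in affine:
                if v in consumed:
                    return False, f"{op}: affine variable {v} already consumed"
                consumed.add(v)
        if op == "flip" or (op == "mux" and all(v in affine for v in ins[1:])):
            affine.update(outs)
    return True, "ok"


if __name__ == "__main__":
    print("reveal b3 only      :", posterior_of_s(lambda r: r[3]))
    print("reveal b3 then b1   :", posterior_of_s(lambda r: (r[3], r[1])))
    print("OK program          :", check_affine(OK_PROGRAM))
    print("NOT OK program      :", check_affine(NOT_OK_PROGRAM))
```

Revealing b₃ alone (or b₁ alone) gives a bias of 0: each is uniform and independent of s. Revealing both gives a bias of 0.5, because some (b₃, b₁) pairs occur only when s = 1. The affine checker never has to reason about distributions: it rejects the second castP simply because b₁ already had its one permitted use inside the mux.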
