a language for probabilistically oblivious computation
play

A Language for Probabilistically Oblivious Computation David Darais - PowerPoint PPT Presentation

Mar 25, 2023 •182 likes •787 views

A Language for Probabilistically Oblivious Computation David Darais , Ian Sweet, Chang Liu, Michael Hicks Secure Storage S[42] secret Cloud You s = S[42] Storage S[s] secret Implementation = encrypt the data Read/write indices

  1. 
 A Language for Probabilistically Oblivious Computation David Darais , Ian Sweet, Chang Liu, Michael Hicks

  2. Secure Storage S[42] ← secret Cloud You s = S[42] Storage S[s] ← secret Implementation = encrypt the data Read/write indices in the clear , cannot depend on secrets 2

  3. Oblivious RAM S[42] ← secret Cloud You s = S[42] Storage S[s] ← secret Implementation = encrypt the data and garble indices Read/write indices can depend on secrets 3

  4. λ -obliv 4

  5. λ -obliv …is for implementing oblivious algorithm Secure databases and secure multiparty computation S[secret] (read) Oblivious 
 Types , semantics , and proofs for probabilistic programs RAM S[secret] ← secret (write) Publicly available implementation 5

  6. λ -obliv …is for implementing oblivious algorithm Secure databases and secure multiparty computation Types , semantics , and proofs for probabilistic programs Publicly available implementation 6

  7. ORAM basics λ -obliv design λ -obliv proof 7

  8. Memory Trace Obliviousness (MTO) Adversary can see: Public values Program counter Memory (and array) access patterns Adversary can’t see: Secret values MTO if you can’t infer secret values from observations 8

  9. Baby Not-secure ORAM Adversary Observations -- upload secrets S[0] ← s ₀ -- write secret 0 S[1] ← s ₁ -- write secret 1 -- read secret index s r = S[s] -- NOT OK 9

  10. Baby Not-secure ORAM Adversary Observations -- upload secrets 0 S[0] ← s ₀ -- write secret 0 S[1] ← s ₁ -- write secret 1 1 -- read secret index s r = S[s] -- NOT OK 10

  11. Baby Not-secure ORAM Adversary Observations -- upload secrets 0 S[0] ← s ₀ -- write secret 0 S[1] ← s ₁ -- write secret 1 1 -- read secret index s s r = S[s] -- NOT OK Violates Memory Trace Obliviousness (MTO) 11

  12. Baby Trivial ORAM Adversary -- upload secrets Observations S[0] ← s ₀ -- write secret 0 S[1] ← s ₁ -- write secret 1 -- read secret index s r ₀ = S[0] -- read secret 0 r ₁ = S[1] -- read secret 1 r, _ = mux(s, r ₀ , r ₁ ) -- MTO 12

  13. Baby Trivial ORAM Adversary -- upload secrets Observations S[0] ← s ₀ -- write secret 0 0 S[1] ← s ₁ -- write secret 1 -- read secret index s 1 r ₀ = S[0] -- read secret 0 r ₁ = S[1] -- read secret 1 r, _ = mux(s, r ₀ , r ₁ ) -- MTO 13

  14. Baby Trivial ORAM Adversary -- upload secrets Observations S[0] ← s ₀ -- write secret 0 0 S[1] ← s ₁ -- write secret 1 -- read secret index s 1 r ₀ = S[0] -- read secret 0 0 r ₁ = S[1] -- read secret 1 r, _ = mux(s, r ₀ , r ₁ ) -- MTO 1 Satisfies MTO, but ine ffi cient 14

  15. Probabilistic Memory Trace Obliviousness (PMTO) Adversary can see: Public values Program counter Memory (and array) access patterns Adversary can’t see: Secret values AND random samples (coin flips) PMTO if you can’t infer secret values from observations 15

  16. Baby Tree ORAM -- upload secrets b = flip-coin() -- randomness s ₀′ , s ₁′ = mux(b, s ₀ , s ₁ ) S[0] ← s ₀′ -- write secret 0 or 1 S[1] ← s ₁′ -- write secret 1 or 0 -- read secret index s r = S[b ⊕ s] Violates secure data/information flow 
 Satisfies Probabilistic Memory Trace Obliviousness (PMTO) 16

  17. Baby Tree ORAM Truth table for b ⊕ s b S b ⊕ s -- upload secrets 0 0 0 b = flip-coin() -- randomness s ₀′ , s ₁′ = mux(b, s ₀ , s ₁ ) 1 0 1 S[0] ← s ₀′ -- write secret 0 or 1 S[1] ← s ₁′ -- write secret 1 or 0 0 1 1 -- read secret index s r = S[b ⊕ s] 1 1 0 17

  18. Baby Tree ORAM Truth table for b ⊕ s b S b ⊕ s -- upload secrets 0 0 0 b = flip-coin() -- randomness s ₀′ , s ₁′ = mux(b, s ₀ , s ₁ ) 1 0 1 S[0] ← s ₀′ -- write secret 0 or 1 S[1] ← s ₁′ -- write secret 1 or 0 0 1 1 -- read secret index s r = S[b ⊕ s] 1 1 0 Observation: b ⊕ s = 1 18

  19. Baby Tree ORAM Truth table for b ⊕ s b S b ⊕ s -- upload secrets 0 0 0 b = flip-coin() -- randomness s ₀′ , s ₁′ = mux(b, s ₀ , s ₁ ) 1 0 1 S[0] ← s ₀′ -- write secret 0 or 1 S[1] ← s ₁′ -- write secret 1 or 0 0 1 1 -- read secret index s r = S[b ⊕ s] 1 1 0 Observation: b ⊕ s = 1 19

  20. Baby Tree ORAM Truth table for b ⊕ s b S b ⊕ s -- upload secrets 0 0 0 b = flip-coin() -- randomness s ₀′ , s ₁′ = mux(b, s ₀ , s ₁ ) 1 0 1 S[0] ← s ₀′ -- write secret 0 or 1 S[1] ← s ₁′ -- write secret 1 or 0 0 1 1 -- read secret index s r = S[b ⊕ s] 1 1 0 Observation: b ⊕ s = 0 output(b) after S[b ⊕ s] would be problematic! 20

  21. ORAM basics λ -obliv design λ -obliv proof 21

  22. λ -obliv design challenge How to: Allow direct flows from uniform secrets to public values Prevent revealing any value correlated with a secret 22

  23. λ -obliv features τ ⩴ … | flip[R] -- uniform secrets | bit[R, ℓ ] -- bits | ref( τ ) -- references | τ → τ -- functions A ffi ne, uniformly distributed secret random values 
 e ⩴ … | flip[R]() -- create uniform secrets R = probability region (elements in a join semilattice) 
 | castP(e) -- reveal uniform secrets | castS(x) -- non-affine use of x - | e ⊕ e -- xor Values in same region may be prob. dependent | mux(e, e, e) -- atomic mux - Values in strictly ordered regions guaranteed prob. independent | read(e) -- reference read | write(e, e) -- reference write | if(e){e}{e} -- conditionals | λ x.e | e(e) -- functions 23

  24. λ -obliv features τ ⩴ … | flip[R] -- uniform secrets | bit[R, ℓ ] -- bits | ref( τ ) -- references | τ → τ -- functions Non-a ffi ne, possibly random secret values 
 e ⩴ … | flip[R]() -- create uniform secrets R = probability region, ℓ = information flow label 
 | castP(e) -- reveal uniform secrets | castS(x) -- non-affine use of x | e ⊕ e -- xor - Region tracks prob. dependence on random values | mux(e, e, e) -- atomic mux | read(e) -- reference read | write(e, e) -- reference write | if(e){e}{e} -- conditionals | λ x.e | e(e) -- functions 24

  25. λ -obliv features τ ⩴ … | flip[R] -- uniform secrets | bit[R, ℓ ] -- bits | ref( τ ) -- references | τ → τ -- functions e ⩴ … | flip[R]() -- create uniform secrets | castP(e) -- reveal uniform secrets | castS(x) -- non-affine use of x Standard features like references and functions | e ⊕ e -- xor | mux(e, e, e) -- atomic mux | read(e) -- reference read | write(e, e) -- reference write | if(e){e}{e} -- conditionals | λ x.e | e(e) -- functions 25

  26. λ -obliv features τ ⩴ … | flip[R] -- uniform secrets | bit[R, ℓ ] -- bits | ref( τ ) -- references | τ → τ -- functions e ⩴ … | flip[R]() -- create uniform secrets | castP(e) -- reveal uniform secrets | castS(x) -- non-affine use of x | e ⊕ e -- xor | mux(e, e, e) -- atomic mux New random values are allocated in static region | read(e) -- reference read | write(e, e) -- reference write | if(e){e}{e} -- conditionals | λ x.e | e(e) -- functions 26

  27. 
 λ -obliv features τ ⩴ … | flip[R] -- uniform secrets | bit[R, ℓ ] -- bits | ref( τ ) -- references | τ → τ -- functions Escape hatches e ⩴ … needed to | flip[R]() -- create uniform secrets implement | castP(e) -- reveal uniform secrets | castS(x) -- non-affine use of x ORAM | e ⊕ e -- xor | mux(e, e, e) -- atomic mux castP : flip[R] → bit[ ⊥ ,P] (consuming) 
 | read(e) -- reference read | write(e, e) -- reference write | if(e){e}{e} -- conditionals castS : flip[R] → bit[R,S] (non-consuming) | λ x.e | e(e) -- functions 27

  28. λ -obliv features τ ⩴ … | flip[R] -- uniform secrets | bit[R, ℓ ] -- bits | ref( τ ) -- references | τ → τ -- functions e ⩴ … | flip[R]() -- create uniform secrets | castP(e) -- reveal uniform secrets | castS(x) -- non-affine use of x | e ⊕ e -- xor | mux(e, e, e) -- atomic mux | read(e) -- reference read | write(e, e) -- reference write | if(e){e}{e} -- conditionals | λ x.e | e(e) -- functions 28

  29. Taming the escape hatches A ffi ne 
 Types e ⩴ … | castP(e) | castS(x) Probability 
 Regions 29

  30. Affinity in Action b ₁ , b ₂ = flip[R1](), flip[R2]() b ₃ , _ = mux(s, b ₁ , b ₂ ) -- each of b ₁ , b ₂ , b ₃ uniform output(castP(b ₁ )) -- OK -- none of b ₁ , b ₂ , b ₃ uniform output(castP(b ₁ )) -- NOT OK 30

  31. Affinity in Action b ₁ , b ₂ = flip[R1](), flip[R2]() b ₃ , _ = mux(s, b ₁ , b ₂ ) -- each of b ₁ , b ₂ , b ₃ uniform output(castP(b ₁ )) -- OK -- none of b ₁ , b ₂ , b ₃ uniform output(castP(b ₁ )) -- NOT OK 31

  32. Affinity in Action b ₁ , b ₂ = flip[R1](), flip[R2]() b ₃ , _ = mux(s, b ₁ , b ₂ ) -- each of b ₁ , b ₂ , b ₃ uniform output(castP(b ₃ )) -- OK -- none of b ₁ , b ₂ , b ₃ uniform output(castP(b ₁ )) -- NOT OK 32

  33. Affinity in Action b ₁ , b ₂ = flip[R1](), flip[R2]() b ₃ , _ = mux(s, b ₁ , b ₂ ) -- each of b ₁ , b ₂ , b ₃ uniform output(castP(b ₃ )) -- OK -- none of b ₁ , b ₂ , b ₃ uniform output(castP(b ₁ )) -- NOT OK 33

  34. Affinity in Action s b ₁ b ₂ b ₃ b ₁ , b ₂ = flip[R1](), flip[R2]() 0 0 0 0 b ₃ , _ = mux(s, b ₁ , b ₂ ) 1 0 0 0 -- each of b ₁ , b ₂ , b ₃ uniform output(castP(b ₃ )) -- OK 0 1 0 0 -- none of b ₁ , b ₂ , b ₃ uniform 1 1 0 1 output(castP(b ₁ )) -- NOT OK 0 0 1 1 1 0 1 0 0 1 1 1 1 1 1 1 34

Recommend

Projects. Probabilistically Checkable Proofs... Probabilistically Checkable Proofs Whats a

Projects. Probabilistically Checkable Proofs... Probabilistically Checkable Proofs Whats a

Projects. Probabilistically Checkable Proofs... Probabilistically Checkable Proofs Whats a proof? Statement: A formula is satisfiable. Proof: assignment, a . Property: 5 minute presentations. Can check proof in polynomial time. A real

401 views • 3 slides
k -Round Multiparty Computation from k -Round Oblivious Transfer via Garbled Interactive Circuits

k -Round Multiparty Computation from k -Round Oblivious Transfer via Garbled Interactive Circuits

k -Round Multiparty Computation from k -Round Oblivious Transfer via Garbled Interactive Circuits Fabrice Benhamouda Huijia (Rachel) Lin IBM Research / Columbia University, US University of California, Santa Barbara, US Eurocrypt 2018, May 1,

1.03k views • 85 slides
Oblivious Computation in Public Cloud for Privacy-aware Access Control Policies and Data Search

Oblivious Computation in Public Cloud for Privacy-aware Access Control Policies and Data Search

Oblivious Computation in Public Cloud for Privacy-aware Access Control Policies and Data Search Ph.D. Dissertation Defense Zeeshan Pervez Department of Computer Engineering Kyung Hee University, Global Campus, Korea email:

650 views • 24 slides
Music, Language and Computation Aline Honingh Guest lecture in Logic, Language and Computation

Music, Language and Computation Aline Honingh Guest lecture in Logic, Language and Computation

Music, Language and Computation Aline Honingh Guest lecture in Logic, Language and Computation Music at the ILLC l Henkjan Honing music cognition l Fleur Bouwer l Gabor Haden l Rens Bod computational musicology l Aline

532 views • 39 slides
Me & the UO Language Variation & Computation Lab Sociophonetician and

Me & the UO Language Variation & Computation Lab Sociophonetician and

T. Kendall (U Oregon) Social and Cognitive Aspects of Language Variation and Change Me & the UO Language Variation & Computation Lab Sociophonetician and sociolinguist In terms of speech technology, researching variation and

202 views • 5 slides
1 COMPUTATION AS SOCIAL AGENCY: WHAT AND HOW ILLC course Logic, Language & Computation,

1 COMPUTATION AS SOCIAL AGENCY: WHAT AND HOW ILLC course Logic, Language & Computation,

1 COMPUTATION AS SOCIAL AGENCY: WHAT AND HOW ILLC course Logic, Language & Computation, Amsterdam, 10 December 2013 Johan van Benthem, Amsterdam & Stanford, http://staff.science.uva.nl/~johan Turing Year, Manchester Logic

198 views • 4 slides
Evolutionary Computation Computational Procedures patterned after biological evolution

Evolutionary Computation Computational Procedures patterned after biological evolution

Evolutionary Computation Computational Procedures patterned after biological evolution Search procedure that probabilistically applies search operators to set of points in the search space Evolutionary Algorithms Evolution Genetic

592 views • 37 slides
FUNCTIONALLY OBLIVIOUS (AND SUCCINCT) Edward Kmett BUILDING BETTER TOOLS Cache-Oblivious

FUNCTIONALLY OBLIVIOUS (AND SUCCINCT) Edward Kmett BUILDING BETTER TOOLS Cache-Oblivious

FUNCTIONALLY OBLIVIOUS (AND SUCCINCT) Edward Kmett BUILDING BETTER TOOLS Cache-Oblivious Algorithms Succinct Data Structures RAM MODEL Almost everything you do in Haskell assumes this model Good for ADTs, but not a realistic

673 views • 49 slides
Extending Oblivious Transfers Efficiently Yuval Ishai Technion Joe Kilian Kobbi Nissim

Extending Oblivious Transfers Efficiently Yuval Ishai Technion Joe Kilian Kobbi Nissim

Extending Oblivious Transfers Efficiently Yuval Ishai Technion Joe Kilian Kobbi Nissim Erez Petrank NEC Microsoft Technion Motivation x y f(x,y) How (in)efficient is generic secure computation?

431 views • 25 slides
1. Interconnector reliability should be considered probabilistically Zero probability of 100%

1. Interconnector reliability should be considered probabilistically Zero probability of 100%

1. Interconnector reliability should be considered probabilistically Zero probability of 100% probability of coincident stress coincident stress Real world derate IC provides security IC cannot provide IC based on to both countries

315 views • 5 slides
Funnel Heap - A Cache-Oblivious Priority Queue Gerth Stlting Brodal Rolf Fagerberg BRICS

Funnel Heap - A Cache-Oblivious Priority Queue Gerth Stlting Brodal Rolf Fagerberg BRICS

Funnel Heap - A Cache-Oblivious Priority Queue Gerth Stlting Brodal Rolf Fagerberg BRICS University of Aarhus Thirteenth International Symposium on Algorithms and Computation Vancouver, BC, Canada, November 22, 2002 1 Outline of talk

499 views • 24 slides
Values and Variables 1 / 19 Languages and Computation Every powerful language has three

Values and Variables 1 / 19 Languages and Computation Every powerful language has three

Values and Variables 1 / 19 Languages and Computation Every powerful language has three mechanisms for combining simple ideas to form more complex ideas:(SICP 1.1) primitive expressions, which represent the simplest entities the language is

537 views • 19 slides
Perfectly S Secure O Oblivious A s Algorithms s in t the M Multi-Server S Setting T-H.

Perfectly S Secure O Oblivious A s Algorithms s in t the M Multi-Server S Setting T-H.

Perfectly S Secure O Oblivious A s Algorithms s in t the M Multi-Server S Setting T-H. Hubert Chan, Jonathan Katz, Ka Kartik Nay ayak, Antigoni Polychroniadou, Elaine Shi Defini De ning ng an n Obl Oblivious us RAM Example request

812 views • 33 slides
Oblivious Routing on Geometric Networks Costas Busch, Malik Magdon-Ismail and Jing Xi {

Oblivious Routing on Geometric Networks Costas Busch, Malik Magdon-Ismail and Jing Xi {

Oblivious Routing on Geometric Networks Costas Busch, Malik Magdon-Ismail and Jing Xi { buschc,magdon,xij2 } @cs.rpi.edu July 20, 2005. Outline Oblivious Routing: Background and Our Contribution The Algorithm: Oblivious Routing with Single

709 views • 50 slides
Lower Bound! Kasper Green Larsen Jesper Buus Nielsen Oblivious RAM Introduced by Goldreich

Lower Bound! Kasper Green Larsen Jesper Buus Nielsen Oblivious RAM Introduced by Goldreich

Yes, There is an Oblivious RAM Lower Bound! Kasper Green Larsen Jesper Buus Nielsen Oblivious RAM Introduced by Goldreich and Ostrovsky in 1996 Encrypts the memory access pattern of a random-access algorithm Oblivious RAM, Model

505 views • 32 slides
Non-Uniform Computation & Circuits Lecture 10 Wherein every language can be decided 1

Non-Uniform Computation & Circuits Lecture 10 Wherein every language can be decided 1

Non-Uniform Computation & Circuits Lecture 10 Wherein every language can be decided 1 Non-Uniform Computation 2 Non-Uniform Computation Uniform: Same program for all (the infinitely many) inputs 2 Non-Uniform Computation Uniform: Same

1.25k views • 105 slides
Cache-Oblivious Algorithms 1 Cache-Oblivious Model 2 The Unknown Machine Algorithm Algorithm

Cache-Oblivious Algorithms 1 Cache-Oblivious Model 2 The Unknown Machine Algorithm Algorithm

Cache-Oblivious Algorithms 1 Cache-Oblivious Model 2 The Unknown Machine Algorithm Algorithm C program Java program gcc javac Object code Java bytecode linux java Execution Interpretation Can be executed on

963 views • 54 slides
Coping with the Memory Hierarchy the Cache-Oblivious Way Rolf Fagerberg University of Aarhus

Coping with the Memory Hierarchy the Cache-Oblivious Way Rolf Fagerberg University of Aarhus

Coping with the Memory Hierarchy the Cache-Oblivious Way Rolf Fagerberg University of Aarhus Imada, SDU, February 18, 2004 Overview The memory hierachy The I/O-model The cache-oblivious model Examples of cache-oblivious

1.23k views • 72 slides
A E Matthijs Westera Institute for Logic, Language and Computation University of Amsterdam

A E Matthijs Westera Institute for Logic, Language and Computation University of Amsterdam

Why semantics is the wastebasket A E Matthijs Westera Institute for Logic, Language and Computation University of Amsterdam Research Seminar in Logic and Language Tilburg, May 6th 2014 Outline Introduction Warming up: the implicature in

1.3k views • 110 slides
PanORAMa: Oblivious RAM with Logarithmic Overhead Sarvar Patel, Giuseppe Persiano, Mariana

PanORAMa: Oblivious RAM with Logarithmic Overhead Sarvar Patel, Giuseppe Persiano, Mariana

PanORAMa: Oblivious RAM with Logarithmic Overhead Sarvar Patel, Giuseppe Persiano, Mariana Raykova, Kevin Yeo Most frequently used file Bob knows what files I am accessing Bandwidth is expensive Retrieve the whole database Oblivious RAM

1.13k views • 85 slides
Music, Language and Computation Aline Honingh LoLaCo Guestlecture 2012 Outline Music at the

Music, Language and Computation Aline Honingh LoLaCo Guestlecture 2012 Outline Music at the

Music, Language and Computation Aline Honingh LoLaCo Guestlecture 2012 Outline Music at the ILLC Music and Language Music and Computation Overview of the field Research examples Music at the ILLC Henkjan Honing music

743 views • 38 slides
A Framework for Efficient and Composable Oblivious Transfer Chris Peikert 1 Vinod Vaikuntanathan

A Framework for Efficient and Composable Oblivious Transfer Chris Peikert 1 Vinod Vaikuntanathan

A Framework for Efficient and Composable Oblivious Transfer Chris Peikert 1 Vinod Vaikuntanathan 2 Brent Waters 1 1 SRI International 2 MIT CRYPTO 2008 1 / 10 Oblivious Transfer [R81,EGL85,BCR86,C87,K88,CK88,C89,CS91,CGT95,DCP95,FMR96,BC97,. .

1.02k views • 50 slides
Confluence and Convergence in Probabilistically Terminating Reduction Systems Maja H. Kirkeby

Confluence and Convergence in Probabilistically Terminating Reduction Systems Maja H. Kirkeby

Confluence and Convergence in Probabilistically Terminating Reduction Systems Maja H. Kirkeby Henning Christiansen Computer Science, Roskilde University, Denmark LOPSTR 2017 Namur, Belgium Maja H. Kirkeby, Henning Christiansen

524 views • 35 slides
A Cache-Oblivious Heap Introduced by Arge et al. [1]. Based on distribution of elements

A Cache-Oblivious Heap Introduced by Arge et al. [1]. Based on distribution of elements

A Cache-Oblivious Heap Introduced by Arge et al. [1]. Based on distribution of elements References [1] L. Arge, M. A. Bender, E. D. Demaine, B. Holland-Minkley, and J. I. Munro, Cache-oblivious priority queue and graph algorithm

520 views • 15 slides

More recommend