leakage in the cell probe model lower bounds for response
play

Leakage in the Cell Probe Model Lower Bounds for Response Hiding - PowerPoint PPT Presentation

Leakage in the Cell Probe Model Lower Bounds for Response Hiding Encrypted Multi-Maps Giuseppe Persiano Universit` a di Salerno June, 2019 Describing joint work with: Sarvar Patel and Kevin Yeo (Google LLC) Giuseppe Persiano (UNISA) June


  1. Leakage in the Cell Probe Model Lower Bounds for Response Hiding Encrypted Multi-Maps Giuseppe Persiano Universit` a di Salerno June, 2019 Describing joint work with: Sarvar Patel and Kevin Yeo (Google LLC) Giuseppe Persiano (UNISA) June 2019 1 / 27

  2. The Model Cell Probe Model for a Data Structure [Yao] Memory is a sequence of cells each of w bits Accessing (reading/writing) a cell cost 1 All computation is for free Classical model used to derive lower bounds for Data Structures Giuseppe Persiano (UNISA) June 2019 2 / 27

  3. The Oblivious Model Oblivious Cell Probe Model [Larsen+Nielsen ’18] In a Client-Server setting Client outsources storage of the DS to an honest-but-curios server Client performs DS operations O = ( op 1 , . . . , op l ) by accessing the Server memory ◮ client can read and write any cell in Server memory ◮ each cell is w -bit wide Client has limited private local memory Server observes the access pattern and the data downloaded � � ◮ view DS ( O ) = view DS ( op 1 ) , . . . , view DS ( op l ) Passive server: performs no computation Operations are performed online Giuseppe Persiano (UNISA) June 2019 3 / 27

  4. Security Notion Definition DS is Oblivious, if for every PPT machine A and any two sequences O and O ′ of the same length � ≤ 1 � �� � � � A (view DS ( O )) = 1 A (view DS ( O ′ )) = 1 � Prob − Prob 4 . � � Giuseppe Persiano (UNISA) June 2019 4 / 27

  5. The array maintenance problem (a.k.a. ORAM) Two operations to maintain an n -slot array A Read( i ) returns the current value stored in A [ i ] Write( i , x ) sets A [ i ] := x Giuseppe Persiano (UNISA) June 2019 5 / 27

  6. The array maintenance problem (a.k.a. ORAM) Two operations to maintain an n -slot array A Read( i ) returns the current value stored in A [ i ] Write( i , x ) sets A [ i ] := x Theorem (Larsen+Nielsen ’18) Expected amortized running time of an ORAM with n b-bit slots is � b w · log nb � Ω c where c is the client memory in bits. Giuseppe Persiano (UNISA) June 2019 5 / 27

  7. The array maintenance problem (a.k.a. ORAM) Two operations to maintain an n -slot array A Read( i ) returns the current value stored in A [ i ] Write( i , x ) sets A [ i ] := x Theorem (Larsen+Nielsen ’18) Expected amortized running time of an ORAM with n b-bit slots is � b w · log nb � Ω c where c is the client memory in bits. Online Read and Write operations with Passive Server Giuseppe Persiano (UNISA) June 2019 5 / 27

  8. Proof strategy for ORAM lower bound [Larsen+Nielsen] The Information Transfer Technique [Pˇ atra¸ scu+Demaine] assign probes to nodes of the Information Tree ◮ each probe to at most one node show that for most nodes v there exists a hard distribution HD v on sequences of operations of the same length that assign lots of probes to v ◮ coding argument leveraging on randomness of the entries of the array invoke obliviousness to show that for each such distribution all nodes must be assigned the same high number of probes Giuseppe Persiano (UNISA) June 2019 6 / 27

  9. Obliviousness very strong requirement it hides the type of operation it hides the parameters of the operations ◮ the content of the array (for Write) ◮ the slot of the operation (for Read and Write) only number of operations is leaked Giuseppe Persiano (UNISA) June 2019 7 / 27

  10. Obliviousness very strong requirement it hides the type of operation it hides the parameters of the operations ◮ the content of the array (for Write) ◮ the slot of the operation (for Read and Write) only number of operations is leaked In several applications more information is leaked for the sake of efficiency Giuseppe Persiano (UNISA) June 2019 7 / 27

  11. Differential Privacy Definition DS is ( ǫ, δ )-DP, if for every PPT machine A and any two sequences O and O ′ of the same length that differ for exactly one operation � � ≤ e ǫ · Prob � � A (view eMM ( O )) = 1 A (view eMM ( O ′ )) = 1 Prob + δ Giuseppe Persiano (UNISA) June 2019 8 / 27

  12. The Differentially Private RAM Theorem (P+Yeo ’19) For every ǫ > 0 and δ ≤ 1 / 3 , the expected amortized running time of a Differentially Private RAM with n b-bit slots is � b � w · log nb Ω c where c is the client memory in bits. Giuseppe Persiano (UNISA) June 2019 9 / 27

  13. The Differentially Private RAM Theorem (P+Yeo ’19) For every ǫ > 0 and δ ≤ 1 / 3 , the expected amortized running time of a Differentially Private RAM with n b-bit slots is � b � w · log nb Ω c where c is the client memory in bits. Different proof technique Giuseppe Persiano (UNISA) June 2019 9 / 27

  14. Leakage Cell Probe Model A sequence of operations O = ( op 1 , op 2 , . . . , op l ) is associated with leakage L ( O ) L ( O ) = ( L ( op 1 ) , . . . , L ( op l )) Giuseppe Persiano (UNISA) June 2019 10 / 27

  15. Leakage Cell Probe Model A sequence of operations O = ( op 1 , op 2 , . . . , op l ) is associated with leakage L ( O ) L ( O ) = ( L ( op 1 ) , . . . , L ( op l )) Definition DS is Non-Adaptively L -INDSecure, if for every PPT machine A and any two sequences O and O ′ such that L ( O ) = L ( O ′ ), � ≤ 1 � � � � �� A (view DS ( O )) = 1 A (view DS ( O ′ )) = 1 � Prob − Prob 4 . � � Giuseppe Persiano (UNISA) June 2019 10 / 27

  16. Leakage Cell Probe Model A sequence of operations O = ( op 1 , op 2 , . . . , op l ) is associated with leakage L ( O ) L ( O ) = ( L ( op 1 ) , . . . , L ( op l )) Definition DS is Non-Adaptively L -INDSecure, if for every PPT machine A and any two sequences O and O ′ such that L ( O ) = L ( O ′ ), � ≤ 1 � � � � �� A (view DS ( O )) = 1 A (view DS ( O ′ )) = 1 � Prob − Prob 4 . � � Oblivious considers leakage L ( O ) = l Giuseppe Persiano (UNISA) June 2019 10 / 27

  17. Multi-Maps (MM) Multi-Maps A data structure to maintain a collection of pairs ( key ,� v ), where � v = ( v 1 , . . . , v l ) is a tuple 1 Add( key , v ): adds v to the tuple associated with key 2 Get( key ): returns the tuple associated with key Giuseppe Persiano (UNISA) June 2019 11 / 27

  18. Multi-Maps (MM) Multi-Maps A data structure to maintain a collection of pairs ( key ,� v ), where � v = ( v 1 , . . . , v l ) is a tuple 1 Add( key , v ): adds v to the tuple associated with key 2 Get( key ): returns the tuple associated with key A special case of Structured Encryption [Chase-Kamara] Giuseppe Persiano (UNISA) June 2019 11 / 27

  19. Multi-Maps (MM) Multi-Maps A data structure to maintain a collection of pairs ( key ,� v ), where � v = ( v 1 , . . . , v l ) is a tuple 1 Add( key , v ): adds v to the tuple associated with key 2 Get( key ): returns the tuple associated with key A special case of Structured Encryption [Chase-Kamara] A generalization of ORAM: Giuseppe Persiano (UNISA) June 2019 11 / 27

  20. Multi-Maps (MM) Multi-Maps A data structure to maintain a collection of pairs ( key ,� v ), where � v = ( v 1 , . . . , v l ) is a tuple 1 Add( key , v ): adds v to the tuple associated with key 2 Get( key ): returns the tuple associated with key A special case of Structured Encryption [Chase-Kamara] A generalization of ORAM: ◮ ORAM is a MM with all tuples of length 1; Giuseppe Persiano (UNISA) June 2019 11 / 27

  21. How expensive are EMM? Giuseppe Persiano (UNISA) June 2019 12 / 27

  22. How expensive are EMM? It depends on the leakage function Giuseppe Persiano (UNISA) June 2019 12 / 27

  23. How expensive are EMM? It depends on the leakage function If no security is sought: � log log n � O log log log n [Beame and Fich ’99] Giuseppe Persiano (UNISA) June 2019 12 / 27

  24. How expensive are EMM? It depends on the leakage function If no security is sought: � log log n � O log log log n [Beame and Fich ’99] If only number of operations is leaked O (log n ) Use ORAM [Folklore] Giuseppe Persiano (UNISA) June 2019 12 / 27

  25. How expensive are EMM? It depends on the leakage function If no security is sought: � log log n � O log log log n [Beame and Fich ’99] If only number of operations is leaked O (log n ) Use ORAM [Folklore] What if we only want to hide the response of the operations? Giuseppe Persiano (UNISA) June 2019 12 / 27

  26. How expensive are EMM? It depends on the leakage function If no security is sought: � log log n � O log log log n [Beame and Fich ’99] If only number of operations is leaked O (log n ) Use ORAM [Folklore] What if we only want to hide the response of the operations? What is the cost of the Response-Hiding EMM? Giuseppe Persiano (UNISA) June 2019 12 / 27

  27. Response-Hiding Leakage Function – I Definition (Leakage function L G for O = ( op 1 , . . . , op l )) L G ( O i ) is defined as follows: 1 if op i = Get( key i ) then L G ( O i ) = � MM O i − 1 , key i �� � � �� Get , key i , � Get ; the key queried and the size of the response are leaked 2 if op i = Add( key i , v i ) then L G ( O i ) = Add , aep i � � the add pattern is leaked the type of operation is also leaked add equality pattern aep i := (aep i 1 , . . . , aep i i − 1 ) and aep i j is defined as follows, for j = 1 , . . . , i − 1  ⊥ , if op j is a Get operation;   aep i j = 0 , if op j is an Add operation and key j � = key i ;  1 , if op j is an Add operation and key j = key i ;  Giuseppe Persiano (UNISA) June 2019 13 / 27

Recommend


More recommend