NDSS Symposium 2020
MACAO: A Maliciously-Secure and Client-Efficient Active ORAM Framework
Thang Hoang †, Jorge Guajardo ‡, Attila A. Yavuz †
† CSE, University of South Florida (hoangm@mail.usf.edu, attilaayavuz@usf.edu)
‡ Robert Bosch LLC – RTC (Jorge.GuajardoMerchan@us.bosch.com)
Oblivious RAM
§ Oblivious Random Access Machine (ORAM) allows a client to hide its access pattern when accessing data stored on untrusted memory: the client issues logical reads and writes, and the ORAM client turns each of them into a sequence of physical reads/writes on the server that is independent of which logical address was accessed.
[Figure: logical read / logical write from the client, through the ORAM client, to physical read/write operations on the untrusted server]
§ ORAM applications: cloud storage-as-a-service (personal data storage, health-record databases, password management), searchable encryption, secure multiparty computation
Oblivious RAM – Timeline
§ ORAM was first introduced by Goldreich for software protection (STOC 1987); the hierarchical construction and the Ω(log N) lower bound followed in Goldreich–Ostrovsky (JACM 1996)
§ Recent attempts have focused on reducing the ORAM communication overhead, trading it against client storage, server computation (additively or fully homomorphic encryption, AHE/FHE) or a multi-server setting
§ Milestones on the timeline (1987–2019):
  1987: Square-root ORAM (STOC), O(√N) communication
  1996: Hierarchical ORAM and the ORAM lower bound (JACM), O(log³ N) communication
  2011: Tree-ORAM (Asiacrypt), O(log³ N) communication; the paradigm MACAO builds on
  2012–2013: Partition ORAM (NDSS), Multi-cloud ObliviStore (CCS), Path-ORAM (CCS) with O(log N) communication and O(log N) client storage
  2014: Path-PIR (NDSS), Apon et al. (PKC), FHE-based
  2015: Circuit-ORAM (CCS), O(log N) communication; C-ORAM (CCS), O(1) communication; Ring-ORAM
  2016: Onion-ORAM (TCC), O(1) communication using AHE/FHE; Bucket-ORAM
  2017: S3ORAM (CCS), O(1) client communication in a multi-server setting
  2018: 2-server ORAM (Asiacrypt); passive ORAM lower bound (Crypto)
§ The low-bandwidth PIR-based designs (Path-PIR, C-ORAM, Onion-ORAM, S3ORAM) are only analysed against semi-honest servers, and the timeline flags one of the earlier PIR-based schemes as insecure; malicious security is the gap MACAO targets
Tree-ORAM Paradigm [SCSL11]
§ Binary tree data structure: every node is a bucket with a fixed number of block slots
§ Each data block is located somewhere on the path from the root to the leaf it is currently mapped to (its path id, pID)
§ Empty slots are filled with dummy data, so the server cannot tell real blocks from empty ones
§ Client state: a stash of blocks not yet written back, and a position map from block id to pID
General Access Protocol (example: accessing block A, currently on path 1)
1. Look up the pID of A in the position map: 1
2. Retrieve the whole path from the root to leaf 1 (A is somewhere on it)
3. Update A if the access is a write
4. Assign A a fresh uniformly random path, e.g. 4, and record it in the position map
5. Evict: write A (and other stash blocks that fit) back into the tree
Position map in the example: A → 1 (then 4 after the access), B → 3, C → 6, D → 5, E → 7, F → 8
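The five steps above as a runnable toy tree-ORAM. This is an added example, not code from the paper: it uses the simplest eviction (Path-ORAM-style greedy write-back along the retrieved path) rather than MACAO's Circuit-ORAM eviction, keeps the stash unbounded, and stores block data in the clear, since the point is only the position map / read-path / remap / evict flow. The tree layout (node 1 is the root, children of n are 2n and 2n+1) and the `trace` of physical reads are this example's own choices.

```python
import random

class TreeORAM:
    """Toy tree-ORAM following the slide's access protocol: position map lookup, read the
    whole path, update, remap to a fresh random leaf, evict along the path.  Eviction is
    Path-ORAM style greedy write-back (an assumption of this example; MACAO uses the
    Circuit-ORAM eviction instead).  Blocks are (id, data) tuples; None is a dummy slot."""

    def __init__(self, height, bucket_size=2, seed=0):
        self.H, self.Z = height, bucket_size
        self.n_leaves = 1 << height
        # heap layout: node 1 is the root, children of n are 2n and 2n+1,
        # leaves are n_leaves .. 2*n_leaves-1
        self.tree = {n: [None] * bucket_size for n in range(1, 2 * self.n_leaves)}
        self.pos = {}        # position map: block id -> leaf index (the pID)
        self.stash = {}      # block id -> data, blocks not yet written back
        self.rng = random.Random(seed)
        self.trace = []      # physical nodes read per access, for inspection

    def _path(self, leaf):
        node, path = self.n_leaves + leaf, []
        while node >= 1:
            path.append(node)
            node //= 2
        return path          # leaf ... root

    def access(self, op, bid, data=None):
        leaf = self.pos.get(bid, self.rng.randrange(self.n_leaves))   # 1. position map
        path = self._path(leaf)                                        # 2. read whole path
        self.trace.append(sorted(path))
        for node in path:
            for i, slot in enumerate(self.tree[node]):
                if slot is not None:
                    self.stash[slot[0]] = slot[1]
                self.tree[node][i] = None
        out = self.stash.get(bid)                                      # 3. read / update
        if op == "write":
            self.stash[bid] = data
        self.pos[bid] = self.rng.randrange(self.n_leaves)              # 4. fresh random pID
        for node in path:                                              # 5. evict, leaf first
            fits = [b for b in self.stash if node in self._path(self.pos[b])]
            for b in fits[: self.Z]:
                self.tree[node][self.tree[node].index(None)] = (b, self.stash.pop(b))
        return out

    def block_count(self):
        """Every block lives in exactly one place: a tree slot or the stash."""
        in_tree = sum(s is not None for bucket in self.tree.values() for s in bucket)
        return in_tree + len(self.stash)
```

Every access reads one full root-to-leaf path chosen by the (uniformly random) pID, and the pID is replaced after each access, which is what keeps the server's view independent of the logical access; the invariant that a block is always on the path of its current pID or in the stash is what makes step 2 find it.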
PIR-based ORAM: Malicious Security Concern
§ The retrieval phase of PIR-based ORAMs selects the wanted block with a unit vector: exactly one element is 1 and all others are 0, and the servers compute the inner product of this (hidden) vector with the blocks on the path
§ A malicious adversary can tamper with the blocks that correspond to the "0" elements: those blocks are multiplied by 0, so the computation result is still correct and the client cannot detect the tampering
§ Whether a tamper is noticed therefore depends on which block was selected: by tampering with chosen positions and observing whether the client accepts or aborts, the adversary learns the real block positions, i.e. the access pattern leaks
[Figure: unit vector (0, 0, ..., 1, ..., 0) multiplied element-wise with the path blocks and summed; only the block at the "1" position contributes to the result]
MACAO Framework
§ Based on (authenticated) additive secret sharing [DPSZ11]
§ $x \in \mathbb{Z}_p$ is authenticated shared if each party $P_i$ has random values $x_i, \alpha_i, m_i \in \mathbb{Z}_p$ such that $x = \sum_i x_i$, $\alpha = \sum_i \alpha_i$ (random global MAC key) and $\alpha x = \sum_i m_i$
§ The authenticated share of $x$ is denoted $\langle\!\langle x \rangle\!\rangle = ([x], [\alpha x])$
§ Any linear function of shared values can be computed locally: given constants $c_1, c_2$ and shared values $[x], [y]$ with $x = \sum_i x_i$ and $y = \sum_i y_i$, each party computes $c_1 x_i + c_2 y_i$, so that $c_1 \cdot [x] + c_2 \cdot [y] = [c_1 x + c_2 y] = [z]$
MACAO Framework
Harnesses the Circuit-ORAM eviction [WCS15] and permutation-matrix [HOY+17] principles
§ O(1) client bandwidth overhead
§ Bucket size Z = O(1) (Z = 2 in the example)
§ Each eviction takes one block from the stash and writes it back to the tree
Circuit-ORAM Eviction Principle
§ Stash S with |S| = O(log N)
§ Only scan once from the root to the leaf
§ For each level, pick or drop (at most) one block
§ At any time, the eviction holds (at most) one block
Permutation-matrix formulation: create (H+1) permutation matrices $T_h$, one per level $h$, each of size $(Z+1) \times (Z+1)$, acting on the vector (slot 1, ..., slot Z, holding block) as $F_h' = F_h \times T_h$ (row = source slot, column = destination slot), such that
§ $T_h[j, Z+1] = 1$: pick the block at index $j$ (it becomes the holding block)
§ $T_h[Z+1, j] = 1$: drop the holding block into index $j$
§ $T_h[Z+1, Z+1] = 1$: move the holding block on to the next level $h+1$
§ $T_h[j, j] = 1$: keep the block at index $j$ where it is
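The four matrix rules above turned into code, as an added example (not the paper's implementation). It builds the $(Z+1)\times(Z+1)$ matrix for one level from a pick/drop/move decision, applies it to the slot vector in the clear, and runs a whole root-to-leaf eviction from a per-level plan. The slot numbering (bucket slots 0..Z-1, holding block at index Z), the use of 0 for a dummy slot and the sanity checks on the plan are this example's own; the Circuit-ORAM scan that decides the plan is not reproduced here.

```python
def level_matrix(Z, pick=None, drop=None, move=False):
    """Build the (Z+1)x(Z+1) 0/1 matrix T for one tree level of a Circuit-ORAM eviction.
    Slots 0..Z-1 are the bucket, slot Z is the holding block.  Convention (row = from,
    column = to): new[t] = sum_f v[f] * T[f][t], so T[f][t] = 1 moves the block in f to t.
      pick=j  -> T[j][Z] = 1   block at j becomes the holding block, slot j is vacated
      drop=j  -> T[Z][j] = 1   holding block is written into slot j (must be empty)
      move    -> T[Z][Z] = 1   holding block is carried on to the next level
      T[j][j] = 1 for every other slot: the block stays where it is
    Every row and column has at most one 1, so T is a partial permutation matrix."""
    if move and (pick is not None or drop is not None):
        raise ValueError("a carried holding block cannot also be dropped or replaced")
    n = Z + 1
    T = [[0] * n for _ in range(n)]
    for j in range(Z):
        if j not in (pick, drop):
            T[j][j] = 1
    if pick is not None:
        T[pick][Z] = 1
    if drop is not None:
        T[Z][drop] = 1
    if move:
        T[Z][Z] = 1
    return T

def is_partial_permutation(T):
    return all(sum(r) <= 1 for r in T) and all(sum(c) <= 1 for c in zip(*T))

def apply_level(v, T):
    """v = (slot_0, ..., slot_{Z-1}, holding); 0 stands for an empty (dummy) slot."""
    return [sum(v[f] * T[f][t] for f in range(len(v))) for t in range(len(v))]

def evict_path(buckets, holding, plan):
    """buckets: per level root..leaf, each a list of Z block values; holding: the block
    taken from the stash (0 if none); plan: per level a (pick, drop, move) triple as chosen
    by the Circuit-ORAM scan.  Returns the new buckets and what is still held at the leaf."""
    out = []
    for bucket, (pick, drop, move) in zip(buckets, plan):
        Z = len(bucket)
        v = list(bucket) + [holding]
        if drop is not None and v[drop] != 0 and drop != pick:
            raise ValueError("drop target is occupied")
        if v[Z] != 0 and drop is None and not move:
            raise ValueError("holding block would be lost")
        new = apply_level(v, level_matrix(Z, pick, drop, move))
        out.append(new[:Z])
        holding = new[Z]
    return out, holding
```

Because each $T_h$ is a 0/1 matrix with at most one 1 per row and column, applying it is a linear map on the slot vector; that is exactly what lets the servers apply it to secret-shared blocks with the RSS or SPDZ matrix multiplication of the following slides, without learning which slot was picked or dropped.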
MACAO Framework
Two main schemes
§ $\Pi_{rss}$: replicated secret sharing (RSS); 3-server setting with honest majority (at most one malicious server)
§ $\Pi_{spdz}$: SPDZ secret sharing; general ℓ-server setting with dishonest majority (all but one server may be malicious)
MACAO Framework – $\Pi_{rss}$ scheme
Retrieval
§ Select query $\mathbf{q} = (0, \ldots, 1, \ldots, 0) \in \{0,1\}^{Z(H+1)}$, with the 1 at the position of the wanted block on the retrieval path
1. XOR-PIR: a pair of PIR queries $\mathbf{q}_i^{(1)}, \mathbf{q}_i^{(2)}$ per authenticated share $[\mathbf{B}]_i$ (each share is held by two of the three servers): $\mathbf{q}_i^{(1)} \leftarrow_\$ \{0,1\}^{Z(H+1)}$, $\mathbf{q}_i^{(2)} \leftarrow \mathbf{q} \oplus \mathbf{q}_i^{(1)}$
§ Each server XORs together the blocks of its share $[\mathbf{B}]_i$ selected by the query it received, e.g. $\mathbf{r}_i^{(1)} \leftarrow \bigoplus_k \mathbf{q}_i^{(1)}[k] \cdot [\mathbf{B}]_i[k]$, and does the same for the MAC share $[\alpha\mathbf{B}]_i$
§ The client recovers each share of the selected block as $x_i \leftarrow \mathbf{r}_i^{(1)} \oplus \mathbf{r}_i^{(2)}$ (and $y_i$ from the MAC-share responses), sums them $(x, y) \leftarrow (x_1, y_1) + (x_2, y_2) + (x_3, y_3)$, and checks whether $\alpha x = y$
MACAO Framework – $\Pi_{rss}$ scheme
Retrieval
§ Select query $\mathbf{q} = (0, \ldots, 1, \ldots, 0) \in \{0,1\}^{Z(H+1)}$
2. RSS-PIR: the client sends two RSS query shares $\mathbf{q}_i, \mathbf{q}_{i+1}$ to server $S_i$, where $\mathbf{q}_1 + \mathbf{q}_2 + \mathbf{q}_3 = \mathbf{q}$ and $\mathbf{q}_i \leftarrow_\$ \mathbb{Z}_p^{Z(H+1)}$ (indices mod 3)
§ Server $S_i$, holding the RSS shares $[\mathbf{B}]_i, [\mathbf{B}]_{i+1}$, computes locally $x_i \leftarrow \mathbf{q}_i \cdot [\mathbf{B}]_i + \mathbf{q}_{i+1} \cdot [\mathbf{B}]_i + \mathbf{q}_i \cdot [\mathbf{B}]_{i+1}$ (and $y_i$ in the same way from $[\alpha\mathbf{B}]_i, [\alpha\mathbf{B}]_{i+1}$); across the three servers every cross term $\mathbf{q}_j \cdot [\mathbf{B}]_k$ appears exactly once, so the partial products sum to $\mathbf{q} \cdot \mathbf{B}$
§ Client: $(x, y) \leftarrow (x_1, y_1) + (x_2, y_2) + (x_3, y_3)$; check whether $\alpha x = y$
MACAO Framework – $\Pi_{rss}$ scheme
Eviction: based on an RSS matrix multiplication protocol
§ Input: the RSS share of the evicting block $u$ ($u = u_1 + u_2 + u_3$) and the $(H+1)$ RSS shares of the permutation matrices $T_h = T_h^{(1)} + T_h^{(2)} + T_h^{(3)}$; server $P_i$ holds the pair with indices $i, i+1$ (mod 3)
RSSMatMult($[A], [B]$)
§ $P_i$ computes $X_i \leftarrow A_i \times B_i + A_{i+1} \times B_i + A_i \times B_{i+1}$, so that $\sum_i X_i = A \times B$
§ $P_i$ re-shares $X_i$ as $X_i = r_i^{(0)} + r_i^{(1)} + r_i^{(2)}$ and sends $r_i^{(1)}$ to $P_{i+1}$ and $r_i^{(2)}$ to $P_{i-1}$
§ Output: $[A \times B]_i \leftarrow r_i^{(0)} + r_{i-1}^{(1)} + r_{i+1}^{(2)}$; $P_i$ forwards this share to $P_{i-1}$ so that each party again holds a replicated pair $[A \times B]_i, [A \times B]_{i+1}$
§ For each level $h$, with $F_h$ the vector of the holding block and the current blocks at level $h$: $[F_h] \leftarrow$ RSSMatMult($[F_h], [T_h]$) and $[\alpha F_h] \leftarrow$ RSSMatMult($[\alpha F_h], [T_h]$)
MACCheck($F$) (random linear combination)
§ $\gamma \leftarrow \sum_h \sum_i \sum_j \chi_{h,i,j} \, F_h[i,j]$
§ $\theta \leftarrow \sum_h \sum_i \sum_j \chi_{h,i,j} \, \alpha F_h[i,j]$
§ Pass if $\alpha \cdot \gamma = \theta$
§ The servers jointly execute MACCheck($F_h$) to verify eviction integrity
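The $\Pi_{rss}$ retrieval (RSS-PIR) and eviction (RSSMatMult plus MACCheck) as one added, runnable example; this is not the paper's code, and its re-sharing step labels the three pieces $r_i^{(0)}, r_i^{(1)}, r_i^{(2)}$ in its own way. Three servers hold replicated shares $(x_i, x_{i+1})$ of every path slot and of its MAC $\alpha \cdot$slot; the client (which here knows $\alpha$ and opens the shares to run the check, a simplification) reconstructs and verifies. The 4-slot path, the prime $p$ and the tamper hook are constructed. The tamper hook is the security-relevant part: a single malicious server that modifies its own copy of a share of slot $k$ is caught whether or not $k$ is the selected slot, because its modification is multiplied by partial query shares $\mathbf{q}_i[k] + \mathbf{q}_{i+1}[k]$, which are uniformly random regardless of $\mathbf{q}[k]$, so the selective-failure leak of the earlier slide does not arise.

```python
import secrets

P = (1 << 61) - 1   # constructed prime modulus for Z_p (the paper's concrete p may differ)

def rss_share(x):
    """x = x0 + x1 + x2 over Z_p; in RSS, party i holds the pair (x_i, x_{i+1 mod 3})."""
    x0, x1 = secrets.randbelow(P), secrets.randbelow(P)
    return [x0, x1, (x - x0 - x1) % P]

def view(sh, i):
    return sh[i], sh[(i + 1) % 3]

def rss_vec(vec):
    return [rss_share(v) for v in vec]

def server_dot(i, q_sh, b_sh):
    """Server i's local partial of <q, B>: q_i*B_i + q_{i+1}*B_i + q_i*B_{i+1} per element.
    Summed over the three servers, every cross term q_j*B_k appears exactly once."""
    acc = 0
    for qs, bs in zip(q_sh, b_sh):
        qi, qn = view(qs, i)
        bi, bn = view(bs, i)
        acc += qi * bi + qn * bi + qi * bn
    return acc % P

def rss_pir(alpha, q_sh, b_sh, mac_sh, tamper=None):
    """Client side of RSS-PIR.  tamper=(server, slot, delta): that server adds delta to its
    own copy of the value share of `slot`; it cannot adjust the MAC share to match (no alpha)."""
    x = y = 0
    for i in range(3):
        bsh = b_sh
        if tamper and tamper[0] == i:
            _, slot, delta = tamper
            bsh = [list(s) for s in b_sh]
            bsh[slot][i] = (bsh[slot][i] + delta) % P   # the other holder of share i is unchanged
        x += server_dot(i, q_sh, bsh)
        y += server_dot(i, q_sh, mac_sh)
    x, y = x % P, y % P
    return x, alpha * x % P == y

def rss_mat_mult(A_sh, B_sh):
    """RSSMatMult on RSS-shared matrices (r x m) x (m x c).  Each party computes its partial
    product locally, splits it into pieces r^(0), r^(1), r^(2), hands r^(1) to the next party
    and r^(2) to the previous one, and assembles r_i^(0) + r_{i-1}^(1) + r_{i+1}^(2)
    (this example's labelling of the pieces)."""
    r, m, c = len(A_sh), len(B_sh), len(B_sh[0])
    out = [[None] * c for _ in range(r)]
    for a in range(r):
        for b in range(c):
            col = [B_sh[k][b] for k in range(m)]
            partial = [server_dot(i, A_sh[a], col) for i in range(3)]
            pieces = [rss_share(x) for x in partial]          # additive split of each X_i
            out[a][b] = [(pieces[i][0] + pieces[(i - 1) % 3][1] + pieces[(i + 1) % 3][2]) % P
                         for i in range(3)]                  # party i then forwards it to i-1
    return out

def retrieval_demo(tamper=None):
    alpha = secrets.randbelow(P)
    B, q = [101, 202, 303, 404], [0, 0, 1, 0]     # constructed 4-slot path; slot 2 is wanted
    x, ok = rss_pir(alpha, rss_vec(q), rss_vec(B), rss_vec([alpha * v % P for v in B]), tamper)
    return x, ok

def eviction_demo():
    """One level with Z=2: slots (0, 11) plus holding block 99; T drops 99 into slot 0
    and picks 11, computed on RSS shares, then MACCheck on the result."""
    alpha = secrets.randbelow(P)
    F = [0, 11, 99]
    T = [[0, 0, 0], [0, 0,  1], [1, 0, 0]]       # row = from, column = to (F' = F x T)
    F_sh, M_sh = [rss_vec(F)], [rss_vec([alpha * v % P for v in F])]
    T_sh = [rss_vec(row) for row in T]
    newF, newM = rss_mat_mult(F_sh, T_sh)[0], rss_mat_mult(M_sh, T_sh)[0]
    chi = [secrets.randbelow(P) for _ in newF]    # MACCheck: random linear combination
    gamma = sum(c * sum(s) for c, s in zip(chi, newF)) % P
    theta = sum(c * sum(s) for c, s in zip(chi, newM)) % P
    return [sum(s) % P for s in newF], alpha * gamma % P == theta
```

A tamper that passes the check would need the shift in $x$ to be zero, which happens only when the server's partial query shares at that slot sum to zero, probability $1/p$; the eviction check is the same inequality over a random linear combination of all slots, so one corrupted entry anywhere in $F_h$ fails it with the same probability.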
MACAO Framework – $\Pi_{spdz}$ scheme
Both retrieval and eviction are based on a SPDZ-based authenticated matrix multiplication protocol
§ Retrieval: select query $\mathbf{q} = (0, \ldots, 1, \ldots, 0)$; compute SPDZMatMult($\langle\!\langle \mathbf{q} \rangle\!\rangle, \langle\!\langle \mathbf{B} \rangle\!\rangle$) over the retrieval path
§ Eviction: SPDZ share of the evicting block $u$ and $(H+1)$ authenticated SPDZ shares of the permutation matrices $T_h$; for each level compute SPDZMatMult($\langle\!\langle F_h \rangle\!\rangle, \langle\!\langle T_h \rangle\!\rangle$)
SPDZMatMult($\langle\!\langle X \rangle\!\rangle, \langle\!\langle Y \rangle\!\rangle$)
§ Initialization: each $P_i$ holds $\langle\!\langle a \rangle\!\rangle_i, \langle\!\langle b \rangle\!\rangle_i, \langle\!\langle c \rangle\!\rangle_i$, authenticated shares of (matrix) Beaver triples with $c = a \times b$ and $\alpha c = \alpha (a \times b)$
§ $\epsilon_i \leftarrow X_i - a_i$, $\rho_i \leftarrow Y_i - b_i$
§ Open $\epsilon$ and $\rho$
§ MACCheck($\epsilon$) and MACCheck($\rho$)
§ Output: $[X \times Y]_i \leftarrow c_i + \epsilon \times b_i + a_i \times \rho + \epsilon \times \rho$ (the last term is added by one designated party only), $[\alpha (X \times Y)]_i \leftarrow (\alpha c)_i + \epsilon \times (\alpha b)_i + (\alpha a)_i \times \rho + \alpha_i \, \epsilon \times \rho$
MACCheck($M, \alpha M$) (random linear combination)
§ $\gamma \leftarrow \sum_i \sum_j \chi_{i,j} \, M[i,j]$
§ $\theta \leftarrow \sum_i \sum_j \chi_{i,j} \, \alpha M[i,j]$
§ Pass if $\alpha \cdot \gamma = \theta$
§ The servers $P_1, \ldots, P_\ell$, each holding $\langle\!\langle \mathbf{q} \rangle\!\rangle_i, \langle\!\langle u \rangle\!\rangle_i, \langle\!\langle T_h \rangle\!\rangle_i$, jointly execute MACCheck to verify retrieval and eviction integrity
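The SPDZ multiplication and MACCheck of this slide as an added example, not the paper's code: Beaver-triple multiplication of authenticated shares, the check on the opened values $\epsilon$ and $\rho$, and the retrieval $\langle\!\langle \mathbf{q} \rangle\!\rangle \cdot \langle\!\langle \mathbf{B} \rangle\!\rangle$ as a sum of such products. The triples come from a stand-in dealer that knows $\alpha$ (in SPDZ they come from the preprocessing phase), the MACCheck is computed from the parties' $\sigma_i$ values without the commit-and-open round, and the prime, path and server count are constructed. The tamper hook shows the point of checking the openings: a server that bumps its value share of slot $k$ corrupts the opened $\rho$ for that slot, which fails MACCheck before the query is ever applied, so the abort does not depend on whether $k$ was selected.

```python
import secrets

P = (1 << 61) - 1   # constructed prime modulus for Z_p

def add_share(x, n):
    s = [secrets.randbelow(P) for _ in range(n - 1)]
    return s + [(x - sum(s)) % P]

def auth_share(x, alpha, n):
    """<<x>> = ([x], [alpha x]) as per-party (value share, MAC share) pairs."""
    return list(zip(add_share(x % P, n), add_share(alpha * x % P, n)))

def beaver_triple(alpha, n):
    """<<a>>, <<b>>, <<ab>>.  Produced here by a dealer that knows alpha; this stands in
    for the SPDZ offline phase and is a simplification of this example."""
    a, b = secrets.randbelow(P), secrets.randbelow(P)
    return auth_share(a, alpha, n), auth_share(b, alpha, n), auth_share(a * b, alpha, n)

def mac_check(opened, macs, alpha_sh):
    """MACCheck on opened values v_j with MAC shares m_{i,j} and MAC-key shares alpha_i:
    public random chi_j; party i forms sigma_i = sum_j chi_j (m_{i,j} - alpha_i v_j);
    pass iff sum_i sigma_i == 0, i.e. alpha * sum_j chi_j v_j == sum_j chi_j (alpha v_j)."""
    chi = [secrets.randbelow(P) for _ in opened]
    sigma = [sum(c * (m[i] - alpha_sh[i] * v) for c, v, m in zip(chi, opened, macs)) % P
             for i in range(len(alpha_sh))]
    return sum(sigma) % P == 0

def spdz_mul(X, Y, triple, alpha_sh):
    """<<x>> * <<y>> with Beaver triple (a, b, c): open eps = x - a and rho = y - b, MACCheck
    them, then z_i = c_i + eps b_i + a_i rho (+ eps rho for party 0) and
    (alpha z)_i = (alpha c)_i + eps (alpha b)_i + (alpha a)_i rho + alpha_i eps rho."""
    A, B, C = triple
    n = len(X)
    eps_sh = [((X[i][0] - A[i][0]) % P, (X[i][1] - A[i][1]) % P) for i in range(n)]
    rho_sh = [((Y[i][0] - B[i][0]) % P, (Y[i][1] - B[i][1]) % P) for i in range(n)]
    eps, rho = sum(s[0] for s in eps_sh) % P, sum(s[0] for s in rho_sh) % P
    if not mac_check([eps, rho], [[s[1] for s in eps_sh], [s[1] for s in rho_sh]], alpha_sh):
        raise ValueError("MACCheck failed on an opened value: abort")
    return [((C[i][0] + eps * B[i][0] + A[i][0] * rho + (eps * rho if i == 0 else 0)) % P,
             (C[i][1] + eps * B[i][1] + A[i][1] * rho + alpha_sh[i] * eps * rho) % P)
            for i in range(n)]

def spdz_dot(Q, D, alpha, alpha_sh, tamper=None):
    """Retrieval as SPDZMatMult(<<q>>, <<B>>) for a 1 x m query and an m x 1 path: a sum of
    Beaver products.  tamper=(slot, party, delta): that party bumps its value share of B[slot]
    (its MAC share is untouched since it does not know alpha)."""
    n = len(alpha_sh)
    acc = [(0, 0)] * n
    for j, (qj, dj) in enumerate(zip(Q, D)):
        if tamper and tamper[0] == j:
            _, i, delta = tamper
            dj = list(dj)
            dj[i] = ((dj[i][0] + delta) % P, dj[i][1])
        z = spdz_mul(qj, dj, beaver_triple(alpha, n), alpha_sh)
        acc = [((u[0] + v[0]) % P, (u[1] + v[1]) % P) for u, v in zip(acc, z)]
    x = sum(v for v, _ in acc) % P
    if not mac_check([x], [[m for _, m in acc]], alpha_sh):
        raise ValueError("MACCheck failed on the result: abort")
    return x

def retrieval_demo(tamper=None, n=2):
    """n servers, dishonest majority (any n-1 may be malicious).  Returns the block or 'abort'."""
    alpha_sh = [secrets.randbelow(P) for _ in range(n)]
    alpha = sum(alpha_sh) % P                            # used only by the dealer above
    B, q = [101, 202, 303, 404], [0, 0, 1, 0]            # constructed 4-slot path; slot 2 wanted
    Q = [auth_share(v, alpha, n) for v in q]
    D = [auth_share(v, alpha, n) for v in B]
    try:
        return spdz_dot(Q, D, alpha, alpha_sh, tamper)
    except ValueError:
        return "abort"
```

The eviction is the same routine with $F_h$ and $T_h$ in place of $\mathbf{q}$ and $\mathbf{B}$: each entry of $F_h \times T_h$ is a dot product of authenticated shares, consuming one Beaver triple per multiplication.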
MACAO Framework – Extensions
Bandwidth Reduction
§ Use a pseudo-random function (PRF) so that the servers generate additive shares locally [CDI05, DSZ14, RWTS+17]: pairs of servers hold shared PRF keys ($k_1, k_2, k_3$ across S0, S1, S2), so the client only has to send the part of a share that the servers cannot derive themselves
[Figure: servers S0, S1, S2 with pairwise PRF keys; $x = x_1 + x_2 + x_3$ and $u = u_1 + u_2 + u_3$, with the derived shares PRF($k_2$), PRF($k_3$)]
Client Storage Reduction
§ A stash sized $O(\log N)$ was stored at the client (due to the Circuit-ORAM eviction)
§ Two ways to reduce client stash storage:
1. Store the stash at the server side and use Private Information Writing (PIW) to privately put the retrieved block into the stash
2. Triplet Eviction [SvDFR+16] on the retrieval path with bucket size $O(\log N)$: the stash is no longer needed (the $O(\log N)$ bucket size takes its place)
MACAO Framework – Performance (1/3)
§ MACAO schemes were 7× faster than single-server ORAMs and up to 1.5× slower than S3ORAM
[Fig. 13: End-to-end delay (sec) of the MACAO schemes ($\Pi_{rss}$, $\Pi_{spdz}$, $\Pi_{rss}^{prf}$, $\Pi_{spdz}^{prf}$) and their counterparts (Path-ORAM, Ring-ORAM, Circuit-ORAM, S3ORAM) against database size |DB| from 1 GB to 1 TB; (a) block size |b| = 4 KB, (b) block size |b| = 256 KB]
§ Configuration: Libraries: NTL, tomcrypt, zeroMQ, pthread; Client: MacBook Pro 2018; Servers: Amazon EC2 c5.4xlarge with EBS-based storage; Client–server bandwidth: 29/5 Mbps; Inter-server bandwidth: 250/250 Mbps; DB size: 1 GB – 1 TB; Block size: 4 KB, 256 KB