Secure Computation ORAM The Case of 3-Party Computation Stanislaw - PowerPoint PPT Presentation

Secure Computation ORAM The Case of 3-Party Computation Stanislaw Jarecki, UC Irvine Cryptography in the RAM Model Workshop, Cambridge, MA, June 2016 AC’15: Sky Faber, S.J. , Sotirios Kentros, Boyang Wei New Work: S.J. , Boyang Wei

Secure Computation of (O)RAM Access (SC-ORAM) SC-ORAM = Sec.Comp of F ORAM : sharing of D,x ⟶ sharing of D[x] D 1 D 2 D n ss x 1 x 2 ..... x n ⟷ x F ORAM ss s 1 s 2 ..... s n D[x] ⟷ ( for <write>: additional shared input v and D ⟶ D’ s.t. D’[x]=v )

Secure Computation of (O)RAM Access (SC-ORAM) Application: n-Server Private Database (  n-Server SPIR) SC-ORAM = Sec.Comp of F ORAM : sharing of D,x ⟶ sharing of D[x] Client D 1 D 2 D n ss x 1 x 2 ..... x n ⟵ x F ORAM ss s 1 s 2 ..... s n s = D[x] ⟶

Secure Computation of (O)RAM Access (SC-ORAM) Application: Sec. Comp. of RAM Program [OS’97,DMN’11,GKKKMRV’12] SC-ORAM = Sec.Comp of F ORAM : sharing of D,x ⟶ sharing of D[x] P 1 P 2 ..... P n F RAM-PROGRAM var stack Instr 1,2,... x,y,z ,... ,v secret- read(x) or write(x,v) shared each instruction computed by values standard MPC (Yao, BGW, ...) F ORAM v=D(x) D 2 Sec. Comp. of RAM programs with polylog(|D|) overhead

Generic SC-ORAM Construction [OS’97,GKKKMRV’12] ORAM Scheme + Secure Comp. of Client’s Code ⟶ SC-ORAM ORAM: MK 1 , x 1 MK 2 , x 2 Enc MK (D; r) P 1 P 2 SC-ORAM: [2PC] Client 1 Client 2 Server v 1 v 2 D[x]=v 1 ⨁ v 2

Generic SC-ORAM Construction [OS’97,GKKKMRV’12] ORAM Scheme + Secure Comp. of Client’s Code MK 1 , x 1 MK 2 , x 2 Enc MK (D; r) P 1 P 2 [2PC] Client 1 Client 2 Server v 1 v 2 For efficient MPC of RAM programs D[x] = v 1 ⨁ v 2 we need ORAM whose Client is “Secure - Computation Friendly” [GKKKMRV’12a]: GO’96 ORAM + Yao + PK -based SS-OPRF gadget [GKKKMRV’12b]: Path - ORAM [Shi+’11] + Yao [WHCSS’14]: Path-ORAM modified + Yao ⇒ smaller circuits

Our Question: Could SC-ORAM be faster given 3 players with honest majority? 3 Parties = 2 Parties with correlated randomness Example: Oblivious Transfer with Precomputation [Bea’95] z 0 , z 1 : random strings : random bit c P 3 z c , c z 0 , z 1 π = b ⨁ c P 1 P 2 m 0 , m 1 bit b m 0 ⨁ z π , m 1 ⨁ z  π 2 Parties: OT needs PK crypto ops [IR’89] 3 Parties: OT costs 4 xor’s

SC for Path-ORAM [Shi+’11] Path-ORAM Access: Recursive Tree+Array Lookup Split address space of m bits, h chunks of τ =m/h bits N = [N 1 | N 2 | ... |N h ] T i is a binary tree of depth d i =i· τ , tree nodes are buckets of size w ORAM = (T 0 ,T 1 ,T 2 ,...,T h ) T 1 T 0 ... T h T 2 L 1 and so on... L 2 Server retrieve Client & decrypt d i ·w ... ... N 1 L 1 N 1 N 1 |N 2 N 3 N 2 L 3 L 2

SC for Path-ORAM [Shi+’11] Path-ORAM Access: Recursive Tree+Array Lookup Split address space of m bits, h chunks of τ =m/h bits N = [N 1 | N 2 | ... |N h ] T i is a binary tree of depth d i =i· τ , tree nodes are buckets of size w ORAM = (T 0 ,T 1 ,T 2 ,...,T h ) set w =O( 𝑛 ) [or O( 𝑛 )] Client’s code is a sequence of array or dictionary list look-ups... T 1 T 0 ... T h T 2 L 1 and so on... L 2 Server Client d i ·w ... ... N 1 L 1 N 1 N 1 |N 2 N 3 N 2 L 3 L 2

SC for Path-ORAM [Shi+’11] The other half: Path-ORAM Eviction T 1 T 0 ... T h T 2 2 τ L 1 and so on... L 2 Server Client w ... ... N 1 L 1 N 3 L 3 N 2 L 2 N 1 |N 2 N 1 Eviction: 1) put the (modified) retrieved entry on top 2) move all* entries down towards their targets labels SC-ORAM: To reduce circuit size, use constrained eviction strategy

SC for Tree-ORAM Three Steps Access: Retrieve data assoc. with searched-for address N (C A ) SS[ X , N ]  d s.t. (N,d)  X Eviction.1: Compute movement logic , T : [n]  [n] (C T ) SS[ X |N ]  SS[ T ] Eviction.2: Permute path X according to T (C M ) SS[ X , T ]  SS[ T(X) ] s.t. T(X) = X T(1) ,…,X T(n) 2PC-ORAM costs: online, passive adv (last tree, w/o small constants) bndw: |X|  k comp: |C A |+|C T |+|C M | ciphers (+ k OT’s) X = (X 1 ,…, X n ) : tree path k: sec.par.

3PC for Tree-ORAM Access Step: SS[ X , N ]  d s.t. (N,d)  X Client’s code is a sequence of array look -ups... 3PC idea: ⦁ secret-share all data (T i ’s and N) between P 1 & P 2 send matching entry to P 3 via Conditional SS-OT • P 1 P 2 N 1 d 1 N 1 *, N 2 *, N *, ... ... ... ... ... ... N i d i N i 1 d i N i 2 d i 1 2 ... ... ... ... ... ... N n d n d i 1 ⨁ d i for i s.t. 2 P 3 * = N i N i 1 ⨁ N 1 2 ⨁ N 2 *

3PC for Tree-ORAM Access Step: SS[ X , N ]  d s.t. (N,d)  X k: sec.par. = String Equality Problem: n: # tuples in path D: record size 2PC, Yao’s GC: knD bndw (+k exp’s ) m: address size 2PC, arith.circ.: bndw--, rounds++ P 1 P 2 2PC, DH-KE: n exp’s 3PC: Conditional Disclosure of Secrets N 1 *, N 2 *, ... ... ... ... [GIKM00], IT: 4nD bndw [AC’15], crypt: 2n( m+D) bndw N i a i 1 d i N i b i 2 d i  2x plain Client-Server ORAM 1 2 3PC, 2-PIR: +1 round, 2nm+  nD bnds ... ... ... ... d i 1 ⨁ d i for i 2 P 3 s.t. a i = b i

3PC for Tree-ORAM Problem: P 3 learns position i where the a i = b i match occurs… 3PC Tool: Conditional OT on Shared Inputs 3PC sol.: P 1 & P 2 shift their input lists by (the same) random offset P 3 can learn a pointer into the shifted list (= random in [n]) P 1 P 2 P 1 & P 2 hold same PRF key k [ 𝐵 𝑗 , 𝐷 𝑗 ] = [ 𝐶 𝑗 , 𝐸 𝑗 ] = ... ... ... ... 𝑙 𝑏 𝑗 𝑙 𝑐 𝑗 𝑄𝑆𝐺 𝑄𝑆𝐺 a i d i b i d i 1 2 ... ... ... ... { [ 𝐵 𝑗 , 𝑒 𝑗1 ⨁𝐷 𝑗 ] } 𝑗 { [ 𝐶 𝑗 , 𝑒 𝑗 2 ⨁𝐸 𝑗 ] } 𝑗 d i 1 ⨁ d i for i 2 P 3 s.t. a i = b i

Path-ORAM : from 2PC to 3PC Access Step via CDS a.k.a. SS-COT Access (C A ): SS[ X , N ]  d s.t. (N,d)  X Ev.1 (C T ): SS[ X |N ]  SS[ T ] Ev.2 (C M ): SS[ X , T ]  SS[ T(X) ] s.t. T(X) = X T(1) ,…,X T(n) 2PC-ORAM 3PC-ORAM Acc: bndw: |X|  k + ciph: |C A | + OT’s bndw: |X| Ev.1: ciph: |C T | ? Ev.2: ciph: |C M | ? 100x cheaper access • X = (X 1 ,…, X n ) : tree path Benefits: • k : sec.par. response time (eviction in background) • access inherently sequential • batch access with postponed eviction •

3PC for Tree-ORAM Eviction Steps Ev.1 (C T ): SS[ X |N ]  SS[ T ] Ev.2 (C M ): SS[ X , T ]  SS[ T(X) ] s.t. T(X) = X T(1) ,…,X T(n) 3PC idea: Use Yao for C T , but make transition table T “uniform” s.t.: Ev.1: If P 1 and P 2 locally permute secret-shared list X then P 3 can learn T in the clear Ev.2: SS[ X, T ]  SS[ T(x) ] is a simple variant of OT SS[X] 1 message flow • P 1 P 2 bndw: 4|X| • no crypto ops • SS[ T(X)] Uniform Transition Table T [AC’15]: T moves 2 items from node i to i+1 • P 1 & P 2 shuffle each bucket • P 3 (T) P 3 learns 2 first movable/empty • items after 2 random shifts

Path-ORAM : from 2PC to 3PC k=128, m=32 2PC:  k=512 for  =4 Access (SS-COT), Ev.1 (Yao), Ev.2 (SS-OT)  D = 16B  τ = 2  16 rounds Access (C A ): SS[ X , N ]  d s.t. (N,d)  X 3PC:  +k=384 for  =256 Ev.1 (C T ): SS[ X |N ]  SS[ T ]  D = 1KB Ev.2 (C M ): SS[ X , T ]  SS[ T(X) ] s.t. T(X) = X T(1) ,…,X T(n)  τ = 8  4 rounds 2PC-ORAM 3PC-ORAM Acc: bndw: |X|  k + ciph: |C A | +OT’s bndw: |X| Ev.1: ciph: |C T | ciph : |C T | + bndw: nm  k Ev.2: ciph: |C M | bndw: |X| m 2 w  (  +k) bndw: |X|k = n(m+|d|)k ≈ m 2 w   k m 2 w   CT ciph: m 2 w  (  +  CT +  CM ) +OT’s X = (X 1 ,…, X n ) : tree path X i = (addr.,data) k : sec.par. n = m  w m : address size w : bucket width  = max(2 τ ,D/m) τ : addr. chunk size D : record size |d| ≈ m   CT ,  CM : circ.comp. of C T ,C M (=circuit size / input length)

Path-ORAM : from 2PC to 3PC Access (SS-COT), Ev.1 (Yao), Ev.2 (SS-OT) 2PC-ORAM 3PC-ORAM Acc: bndw: |X|  k + ciph: |C A | +OT’s bndw: |X| Ev.1: ciph: |C T | ciph : |C T | + bndw: nm  k Ev.2: ciph: |C M | bndw: |X| m 2 w  (  +k) bndw: |X|k = n(m+|d|)k ≈ m 2 w   k m 2 w   CT ciph: m 2 w  (  +  CT +  CM ) AC’15: 3PC with simplistic eviction: very low  CT , w=O(m+k ) ≈100 WCS’15: “Circuit - ORAM”: 2PC, greedy eviction, higher  CT , w=3,  CM =2 New work: 2PC with same eviction as in Circuit-ORAM, slightly higher  CT X = (X 1 ,…, X n ) : tree path X i = (addr.,data) k : sec.par. n = m  w m : address size w : bucket width  = max(2 τ ,D/m) τ : addr. chunk size D : record size |d| ≈ m   CT ,  CM : circ.comp. of C T ,C M (=circuit size / input length)

Circuit-ORAM Eviction [WCS’15] From 2PC to 3PC : Making Transition Table T Uniform Making it Uniform: Circuit ORAM Eviction: 1. Fill-in jumps so T is a cycle 2. Reveal (  T)(i) instead of T(i) for $  greedy: “deepest goes first” permute outside Garb.Circ. • +2 rounds for (de-)mask/permute • 0 0 3 1 1 6 2 2 4 3 3 1 Randomly Permute 4 4 7 5 5 0 6 6 5 7 7 8 8 8 2