to securely compute f
play

to securely compute f ? Mike Rosulek | | CRYPTO 2012 . B : B X is an - PowerPoint PPT Presentation

Dec 27, 2022 •95 likes •742 views

Q: Must you know the code of f to securely compute f ? Mike Rosulek | | CRYPTO 2012 . B : B X is an algorithm for Y Black-box: Non-black-box: Algorithm for Y depends on code of algorithm for X . Pervasive question since [ImpagliazzoRudich89] : .

  1. Q: Must you know the code of f to securely compute f ? Mike Rosulek | | CRYPTO 2012 .

  2. B : B X is an algorithm for Y Black-box: Non-black-box: Algorithm for Y depends on code of algorithm for X . Pervasive question since [ImpagliazzoRudich89] : . . . When do black-box constructions exist? . . . . . Black-box constructions tend to be more practical (efficient & modular). black-box reductions . Reduction . . . X has an algorithm ⇒ Y has an algorithm . . . . . .

  3. . Pervasive question since [ImpagliazzoRudich89] : . . . When do black-box constructions exist? . . . . . Black-box constructions tend to be more practical (efficient & modular). black-box reductions . Reduction . . . X has an algorithm ⇒ Y has an algorithm Black-box: ∃ B : B X is an algorithm for Y Non-black-box: Algorithm for Y depends on code of algorithm for X . . . . . .

  4. Black-box constructions tend to be more practical (efficient & modular). black-box reductions . Reduction . . . X has an algorithm ⇒ Y has an algorithm Black-box: ∃ B : B X is an algorithm for Y Non-black-box: Algorithm for Y depends on code of algorithm for X . . . . . . Pervasive question since [ImpagliazzoRudich89] : . . . When do black-box constructions exist? . . . . . .

  5. black-box reductions . Reduction . . . X has an algorithm ⇒ Y has an algorithm Black-box: ∃ B : B X is an algorithm for Y Non-black-box: Algorithm for Y depends on code of algorithm for X . . . . . . Pervasive question since [ImpagliazzoRudich89] : . . . When do black-box constructions exist? . . . . . Black-box constructions tend to be more practical (efficient & modular). .

  6. secure computation. . . Several parties wish to carry out an agreed-upon computation. ◮ Parties have individual inputs / output ◮ Security guarantees: ◮ Privacy (learn no more than your prescribed output) ◮ Input independence ◮ Output consistency, etc.. ◮ Parties are mutually distrusting, some possibly malicious .

  7. . BB . BB ? . trapdoor function . . secure protocol for evaluating f f . Protocol can be black-box in its usage of underlying primitives! [Ishai+06, LindellPinkas07, Haitner08, IshaiPrabhakaranSahai08, Choi+09, PassWee09, ..] What about usage of f? Typical approach (since [Yao86,GMW87] ): Express f as a circuit, and evaluate it gate-by-gate — non-black-box! black-box secure computation . Typical theorem statement: . . . If trapdoor functions exist, then for every f , there is a secure (in some model) protocol for evaluating f . . . . . . .

  8. BB . . BB ? Protocol can be black-box in its usage of underlying primitives! [Ishai+06, LindellPinkas07, Haitner08, IshaiPrabhakaranSahai08, Choi+09, PassWee09, ..] What about usage of f? Typical approach (since [Yao86,GMW87] ): Express f as a circuit, and evaluate it gate-by-gate — non-black-box! black-box secure computation . Typical theorem statement: . . . If trapdoor functions exist, then for every f , there is a secure (in some model) protocol for evaluating f . . . . . . . trapdoor function . . secure protocol for evaluating f f . .

  9. BB ? . What about usage of f? Typical approach (since [Yao86,GMW87] ): Express f as a circuit, and evaluate it gate-by-gate — non-black-box! black-box secure computation . Typical theorem statement: . . . If trapdoor functions exist, then for every f , there is a secure (in some model) protocol for evaluating f . . . . . . . . BB � trapdoor function . . secure protocol for evaluating f f . Protocol can be black-box in its usage of underlying primitives! ◮ [Ishai+06, LindellPinkas07, Haitner08, IshaiPrabhakaranSahai08, Choi+09, PassWee09, ..] .

  10. black-box secure computation . Typical theorem statement: . . . If trapdoor functions exist, then for every f , there is a secure (in some model) protocol for evaluating f . . . . . . . . BB � trapdoor function . . secure protocol for evaluating f f . . BB ? Protocol can be black-box in its usage of underlying primitives! ◮ [Ishai+06, LindellPinkas07, Haitner08, IshaiPrabhakaranSahai08, Choi+09, PassWee09, ..] What about usage of f? Typical approach (since [Yao86,GMW87] ): ◮ Express f as a circuit, and evaluate it gate-by-gate — non-black-box! .

  11. the model .

  12. If protocol uses trusted setup, then same setup for all f ! FBB secure evaluation of is trivial if: (protocol could “know” code of f ) is exactly learnable via oracle queries (learn code of f , then proceed in non-black-box way) the model (2-party SFE) Let C be a class of 2-input functions. . Definition . . . Functionality-black-box (FBB) secure evaluation of C means: ◮ ∃ oracle machines π A , π B : ◮ ∀ f ∈ C : ◮ π f A ( x ) ⇄ π f B ( y ) is a secure protocol for evaluating f ( x , y ) . . . . . .

  13. FBB secure evaluation of is trivial if: (protocol could “know” code of f ) is exactly learnable via oracle queries (learn code of f , then proceed in non-black-box way) the model (2-party SFE) Let C be a class of 2-input functions. . Definition . . . Functionality-black-box (FBB) secure evaluation of C means: ◮ ∃ oracle machines π A , π B : ◮ ∀ f ∈ C : ◮ π f A ( x ) ⇄ π f B ( y ) is a secure protocol for evaluating f ( x , y ) If protocol uses trusted setup, then same setup for all f ∈ C ! . . . . . .

  14. the model (2-party SFE) Let C be a class of 2-input functions. . Definition . . . Functionality-black-box (FBB) secure evaluation of C means: ◮ ∃ oracle machines π A , π B : ◮ ∀ f ∈ C : ◮ π f A ( x ) ⇄ π f B ( y ) is a secure protocol for evaluating f ( x , y ) If protocol uses trusted setup, then same setup for all f ∈ C ! . . . . . FBB secure evaluation of C is trivial if: ◮ |C| = 1 (protocol could “know” code of f ) ◮ C is exactly learnable via oracle queries (learn code of f , then proceed in non-black-box way) .

  15. autoreducibility .

  16. . Basic Definition . . . L is autoreducible if there exists efficient M : 1. M L x L x 2. M doesn’t simply query its oracle on x . . . . . autoreducibility How much “structure” does a set/function L have? .

  17. autoreducibility How much “structure” does a set/function L have? . Basic Definition . . . L is autoreducible if there exists efficient M : 1. M L ( x ) = L ( x ) 2. M doesn’t simply query its oracle on x . . . . . .

  18. dlog g x : // find d such that g d x ord g . 1. Choose a n , where n g a 2. Output: dlog g x a (mod n) . “Instance-hiding” autoreducible [BeaverFeigenbaum90] . . . Oracle queries of M L x distributed independent of x . . . . . . autoreducibility examples Discrete log problem in � g � is autoreducible: .

  19. . “Instance-hiding” autoreducible [BeaverFeigenbaum90] . . . Oracle queries of M L x distributed independent of x . . . . . . autoreducibility examples Discrete log problem in � g � is autoreducible: dlog g ( x ) : // find d such that g d = x 1. Choose a ← Z n , where n = ord ( g ) . 2. Output: dlog g ( x · g a ) − a (mod n) .

  20. . “Instance-hiding” autoreducible [BeaverFeigenbaum90] . . . Oracle queries of M L x distributed independent of x . . . . . . autoreducibility examples Discrete log problem in � g � is autoreducible: dlog g ( x ) : // find d such that g d = x 1. Choose a ← Z n , where n = ord ( g ) . 2. Output: dlog g ( x · g a ) − a (mod n) .

  21. autoreducibility examples Discrete log problem in � g � is instance-hiding autoreducible: dlog g ( x ) : // find d such that g d = x 1. Choose a ← Z n , where n = ord ( g ) . 2. Output: dlog g ( x · g a ) − a (mod n) . “Instance-hiding” autoreducible [BeaverFeigenbaum90] . . . Oracle queries of M L ( x ) distributed independent of x . . . . . . .

  22. semi-honest adversaries .

  23. 2. M ’s queries to left oracle “don’t depend on” y 3. M ’s queries to right oracle “don’t depend on” x Discussion: Same M must work for every f . Distinction between x and y . . Theorem . . . FBB secure computation of is possible in ot -hybrid (against semi-honest adversaries) if and only if is 2-hiding autoreducible . . . . . characterization . Definition . . . A class C is 2-hiding autoreducible if there exists efficient M : 1. M f , f ( x , y ) = f ( x , y ) , for all f ∈ C . . . . . .

  24. Discussion: Same M must work for every f . Distinction between x and y . . Theorem . . . FBB secure computation of is possible in ot -hybrid (against semi-honest adversaries) if and only if is 2-hiding autoreducible . . . . . characterization . Definition . . . A class C is 2-hiding autoreducible if there exists efficient M : 1. M f , f ( x , y ) = f ( x , y ) , for all f ∈ C 2. M ’s queries to left oracle “don’t depend on” y 3. M ’s queries to right oracle “don’t depend on” x . . . . . .

  25. . Theorem . . . FBB secure computation of is possible in ot -hybrid (against semi-honest adversaries) if and only if is 2-hiding autoreducible . . . . . characterization . Definition . . . A class C is 2-hiding autoreducible if there exists efficient M : 1. M f , f ( x , y ) = f ( x , y ) , for all f ∈ C 2. M ’s queries to left oracle “don’t depend on” y 3. M ’s queries to right oracle “don’t depend on” x . . . . . Discussion: ◮ Same M must work for every f ∈ C . ◮ Distinction between x and y . .

Recommend

Generic Architecture Architecture Generic for Securely Securely Managing Managing for

Generic Architecture Architecture Generic for Securely Securely Managing Managing for

Trusted Architecture for Trusted Architecture for Securely Shared Services Securely Shared Services Generic Architecture Architecture Generic for Securely Securely Managing Managing for Employability & Healthcare Employability &

161 views • 14 slides
Generic Architecture Architecture Generic to Securely Securely Manage Manage to

Generic Architecture Architecture Generic to Securely Securely Manage Manage to

Trusted Architecture for Trusted Architecture for Securely Shared Services Securely Shared Services Generic Architecture Architecture Generic to Securely Securely Manage Manage to Employability, Healthcare & Employability, Healthcare

813 views • 16 slides
Disaster Preparedness Checklist General Preparedness Secure your roof: - Ensure roof is securely

Disaster Preparedness Checklist General Preparedness Secure your roof: - Ensure roof is securely

Disaster Preparedness Checklist General Preparedness Secure your roof: - Ensure roof is securely fixed to walls - Ensure that galvanized sheets are in good order & securely fastened - Seal spaces between roof & supports Secure windows

178 views • 3 slides
1 1 easy to compute , 1 easy to compute 2

1 1 easy to compute , 1 easy to compute 2

1 1 easy to compute , 1 easy to compute 2 easy to compute 2 easy to compute 2 unbiased biased estimator 3

609 views • 15 slides
Alice and Bob want to communicate securely Achieve confidentiality and

Alice and Bob want to communicate securely Achieve confidentiality and

Alice and Bob want to communicate securely Achieve confidentiality and integrity/authenticity Both know each others public key Example: A->B: E Bob (M), S Alice (M) Works, but expensive Recall hybrid encryption

488 views • 16 slides
Firecracker How to Securely Run Thousands of Workloads on a Single Host What is Firecracker? -

Firecracker How to Securely Run Thousands of Workloads on a Single Host What is Firecracker? -

Firecracker How to Securely Run Thousands of Workloads on a Single Host What is Firecracker? - Open Source Project - Virtual Machine Monitor (VMM) - Runs on top of KVM - Security and isolation of VMs - Speed and density of container - Low

697 views • 30 slides
Multi Party secure communication C D A B E F N parties want to communicate securely with

Multi Party secure communication C D A B E F N parties want to communicate securely with

1 Key Establishment Chester Rebeiro IIT Madras 2 Multi Party secure communication C D A B E F N parties want to communicate securely with each other (N=6 in this figure) If U sends a message to V (U V and U,V {a,b,c,d,e,f})

721 views • 55 slides
MULTI-GPU PROGRAMMING MODELS Jiri Kraus, Senior Devtech Compute Jan Stephan, Intern Devtech

MULTI-GPU PROGRAMMING MODELS Jiri Kraus, Senior Devtech Compute Jan Stephan, Intern Devtech

MULTI-GPU PROGRAMMING MODELS Jiri Kraus, Senior Devtech Compute Jan Stephan, Intern Devtech Compute MOTIVATION Why use multiple GPUs? Need to compute larger, e.g. bigger networks, car models, Need to compute faster, e.g. weather

1.28k views • 70 slides
AWS Hosted Services 2 Compute Cloud Compu2ng Spring

AWS Hosted Services 2 Compute Cloud Compu2ng Spring

Cloud Computing ECPE 276 AWS Hosted Services 2 Compute Cloud Compu2ng Spring 2016 3 Compute Options 1. Amazon Elas2c Compute Cloud

381 views • 37 slides
Cyber@UC Meeting 61 Running a Linux box securely If Youre New! Join our Slack:

Cyber@UC Meeting 61 Running a Linux box securely If Youre New! Join our Slack:

Cyber@UC Meeting 61 Running a Linux box securely If Youre New! Join our Slack: ucyber.slack.com SIGN IN! (Slackbot will post the link in #general) Feel free to get involved with one of our committees: Content Finance Public

297 views • 11 slides
Tw Two-round Secu cure MPC from Mi Mini nimal Assum umptions ns Sanjam Garg Akshayaram

Tw Two-round Secu cure MPC from Mi Mini nimal Assum umptions ns Sanjam Garg Akshayaram

Tw Two-round Secu cure MPC from Mi Mini nimal Assum umptions ns Sanjam Garg Akshayaram Srinivasan University of California, Berkeley Eurocrypt 2018 Secure Two-Party Computation [Yao 86] Securely compute ( " , #

286 views • 24 slides
Securely Moving Your Business Into the Cloud Alex Stamos Partner

Securely Moving Your Business Into the Cloud Alex Stamos Partner

Securely Moving Your Business Into the Cloud Alex Stamos Partner Takeaways Current conventional wisdom on cloud computing is missing the point You cannot

793 views • 37 slides
Objectives Euclidean Algorithm to compute gcd (Greatest Common Divisor) to compute

Objectives Euclidean Algorithm to compute gcd (Greatest Common Divisor) to compute

More Number Theoretic Results Debdeep Mukhopadhyay Assistant Professor Department of Computer Science and Engineering Indian Institute of Technology Kharagpur INDIA -721302 Objectives Euclidean Algorithm to compute gcd (Greatest

151 views • 14 slides
Constant-Overhead Secure Computation using Preprocessing Ivan Damgrd, Sarah Zakarias Aarhus

Constant-Overhead Secure Computation using Preprocessing Ivan Damgrd, Sarah Zakarias Aarhus

Constant-Overhead Secure Computation using Preprocessing Ivan Damgrd, Sarah Zakarias Aarhus University, Denmark Multiparty Computation Goal: Compute circuit UC-securely Unlike previous talk: I Interested in d i complexity of protocol

462 views • 21 slides
OPEN COMPUTE BRIEF 7x24 Exchange Carolinas Chapter 2017 Winter Meeting AGENDA Open

OPEN COMPUTE BRIEF 7x24 Exchange Carolinas Chapter 2017 Winter Meeting AGENDA Open

OPEN COMPUTE BRIEF 7x24 Exchange Carolinas Chapter 2017 Winter Meeting AGENDA Open Compute Project History & Definition General Open Compute Server & Rack Overview Detailed Open Compute Compliant Rack Overview The

473 views • 19 slides
Securely accessing remote sensors in critical infrastructures. SUPERVISORS: RESEARCH PROJECT 2

Securely accessing remote sensors in critical infrastructures. SUPERVISORS: RESEARCH PROJECT 2

Securely accessing remote sensors in critical infrastructures. SUPERVISORS: RESEARCH PROJECT 2 CEDRIC BOTH PAVLOS LONTORFOS JEROEN DO BOER 1 SECURITY AND NETWORK ENGINEERING The use of sensors Transportation Power grid networks

729 views • 24 slides
AAMVA Region I Conference E-ID, DLDV, and Privacy Conducting Business Securely July 15, 2013

AAMVA Region I Conference E-ID, DLDV, and Privacy Conducting Business Securely July 15, 2013

The Imperative for High Assurance Credentials: State Identity Credential and Access Management (SICAM) Guidance and Roadmap AAMVA Region I Conference E-ID, DLDV, and Privacy Conducting Business Securely July 15, 2013 Chad Grant, Senior

659 views • 18 slides
Developing Construction Workers for Securely Built Software James R Lindley CISSP, ISSAP,

Developing Construction Workers for Securely Built Software James R Lindley CISSP, ISSAP,

Developing Construction Workers for Securely Built Software James R Lindley CISSP, ISSAP, ISSEP, ISSMP, CISA, PMP, SSE-CMM Team Chief, IRS Penetration Testing and Code Analysis Tuesday, March 18, 2014,11:05 -11:40 Three Types of Security

566 views • 31 slides
TRESOR Runs Encryption Securely Outside RAM 20th USENIX Security Symposium August 8 12, 2011

TRESOR Runs Encryption Securely Outside RAM 20th USENIX Security Symposium August 8 12, 2011

TRESOR Runs Encryption Securely Outside RAM 20th USENIX Security Symposium August 8 12, 2011 San Francisco, CA Tilo Mller Felix C. Freiling Andreas Dewald Department of Computer Science University of Erlangen Who we are Chair

504 views • 29 slides
OA2 Overview and Site Planning Building collaboration sites to communicate securely, share assets

OA2 Overview and Site Planning Building collaboration sites to communicate securely, share assets

OA2 Overview and Site Planning Building collaboration sites to communicate securely, share assets & accomplish work together online. John Studdard Managing Partner Big Couch Media Group Full service South Florida based Digital Agency To

314 views • 19 slides
Embark: Securely Outsourcing Middleboxes to the Cloud Chang Lan, Justine Sherry, Raluca Ada

Embark: Securely Outsourcing Middleboxes to the Cloud Chang Lan, Justine Sherry, Raluca Ada

Embark: Securely Outsourcing Middleboxes to the Cloud Chang Lan, Justine Sherry, Raluca Ada Popa, Sylvia Ratnasamy, Zhi Liu UC Berkeley Tsinghua University 1 Background Middleboxes are prevalent and problematic Number of Middleboxes

1.31k views • 44 slides
Embark: Securely Outsourcing Middleboxes to the Cloud Chang Lan, Justine Sherry, Raluca Ada

Embark: Securely Outsourcing Middleboxes to the Cloud Chang Lan, Justine Sherry, Raluca Ada

Embark: Securely Outsourcing Middleboxes to the Cloud Chang Lan, Justine Sherry, Raluca Ada Popa, Sylvia Ratnasamy, Zhi Liu UC Berkeley Tsinghua University 1 Background Middleboxes are prevalent and problematic Number of Middleboxes

572 views • 40 slides
Distributing Secrets Securely ? Presented by Simo Sorce Red Hat, Inc. Flock 2015 Historically

Distributing Secrets Securely ? Presented by Simo Sorce Red Hat, Inc. Flock 2015 Historically

Distributing Secrets Securely ? Presented by Simo Sorce Red Hat, Inc. Flock 2015 Historically Monolithic applications on single servers potentially hooked to a central authentication system. Idm Distributing Secrets ? Containers it's

557 views • 29 slides
Caribou: Intelligent Distributed Storage Zsolt Istvn, David Sidler, Gustavo Alonso Systems

Caribou: Intelligent Distributed Storage Zsolt Istvn, David Sidler, Gustavo Alonso Systems

Caribou: Intelligent Distributed Storage Zsolt Istvn, David Sidler, Gustavo Alonso Systems Group, Department of Computer Science, ETH Zurich 1 Rack-scale thinking ToR Switch Compute In the Cloud Compute Compute + Provisioning Compute +

167 views • 14 slides

More recommend