1 / 27

Outsourcing Private RAM Computation

Outsourcing Private RAM Computation. Daniel Wichs Northeastern University with: Craig Gentry, Shai Halevi , Mariana Raykova. Problem Overview. Weak client wants to leverage resources of a powerful server to compute without revealing . Efficiency Requirements:

freya-patrick
Download Presentation

Outsourcing Private RAM Computation

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Outsourcing Private RAM Computation Daniel Wichs Northeastern University with: Craig Gentry, ShaiHalevi, Mariana Raykova

  2. Problem Overview • Weak client wants to leverage resources of a powerful server to compute without revealing . • Efficiency Requirements: • Client does much less work than computing • Server does about as much work as computing … Server Client

  3. Use FHE! Done? • Private outsourcing is possible using Fully Homomorphic Encryption (FHE). [RAD78,Gen09,…] • But FHE works over circuits rather than RAM programs. I’m very efficient!

  4. Circuits vs. RAM • Private outsourcing is possible using Fully Homomorphic Encryption (FHE). [RAD78,Gen09,…] • But FHE works over circuitsrather than RAM programs. • RAM complexity circuit or TM complexity • For programs with initial “data in memory”, efficiency gap can be exponential (e.g., Google search).

  5. Goals • Client’s work: • Server’s work: (RAM run-time of P). • May allow client pre-processingof P. • Client does one-time computation in O(RAM run-time of P). • Later, outsource many executions of P. Amortized efficiency. … Server Client

  6. Goals • Basic scenario: client wants to run independent executions of on inputs , , • Persistent Memory Data: • Client initially outsources large private ‘memory data’ D. • Program executions can read/write to D. … Server Client

  7. Goals • Non-interactive solution: “reusable garbled RAM”. Server Client

  8. Garbled Computation Persistent Memory Data: Garble Data: Can execute many programs with read/write access to data. Reusable Garbled Circuits [GKPVZ 13a,b] Garbled Circuits [Yao82] Can garble many inputs per circuit. • Garble circuit: • Garble input: • Given only reveals • Secure on one input . Efficiently outsource circuit comp. Extension to TM. Reusable Garbled RAM This Talk! Garbled RAM [LO13, GHLORW14] Garble RAM: Garble input: Size of , run-time is O(RAM run-time ). • Can garble many inputs per program. • Efficiently outsource RAM comp.

  9. Main Results 1-timeGarbledRAM + ReusableGarbled RAM ReusableGarbled Circuits New security/efficiency requirements. Instantiate with iO or Functional Rnc.

  10. Main Result with persistent data 1-timeGarbledRAM with persistent data + ReusableGarbled RAM with persistent data ReusableGarbled Circuits Stronger security requirements. Instantiate with “strong diO” (heuristic obf)

  11. Without Persistent Data

  12. 1-Time Garbled RAM Definition without persistent data View can be simulated given y Server • O(run-time) GProg GInput, ) • O(|x|,|y|) Client secret: k Eval, ) • O(run-time)

  13. Reusable Garbled RAM Definition without persistent data View can be simulated given Server GProg {GInput, ) : i=1,…} Client secret: k Eval, )

  14. Construct reusablegarbled RAMby combining: • one-time garbled RAM (GProg1, GInput1, GEval1) • reusable garbled circuits Reusable Gprog reusable circuit-garbling of Reusable Ginput Choose fresh one-time key garble input for , { GProg1; ) GInput1, ) } • Size of = (RAM run-time of ) • |input| = O(|x|) • |output| = (RAM run-time of )

  15. Construct reusablegarbled RAMby combining: • one-time garbled RAM (GProg1, GInput1, GEval1) • reusable garbled circuits Problem: In reusable garbled circuits of [GKPVZ13], size of garbled input always exceeds size of circuit output. Unfortunately: This is inherent. Cannot do better if want simulation security. , { GProg1; ) GInput1,) } • Size of = (RAM run-time of ) • |input| = O(|x|) • |output| = (RAM run-time of )

  16. Construct reusablegarbled RAMby combining: • one-time garbled RAM (GProg1, GInput1, GEval1) • reusable garbled circuits • Solution: • Show that we do not need simulation-security for reusable garbled-circuits. A weaker notion suffices. • Construct reusable garbled-circuits with weaker security notion but better efficiency needed in construction.

  17. Distributional Indistinguishability • Aweaker security notion for garbled circuits. Circuit and independent input distributions : • Ifsatisfy • Then • Can get huge output, small garbled input. • Follows from indistinguishability obfuscation, or functional encryption for circuits.

  18. , , • “Real-or-Dummy” program (flag,x,y) { if flag=1 // real output P(x) else //dummy output y } • User: garbles inputs (u=(flag=1, , ) • Simulator: garbles inputs ( u=(flag=0,, ) • { • GProg1; ) • GInput1,) • } (u=(flag,

  19. With Persistent Memory

  20. 1-time Garbled RAM Definition with persistent data View can be simulated given GData • O(|D|) Server • O(run-time) GProg GInput, ) Client secret: k Eva, ) • O(run-time)

  21. Reusable Garbled RAM Definition with persistent data View can be simulated given GData Server GProg GInput, ) Client secret: k Eva, )

  22. , , • Use 1-time G-RAM to garble data: GData1(D,k) • Crucial difference: • Before: fresh key k each time. • Now: same key k, index . • Inputs aren’t independent! • Cannot rely on “dis. ind” security of reusable garbled circuits. • { • GProg1,,) • GInput1,,) • } (u=(flag,

  23. Correlated Distributional Indistinguishability • Circuit and “correlated” input distributions : • If[ • Then • Follows from “strong differing-inputs obf.” (heuristic). • Can garble circuits with huge output, small garbled input.

  24. Theorem: Get reusable garbled RAM where: • Garble, evaluate program: O(RAM run-time P). • Garble input = O( input + output size). assuming “ind. obfuscation” + stat. sound NIZK. • Theorem: Get reusable garbled RAM with persistent memory where: • garble data = O( data size) • garble program = O( description size P ) • garble input = O( input + output size) • evaluate = O( RAM run-time P) assuming “strong differing-inputs obfuscation” (heuristic).

  25. Outsourcing via Reusable G-RAM • Client garbles program • Pre-processing = run-time • Client repeatedly garbles inputs . • Server evaluates on to get . • Evaluation time = run-time ) Server Client [ data ]. [ using ]

  26. Outsourcing via Reusable G-RAM • Client learns . Server sends it back (+1 round = optimal). • Output privacy: set = encryption of real output. Server sends back . • Verifiability: includes (one-time) MAC of real output. Server Client

  27. Thank You! Don’t turn me into a circuit!

More Related