Slide1
Oblivious RAM
Applied Cryptography
ECE/CS 498AM
University of Illinois
Slide2
Problem:
Software piracy
Oded Goldreich:
Existing “solutions” are ad-hoc
What is the minimal protected hardware required?
Approach:
Physically-shielded (i.e., tamper-proof) CPU
Encrypted program
CPU: fetch, decrypt, execute
Remark: RAM not protected!
Software Protection
Slide3
Encrypted program
Specification oracle
: Given input returns output
and running time
.
Desideratum (informal): Software protection is secure if whatever a PPT adversary can do with access to the encrypted program, she can also do with access to a specification oracle
Software Protection: Security
Slide4
How to achieve security?
Adversary has full control of main memory (RAM)
Must hide:
Values stored in memory
CPU encrypts values with an IND-CPA scheme
Sequence of memory accesses
Called memory access pattern
Access pattern should be independent of the program
Software Protection
Slide5
Client
Server
Oblivious RAM (ORAM)
CPU
RAM
Encrypted Program
Capacity:
- word
- cell
- block
Slide6
Indistinguishability under chosen-plaintext attack (IND-CPA)
is really
for some
Suppose RAM is a large array
:
Return
:
Why this is used for ORAM:
Let
, and
Then:
and
are indistinguishable
Encryption and Oblivious RAM
Slide7
Data request sequence:
: (logical) address / identifier of data item
: data or
if
Access pattern:
: sequence of accesses to the RAM / remote storage / server to satisfy request sequence
.
Typically construction dependent, e.g.,:
: actual address / identifier of block or cell
Oblivious RAM
Slide8
Definition:
Let
denote the sequence of accesses to the server performed by the ORAM construction to satisfy the request sequence
. The ORAM construction is secure if:
Correctness:
The construction is correct, i.e., it returns data consistent with the request sequence with probability at least )
Obliviousness: For any two request sequences
with
, we have:
for anyone except the client
Oblivious RAM
Slide9
Slide10
Gen(
):
:
For
up to
:
If
==
:
ret =
If op is
:
Return
Naive Solution
: table of N blocks
Server
Works:
- Correct
- Oblivious
Overhead: O(N)
- Read the entire table for every access
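Added example (not part of the original slides): the naive linear-scan solution as runnable Python, recording the access pattern the server observes. The names LinearScanORAM, enc, dec and trace are assumptions made for illustration, and the SHA-256-based toy cipher only stands in for an IND-CPA scheme.

```python
import hashlib
import os

def enc(key, pt):
    # Toy randomized cipher (constructed stand-in for an IND-CPA scheme,
    # blocks of at most 32 bytes): fresh nonce, SHA-256 output used as a pad.
    nonce = os.urandom(16)
    pad = hashlib.sha256(key + nonce).digest()
    return nonce + bytes(a ^ b for a, b in zip(pt, pad))

def dec(key, ct):
    pad = hashlib.sha256(key + ct[:16]).digest()
    return bytes(a ^ b for a, b in zip(ct[16:], pad))

class LinearScanORAM:
    def __init__(self, n, block_size=8):
        self.key = os.urandom(32)          # never leaves the client
        self.block_size = block_size
        self.server = [enc(self.key, bytes(block_size)) for _ in range(n)]
        self.trace = []                    # what the server sees: (op, cell)

    def access(self, op, addr, data=None):
        """op is "read" or "write"; returns the value stored before the access."""
        result = None
        for i in range(len(self.server)):  # touch every cell: O(N) per request
            self.trace.append(("read", i))
            value = dec(self.key, self.server[i])
            if i == addr:                  # client-side only, invisible to server
                result = value
                if op == "write":
                    value = data.ljust(self.block_size, b"\0")
            # Every cell is re-encrypted under a fresh nonce, so the server
            # cannot tell which cell (if any) actually changed.
            self.trace.append(("write", i))
            self.server[i] = enc(self.key, value)
        return result
```

The trace is identical for every request, whatever the operation or address, which is the obliviousness property; the price is the O(N) overhead stated on the slide.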
Slide11
For each of N½ requests:
Look for block in the shelter
If not found, get block from permuted memory, put it in shelter
Otherwise access the next dummy block
After N½ requests:
Reshuffle permuted memory, obliviously update with values in shelter
Oblivious RAM: Square Root Algorithm
Permuted memory
N blocks
N½ dummy blocks
N½ block shelter
- Correct
- Oblivious?
Overhead: O(N½)
Slide12
Oblivious Shuffling
Permuted memory
Source: Wikipedia
Use a sorting network:
Oblivious shuffling: sort based on a PRF
Sorted based on:
Cost:
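Added example (not part of the original slides): an oblivious shuffle that sorts blocks by a PRF tag using a sorting network, as used for the reshuffle step of the square root algorithm. The choice of a bitonic network, HMAC-SHA256 as the PRF, and all function names are assumptions made for illustration; the input length must be a power of two.

```python
import hashlib
import hmac

def bitonic_network(n):
    """Comparators (i, j, ascending) for n a power of two.
    The list depends only on n, never on the data being sorted."""
    comps = []
    k = 2
    while k <= n:
        j = k // 2
        while j >= 1:
            for i in range(n):
                partner = i ^ j
                if partner > i:
                    comps.append((i, partner, (i & k) == 0))
            j //= 2
        k *= 2
    return comps

def prf(key, addr):
    # HMAC-SHA256 as the PRF that assigns each address a pseudorandom tag.
    return hmac.new(key, addr.to_bytes(8, "big"), hashlib.sha256).digest()

def oblivious_shuffle(blocks, key):
    """blocks: list of (addr, data). Returns (shuffled blocks, cell pairs touched)."""
    tagged = [(prf(key, a), a, d) for a, d in blocks]
    trace = []
    for i, j, ascending in bitonic_network(len(tagged)):
        trace.append((i, j))               # the server only sees which cells
        lo, hi = sorted((tagged[i], tagged[j]))
        # Both cells are rewritten whether or not they swap; with re-encryption
        # the server cannot tell the outcome of the comparison.
        tagged[i], tagged[j] = (lo, hi) if ascending else (hi, lo)
    return [(a, d) for _, a, d in tagged], trace
```

A bitonic network on n inputs uses O(n log² n) compare-exchange steps, and the sequence of cell pairs is fixed in advance, so the resulting permutation is hidden from anyone who does not know the PRF key.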
Slide13
Claim (informally):
No ORAM construction with capacity
can satisfy all request sequences of length , unless it performs
accesses.
Balls and Bins game model:
Setup: balls in non-transparent cells; initially ball
in cell
Player (CPU): at most
balls (registers) at each time, may be probabilistic
Request sequence:
such that each
denotes a request for a specific ball
Observer (adversary)
Game (player) actions:
Put ball in cell
Get ball from cell
Touch a cell, but do nothing
Lower Bound: Balls and Bins
Slide14
Player produces action sequence:
Sequence of
actions:
: visible access pattern
: hidden actions
Valid action sequence must satisfy:
Correctness:
The action sequence must satisfy the request sequence
There is a sequence of indices
such that for every
, after action
ball
is in the player’s hand
Obliviousness:
Any request sequence must be satisfiable by:
So: it must be possible to satisfy all possible request sequences
Lower Bound: Balls and Bins
Slide15
Proof:
At each step the player holds at most
balls
A fixed sequence of actions can satisfy at most request sequences
Number of possible hidden action sequences:
Possible hidden actions:
get ball from cell (b registers)
put ball in cell
do nothing
By obliviousness, it must be possible to satisfy all
with the same action sequence. So:
Lower Bound: Balls and Bins
Slide16
Slide17
Path ORAM
Stefanov, Emil, et al. "Path ORAM: An Extremely Simple Oblivious RAM Protocol." ACM CCS 2013.
Stash
Server
Client
Position map:
block   leaf
x       3
y       1
z       4
Bucket (capacity
blocks)
leaves
Height:
Slide18
Path ORAM
Stash
Server
Client
Position map:
block   leaf
x       3
y       1
z       4
Invariant:
Each block is mapped to a uniformly random leaf
A block is either in the stash or somewhere down the path to its leaf
Slide19
Path ORAM: Example
Stash
Server
Client
Position map:
block   leaf
x       3
y       1
z       4
w       3
Leaves: 1 2 3 4
Request:
Slide20
Path ORAM: Example
Request:
4
Slide21
Path ORAM: Pseudocode
Stash
block
leaf
Position map
N: # of blocks; L: height of tree; Z: size of buckets; P(x,l): bucket at level l along path to leaf x from root; S: stash; position: position map
Slide22
Bandwidth overhead:
Per request:
blocks read +
blocks written
Storage
Server:
blocks
Client: position map + stash
What if the stash overflows?
Probability is negligible in
if stash is of size
Position map size:
bits
Solution: use recursion:
If blocks are large (e.g.,
bits) => same bandwidth overhead
Otherwise: additional
factor for bandwidth overhead
Path ORAM
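Added example (not part of the original slides, and not the authors' code): the Path ORAM access procedure in Python, using the slide's names L, Z, P(x,l), stash and position. Assumptions: leaves are numbered from 0, the tree is stored as a heap-ordered list, and encryption and dummy-block padding are left out so that only the access pattern is modelled.

```python
import random

class PathORAM:
    def __init__(self, L, Z=4, rng=None):
        self.L, self.Z = L, Z                    # tree height, bucket capacity
        self.rng = rng or random.SystemRandom()
        self.leaves = 2 ** L
        self.tree = [[] for _ in range(2 ** (L + 1) - 1)]   # server side
        self.position = {}                       # client: address -> leaf
        self.stash = {}                          # client: address -> data
        self.trace = []                          # leaves revealed to the server

    def P(self, x, l):
        """Index of the bucket at level l on the path from the root to leaf x."""
        return (2 ** l - 1) + (x >> (self.L - l))

    def access(self, op, a, data=None):
        x = self.position.get(a, self.rng.randrange(self.leaves))
        # Remap to a fresh uniformly random leaf before touching the server.
        self.position[a] = self.rng.randrange(self.leaves)
        self.trace.append(x)
        for l in range(self.L + 1):              # read the whole path into stash
            bucket = self.P(x, l)
            self.stash.update(self.tree[bucket])
            self.tree[bucket] = []
        result = self.stash.get(a)
        if op == "write":
            self.stash[a] = data
        for l in range(self.L, -1, -1):          # write back, deepest level first
            fits = [k for k in self.stash
                    if self.P(self.position[k], l) == self.P(x, l)][:self.Z]
            self.tree[self.P(x, l)] = [(k, self.stash.pop(k)) for k in fits]
        return result
```

Each access reads and rewrites the L+1 buckets of one path, and the leaf the server sees was chosen at random when the block was last remapped.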
Slide23
Obliviousness:
Server sees
which is a sequence
is the position of address
based on the position map, together with a sequence of encrypted paths
Proof:
For
:
is statistically independent of
Observe that:
If
: Once
is revealed, it is remapped to a new random label
If
: positions of different addresses are independent
Therefore:
Path ORAM
Slide24
Slide25
Three main applications:
Cloud Storage
Secure Processors
Secure Multi-party Computation (SMC)
Current best:
overhead, i.e., 20-40 X in practice
Server can perform computations:
overhead
Homomorphic encryption; still slower in many cases
Oblivious RAM Today
Slide26
[G87] Oded Goldreich. "Towards a theory of software protection and simulation by oblivious RAMs." ACM STOC 1987.
[GO96] Goldreich and Ostrovsky. "Software protection and simulation on oblivious RAMs." Journal of the ACM (JACM) 1996.
[SVSFRYD13] Emil Stefanov, Marten Van Dijk, Elaine Shi, Christopher Fletcher, Ling Ren, Xiangyao Yu, and Srinivas Devadas. "Path ORAM: an extremely simple oblivious RAM protocol." ACM CCS 2013.
References