Daniel Wichs Northeastern University with Craig Gentry Shai Halevi Mariana Raykova Problem Overview Weak client wants to leverage resources of a powerful server to compute without revealing ID: 687223
Download Presentation The PPT/PDF document "Outsourcing Private RAM Computation" is the property of its rightful owner. Permission is granted to download and print the materials on this web site for personal, non-commercial use only, and to display it on your personal computer provided you do not modify the materials and that you retain all copyright notices contained in the materials. By downloading content from our website, you accept the terms of this agreement.
Slide1
Outsourcing Private RAM Computation
Daniel
Wichs
Northeastern University
with: Craig Gentry,
Shai
Halevi
, Mariana
RaykovaSlide2
Problem Overview
Weak client wants to leverage resources of a powerful server to compute
without revealing
.Efficiency Requirements:Client does much less work than computing Server does about as much work as computing
Client
Server
…Slide3
Private outsourcing is possible using Fully Homomorphic
Encryption (FHE).
[RAD78,Gen09,…]
But FHE works over circuits rather than RAM programs.I’m very efficient!Use FHE! Done?Slide4
Private outsourcing is possible using Fully
Homomorphic
Encryption (FHE).
[RAD78,Gen09,…] But FHE works over circuits rather than RAM programs. RAM complexity circuit or TM complexity For programs with initial “data in memory”, efficiency gap can be exponential (e.g., Google search).
Circuits vs. RAMSlide5
Goals
Client’s
work
: Server’s work: (RAM run-time of P).May allow client pre-processing of P.Client does one-time computation in O(RAM run-time of P). Later, outsource many executions of P. Amortized efficiency.
Client
Server
…Slide6
Goals
Basic scenario:
client wants to run independent executions of
on inputs , , Persistent Memory Data: Client initially outsources large private ‘memory data’ D. Program executions
can read/write to D.
Client
Server
…Slide7
Goals
Non-interactive solution: “reusable garbled RAM”.
Client
ServerSlide8
Garbled Computation
Garbled Circuits
[Yao82]
Garble circuit: Garble input: Given
only reveals Secure on one input . Reusable Garbled Circuits
[GKPVZ 13a,b]
Can garble many inputs per circuit.Efficiently outsource circuit comp.Extension to TM.Garbled RAM[LO13, GHLORW14]Garble RAM: Garble input:
Size of
, run-time
is O(RAM run-time
).
Reusable Garbled RAM
This Talk!Can garble many inputs per program.Efficiently outsource RAM comp.
Persistent Memory Data:
Garble Data:
Can execute many programs with read/write access to data.
Slide9
Main Results
1-time
Garbled RAMReusable Garbled RAM+Reusable Garbled CircuitsNew security/efficiency requirements. Instantiate with
iO or Functional Rnc.Slide10
Main Result
1-time
Garbled RAMReusable Garbled RAM+Reusable Garbled CircuitsStronger security requirements. Instantiate with “strong diO
” (heuristic obf)
with persistent datawith persistent datawith persistent dataSlide11
Without Persistent DataSlide12
1-Time Garbled RAM Definition
Client
Server
secret:
k
Eval
,
)
without persistent data
GProg
GInp
ut
,
)
O(run-time)
O(run-time)
View can be simulated given
y
O
(|x|,|y|)
Slide13
Reusable Garbled RAM Definition
Client
Server
secret:
k
Eval
,
)
without persistent data
GProg
{
GInput, )
:
i
=1,…}
View can be simulated given
Slide14
Construct reusable
garbled RAM
by combining: one-time garbled RAM (GProg1, GInput1, GEval1) reusable garbled circuits
{
GProg1; ) GInput1,
)
}
,
Size of
= (RAM run-time of
)
|input| = O(|x|)|output| = (RAM run-time of )
Reusable
Gprog
reusable circuit-garbling of
Reusable
Ginput
Choose fresh one-time key
garble input
for
Slide15
Construct reusable
garbled RAM
by combining: one-time garbled RAM (GProg1, GInput1, GEval1) reusable garbled circuits
,
Size of = (RAM run-time of
)
|input| = O(|x|)|output| = (RAM run-time of ) Problem: In reusable garbled circuits of
[GKPVZ13], size of garbled input always exceeds size of circuit output.Unfortunately: This is inherent. Cannot do better if want simulation security.
{
GProg
1;
)
GInput1,
)
}
Slide16
Construct reusable
garbled RAM
by combining: one-time garbled RAM (GProg1, GInput1, GEval1) reusable garbled circuits Solution: Show that we do not need simulation-security for reusable garbled-circuits. A weaker notion suffices. Construct reusable garbled-circuits with weaker security notion but better efficiency needed in construction. Slide17
A
weaker
security notion for garbled circuits. Circuit and independent input distributions : If
satisfy
Then
Can get
huge
output
,
small garbled input
.
Follows from
indistinguishability
obfuscation, or functional encryption for circuits.
Distributional
IndistinguishabilitySlide18
“Real-or-
D
ummy” program
(flag,x,y ) { if flag=1 // real output P(x) else //dummy output y }User: garbles inputs (u=(flag=1, ,
)Simulator: garbles inputs (
u=(flag=0,, )
,
,
(
u=(flag,
{
GProg
1
;
)
GInput
1
,
)
}
Slide19
With Persistent MemorySlide20
1-time Garbled RAM Definition
Client
Server
secret:
k
GData
GProg
GInput
,
)
Eva
,
)
O(run-time)
O(run-time)
with
persistent data
View can be simulated given
O
(|D|)
Slide21
Reusable Garbled RAM Definition
Client
Server
secret:
k
GData
GInput
,
)
Eva
,
)
with
persistent data
View can be simulated given
GProg
Slide22
Use
1-time
G-RAM
to garble data: GData1(D,k)Crucial difference: Before: fresh key k each time.Now: same key k, index .Inputs aren’t independent!Cannot rely on “dis. ind” security of reusable garbled circuits.
,
,
(
u=(flag,
{
GProg
1
,
,
)
GInput
1
,
,
)
}
Slide23
Circuit
and
“correlated” input distributions
:
If
[
Then
Follows from “strong differing-inputs
obf
.” (heuristic).
Can garble circuits with
huge output
,
small garbled input
.
Correlated Distributional
IndistinguishabilitySlide24
Theorem:
Get
reusable garbled RAM
where:Garble, evaluate program: O(RAM run-time P).Garble input = O( input + output size). assuming “ind. obfuscation” + stat. sound NIZK.Theorem: Get reusable garbled RAM with persistent memory where:garble data = O( data size) garble program = O( description size P )garble input = O( input + output size)evaluate = O( RAM run-time P)assuming “strong differing-inputs obfuscation” (heuristic).Slide25
Outsourcing via
Reusable
G-RAM
Client garbles program Pre-processing = run-time Client repeatedly garbles inputs
.Server evaluates
on to get .Evaluation time = run-time )
Client
Server
[ data
].
[ using
]
Slide26
Client learns
.
Server sends it back (+1 round = optimal).
Output privacy: set = encryption of real output. Server sends back .Verifiability: includes (one-time) MAC of real output.
Client
Server
Outsourcing via
Reusable
G-RAMSlide27
Don’t turn me into a circuit!
Thank You!