Adaptively Secure Succinct Garbled RAM with Persistent Memory

Size: px

Start display at page:

Download "Adaptively Secure Succinct Garbled RAM with Persistent Memory"

April Johnston
5 years ago
Views:

1 Adaptively Secure Succinct Garbled RAM with Persistent Memory Ran Canetti, Yilei Chen, Justin Holmgren, Mariana Raykova DIMACS workshop MIT Media Lab June 8~10,

2 : June 11, 2016, Boston, heavy snow. 2

3 : June 11, 2016, Boston, heavy snow. Alice finds a quasi-polynomial time algorithm for factoring. 3

4 : June 11, 2016, Boston, heavy snow. Alice finds a quasi-polynomial time algorithm for factoring. Alice 4

5 : June 11, 2016, Boston, heavy snow. Alice finds a quasi-polynomial time algorithm for factoring. : Instead of submitting to STOC, she thinks it s cool to write a program and show off to her friends. 5

6 > Factoring.hs RSA2048 6

7 > Factoring.hs RSA2048 Running time 7 hrs 34 mins = x Next question 7

8 : It is slow on her laptop (quasi-polynomial time, you know) cannot fit into a party. 8

9 : It is slow on her laptop (quasi-polynomial time, you know) cannot fit into a party. : So she turns to cloud, but clouds are big brothers 9

10 : It is slow on her laptop (quasi-polynomial time, you know) cannot fit into a party. : So she turns to cloud, but clouds are big brothers : She heard that one can delegate the computation in a way that the server learns only the output of the computation but nothing else 10

11 My friends and NSA will be shocked by the runtime without learning anything other than the output 11

12 The algorithm has huge preprocessing, stores lots of nonzero points on the Zeta function... My friends and NSA will be shocked by the runtime without learning anything other than the output 12

13 The algorithm has huge preprocessing, stores lots of nonzero points on the Zeta function... My friends and NSA will be shocked by the runtime without learning anything other than the output Wait... the audiences already know too much. 13

14 > sudo apt-get install FHE 14

15 > sudo apt-get install FHE > FHE Factoring.hs 15

16 > sudo apt-get install FHE > FHE Factoring.hs Turning the program into circuits... 16

17 > sudo apt-get install FHE > FHE Factoring.hs Turning the program into circuits... ^C 17

18 > sudo apt-get install FHE > FHE Factoring.hs Turning the program into circuits... ^C > > sudo apt-get install Yao > Yao Factoring.hs 18

19 > sudo apt-get install FHE > FHE Factoring.hs Turning the program into circuits... ^C > > sudo apt-get install Yao > Yao Factoring.hs Still turning the program into circuits... #Yao 19

20 > sudo apt-get install FHE > FHE Factoring.hs Turning the program into circuits... ^C > > sudo apt-get install Yao > Yao Factoring.hs Still turning the program into circuits... ^C^C^C^C^C^C^C > 20

21 > sudo apt-get install GRAM_Lu_Ostrovsky > GRAM_Lu_Ostrovsky Factoring.hs 21

22 > sudo apt-get install GRAM_Lu_Ostrovsky > GRAM_Lu_Ostrovsky Factoring.hs Warning: Program size as big as the running time, continue (y) or not (n) 22

23 > sudo apt-get install GRAM_Lu_Ostrovsky > GRAM_Lu_Ostrovsky Factoring.hs Warning: Program size as big as the running time, continue (y) or not (n) n > 23

24 > sudo apt-get install PRAM 24

25 > sudo apt-get install PRAM > PRAM Factoring.hs 25

26 > sudo apt-get install PRAM > PRAM Factoring.hs Done -> PRAM_Factoring 26

27 > sudo apt-get install PRAM > PRAM Factoring.hs Done -> PRAM_Factoring > PRAM_Factoring RSA

28 > sudo apt-get install PRAM > PRAM Factoring.hs Done -> PRAM_Factoring > PRAM_Factoring RSA2048 Warning: cannot adaptively choose functions or inputs, security at user s own risk, continue (y) or not (n) 28

29 > sudo apt-get install PRAM > PRAM Factoring.hs Done -> PRAM_Factoring > PRAM_Factoring RSA2048 Warning: cannot adaptively choose functions or inputs, security at user s own risk, continue (y) or not (n) n 29

30 Huge amount of preprocessed data reusable Adaptively pick integers Don t turn into circuits, don t blow up too much 30

31 Garbling/randomized encoding for RAM with persistent memory 31

32 Garbling/randomized encoding for RAM with persistent memory Gen => msk 32

33 Garbling/randomized encoding for RAM with persistent memory Gen => msk msk + D0 => G(D0) 33

34 Garbling/randomized encoding for RAM with persistent memory Gen => msk msk + D0 => G(D0) msk + P1 => G(P1) 34

35 Garbling/randomized encoding for RAM with persistent memory Gen => msk msk + D0 => G(D0) msk + P1 => G(P1) Eval G(D0) G(P1) => P1(D0) 35

36 Garbling/randomized encoding for RAM with persistent memory Gen => msk Persistency msk + D0 => G(D0) msk + P1 => G(P1) Eval G(D0) G(P1) => P1(D0) G(D1) 36

37 Garbling/randomized encoding for RAM with persistent memory Gen => msk Persistency msk + D0 => G(D0) msk + P1 => G(P1) Eval msk G(D0) + P2 G(P1) => => P1(D0) G(D1) G(P2) 37

38 Garbling/randomized encoding for RAM with persistent memory Gen => msk Persistency msk + D0 => G(D0) msk + P1 => G(P1) Eval msk Eval... G(D0) + P2 G(D1) G(P1) => => P1(D0) G(D1) G(P2) G(P2) => P2(D1) G(D2) 38

39 Garbling/randomized encoding for RAM with persistent memory D0 Succinct G(D0) P1 G(P1) 39

40 Garbling/randomized encoding for RAM with persistent memory Adaptively simulation secure?? P1(D0) 40

41 Garbling/randomized encoding for RAM with persistent memory? => G(D0)? => G(P1) G(D0) G(P1) <= P1(D0) Adaptively simulation secure G(D1) 41

42 Garbling/randomized encoding for RAM with persistent memory? => G(D0)? => G(P1) G(D0) G(P1) Adaptively simulation secure <= P1(D0) G(D1)? G(D1) P2(D1) 42

43 Garbling/randomized encoding for RAM with persistent memory? => G(D0)? => G(P1) G(D0)? G(D1) G(P1) => <= P1(D0) Adaptively simulation secure G(D1) G(P2) G(P2) <= P2(D1) G(D2) 43

44 Theorem 44

45 [Main Theorem] Adaptively secure succinct garbled RAM with persistent memory from indistinguishability obfuscation for circuits, and poly-to-1 collision-resistant hash function. 45

46 Starring 46

47 Indistinguishability Obfuscator 47

48 Indistinguishability Obfuscator for circuits Defined by [Barak-Goldreich-Impagliazzo-Rudich-Sahai-Vadhan-Yang 01] Security: io[ F0 ] io[ F1 ] if F0 and F1 have identical functionality Candidate constructions: [Garg-Gentry-Halevi-Raykova-Sahai-Waters 13], [Barak-Garg-Kalai-Paneth-Sahai 14], [Brakerski-Rothblum 14], [Pass-Seth-Telang 14], [Zimmerman 15], [Applebaum-Brakerski 15], [Ananth-Jain 15], [Bitansky-Vaikuntanathan 15], [Gentry-Gorbunov-Halevi 15], [Lin 16], Cryptanalyses: [Cheon-Han-Lee-Ryu-Stehle 15], [Coron et al 15], [Miles-Sahai-Zhandry 16],... 48

49 Poly-to-one Collision Resistant Hash function 49

50 Poly-to-one collision resistant hash functions H is collision resistant + each image has at most poly preimages. [Thm] Exists for constant c, assuming Factoring or Discrete-log is hard. 50

51 The rest of the talk: 1. The main idea of the construction. 2. The technical heart: adaptively-enforceable accumulator. 3. Wrap up, and the easiest ways to think of our scheme. 51

52 Starting point: Canetti-Holmgren s selective secure scheme. 52

53 Starting point: Canetti-Holmgren s selective secure scheme. High-level idea of the Canetti-Holmgren construction: Garble the CPU-step circuit, encrypt and authenticate the intermediate states, memories. 53

54 You never know how hard it is to use io before actually play with it. [ said Justin Holmgren, June 22, 2015, sunny ] 54

55 Starting point: Canetti-Holmgren s selective secure scheme. High-level idea of the Canetti-Holmgren construction: Garble the CPU-step circuit, encrypt and authenticate the intermediate states, memories. Canetti-Holmgren scheme details: Fixed-transcript => Fixed-access => Fixed-address => Fully secure 55

56 Starting point: Canetti-Holmgren s selective secure scheme. High-level idea of the Canetti-Holmgren construction: Garble the CPU-step circuit, encrypt and authenticate the intermediate states, memories. Canetti-Holmgren scheme details: Fixed-transcript => Fixed-access => Fixed-address => Fully secure Indistinguishable as long as transc = (q, op) are the same. [KLW-technique] 56

57 Starting point: Canetti-Holmgren s selective secure scheme. High-level idea of the Canetti-Holmgren construction: Garble the CPU-step circuit, encrypt and authenticate the intermediate states, memories. Canetti-Holmgren scheme details: Fixed-transcript => Fixed-access => Fixed-address => Fully secure Indistinguishable as long as transc = (q, op) are the same. [KLW-technique] q can be different [encrypt the state] 57

58 Starting point: Canetti-Holmgren s selective secure scheme. High-level idea of the Canetti-Holmgren construction: Garble the CPU-step circuit, encrypt and authenticate the intermediate states, memories. Canetti-Holmgren scheme details: Fixed-transcript => Fixed-access => Fixed-address => Fully secure Indistinguishable as long as transc = (q, op) are the same. [KLW-technique] q can be different [encrypt the state] Memory content can be different [encrypt the data] 58

59 Starting point: Canetti-Holmgren s selective secure scheme. High-level idea of the Canetti-Holmgren construction: Garble the CPU-step circuit, encrypt and authenticate the intermediate states, memories. Canetti-Holmgren scheme details: Fixed-transcript => Fixed-access => Fixed-address => Fully secure Indistinguishable as long as transc = (q, op) are the same. [KLW-technique] q can be different [encrypt the state] Memory content can be different [encrypt the data] Hide access pattern. [oram] 59

60 Starting point: Canetti-Holmgren s selective secure scheme. High-level idea of the Canetti-Holmgren construction: Garble the CPU-step circuit, encrypt and authenticate the intermediate states, memories. Canetti-Holmgren scheme details: Fixed-transcript => Fixed-access => Fixed-address => Fully secure Indistinguishable as long as transc = (q, op) are the same. [KLW-technique] q can be different [encrypt the state] Memory content can be different [encrypt the data] Hide access pattern. [oram] 60

61 Canetti-Holmgren (ITCS16) 61

62 Canetti-Holmgren (ITCS16) + Zoom-in the core step: 62

63 Canetti-Holmgren (ITCS16) + Zoom-in the core step: Koppula-Lewko-Waters (STOC15) (io-friendly) Iterator (io-friendly) Accumulator (io-friendly) Splittable signature 63

64 Canetti-Holmgren (ITCS16) + Zoom-in the core step: Koppula-Lewko-Waters (STOC15) (io-friendly) Iterator (io-friendly) Accumulator (io-friendly) Splittable signature Accumulator io-friendly Merkle-tree What is written in eprint 2015/

65 Canetti-Holmgren (ITCS16) + Zoom-in the core step: G(D0) in iti ali ze Koppula-Lewko-Waters (STOC15) (io-friendly) Iterator (io-friendly) Accumulator (io-friendly) Splittable signature Accumulator io-friendly Merkle-tree What is written in eprint 2015/

66 Canetti-Holmgren (ITCS16) + Zoom-in the core step: Koppula-Lewko-Waters (STOC15) (io-friendly) Iterator (io-friendly) Accumulator (io-friendly) Splittable signature in iti ali ze G(D0) Accumulator io-friendly Merkle-tree te Authentica G(Pi+1) key What is written in eprint 2015/

67 Canetti-Holmgren (ITCS16) + Zoom-in the core step: Koppula-Lewko-Waters (STOC15) (io-friendly) Iterator (io-friendly) Accumulator (io-friendly) Splittable signature in iti ali ze G(D0) Accumulator io-friendly Merkle-tree te G(Pi+1) Authentica key upda te G(Di+1) What is written in eprint 2015/

68 Canetti-Holmgren (ITCS16) + Zoom-in the core step: ++ Zoom-in the accumulator 68

69 Canetti-Holmgren (ITCS16) + Zoom-in the core step: ++ Zoom-in the accumulator Properties needed for the Accumulator - Normal property like a Merkle-tree. #Merkletree 69

70 Canetti-Holmgren (ITCS16) + Zoom-in the core step: ++ Zoom-in the accumulator Properties needed for the Accumulator - Normal property like a Merkle-tree. #Merkletree 70

71 Canetti-Holmgren (ITCS16) + Zoom-in the core step: ++ Zoom-in the accumulator Properties needed for the Accumulator - Normal property like a Merkle-tree. #Merkletree 71

72 Canetti-Holmgren (ITCS16) + Zoom-in the core step: ++ Zoom-in the accumulator Properties needed for the Accumulator - Normal property like a Merkle-tree. #Merkletree 72

73 y* Canetti-Holmgren (ITCS16) + Zoom-in the core step: ++ Zoom-in the accumulator Properties needed for the Accumulator - Normal property like a Merkle-tree. - Enforcement (io-friendly property): there s only one preimage x* of the current root value y*. x* #Merkletree 73

74 y* Canetti-Holmgren (ITCS16) + Zoom-in the core step: ++ Zoom-in the accumulator Properties needed for the Accumulator - Normal property like a Merkle-tree. - Enforcement (io-friendly property): there s only one preimage x* of the current root value y*. Impossible information theoretically. x* #Merkletree 74

75 y* Canetti-Holmgren (ITCS16) + Zoom-in the core step: ++ Zoom-in the accumulator Properties needed for the Accumulator - Normal property like a Merkle-tree. - Enforcement (io-friendly property): there s only one preimage x* of the current root value y*. Impossible information theoretically. x* KLW s computational enforcement: Normal.Gen( )->H Enforce.Gen( x*, y*)->h*, H H* #Merkletree 75

y* Canetti-Holmgren (ITCS16) + Zoom-in the core step: ++ Zoom-in the accumulator Properties needed for the Accumulator - Normal property like a Merkle-tree.

76 y* Canetti-Holmgren (ITCS16) + Zoom-in the core step: ++ Zoom-in the accumulator Properties needed for the Accumulator - Normal property like a Merkle-tree. - Enforcement (io-friendly property): there s only one preimage x* of the current root value y*. Impossible information theoretically. x* KLW s computational enforcement: Normal.Gen( )->H Enforce.Gen( x*, y*)->h*, H H* #Merkletree Alternatively: SSB hashing => [Ananth-Chen-Chung-Lin-Lin] 76

77 Selective Enforcing Adaptive Enforcing 77

78 Selective Enforcing Adaptive Enforcing x* <= Adversary 78

79 Selective Enforcing Adaptive Enforcing x* <= Adversary Gen( ) => H Enforcing(x*, y*) => H* 79

80 Selective Enforcing x* <= Adversary Adaptive Enforcing Gen( ) => H Gen( ) => H Enforcing(x*, y*) => H* 80

81 Selective Enforcing x* <= Adversary Gen( ) => H Adaptive Enforcing Gen( ) => H x* <= Adversary(H) Enforcing(x*, y*) => H* 81

82 Selective Enforcing x* <= Adversary Gen( ) => H Enforcing(x*, y*) => H* Adaptive Enforcing Gen( ) => H x* <= Adversary(H) Enforcing(x*, y*) => H* 82

83 Selective Enforcing x* <= Adversary Gen( ) => H Enforcing(x*, y*) => H* Adaptive Enforcing Gen( ) => H x* <= Adversary(H) Enforcing(x*, y*) => H* ( wait, what?) 83

84 #Mindblowing 84

85 Fact I Can separate the key 85

86 key = hk + vk in iti ali ze G(D0) Accumulator io-friendly Merkle-tree te G(Pi+1) Authentica key upda te G(Di+1) What is written in eprint 2015/

87 key = hk + vk G(D0) in iti ali ze hk Accumulator io-friendly Merkle-tree te G(Pi+1) Authentica vk key upda te hk G(Di+1) What is written in eprint 2015/

88 Adaptive Enforcing hk 88

89 Adaptive Enforcing hk x* <= Adversary( hk ) 89

90 Adaptive Enforcing hk x* <= Adversary( hk ) vk vk*(x*) 90

91 Fact II If you believe dio... 91

92 key = hk + vk Adaptive Enforcing 92

93 key = hk + Adaptive Enforcing vk hk always_hk_gen( ) -> hk := CRHF key h 93

94 key = hk + Adaptive Enforcing vk hk x* <= Adversary(H) always_hk_gen( ) -> hk := CRHF key h 94

95 key = hk + Adaptive Enforcing vk hk x* <= Adversary(H) vk always_hk_gen( ) -> hk := CRHF key h normal_vk_gen( ) -> vk vk(x,y) = dio( if h(x)=y, output 1; else: output 0 ) 95

96 key = hk + Adaptive Enforcing vk hk x* <= Adversary(H) vk always_hk_gen( vk*(x*) ) -> hk := CRHF key h normal_vk_gen( ) -> vk vk(x,y) = dio( if h(x)=y, output 1; else: output 0 ) enforce_vk_gen( x*, y* ) -> vk* vk*(x,y) = dio( if y!=y* and h(x)=y, output 1; Elseif y=y* and x=x*, output 1; Else: output 0 ) 96

97 Fact III: If you don t believe dio, can still do this with io. 97

98 From io + preimage-bounded CRHF: c-to-1 CRHF can be constructed from discrete-log or factoring 98

99 From io + preimage-bounded CRHF: c-to-1 CRHF can be constructed from discrete-log or factoring enforce_vk( x*, y* ) -> vk* vk*(x,y) = dio( if y!=y* and h(x)=y, output 1; Elseif y=y* and x=x*, output 1; Else: output 0 ) 99

100 From io + preimage-bounded CRHF: c-to-1 CRHF can be constructed from discrete-log or factoring enforce_vk( x*, y* ) -> vk* vk*(x,y) = dio( if y!=y* and h(x)=y, output 1; Elseif y=y* and x=x*, output 1; Else: output 0 ) By dio-io equivalence lemma [ Boyle-Chung-Pass 14 ]: If f1 and f2 differ only on polynomially many input-output values, and they are hard to find, then io(f1) io(f2) 100

101 From io + preimage-bounded CRHF: c-to-1 CRHF can be constructed from discrete-log or factoring enforce_vk( x*, y* ) -> vk* vk*(x,y) = dio( if y!=y* and h(x)=y, output 1; Elseif y=y* and x=x*, output 1; Else: output 0 ) From shrinking 1 bit to length-halving: Merkle-Damgaard. 101

102 Fact IV: Adaptive Enforceable Accumulator done 102

103 Rest of the upgrades: Canetti-Holmgren scheme details: Fixed-transcript => Fixed-access => Fixed-address => Fully secure Indistinguishable as long as transc = (q, op) are the same. [KLW-technique. Assume io] q can be different [encrypt the state] Memory content can be different [encrypt the data] Hide access pattern. [oram] 103

104 Rest of the upgrades: Canetti-Holmgren scheme details: Fixed-transcript => Fixed-access => Fixed-address => Fully secure Indistinguishable as long as transc = (q, op) are the same. [KLW-technique. Assume io] q can be different [encrypt the state] Memory content can be different [encrypt the data] Hide access pattern. [oram] + adaptively enforceable accumulator [ from io+dlog or factoring ] 104

105 Rest of the upgrades: Canetti-Holmgren scheme details: Fixed-transcript => Fixed-access => Fixed-address => Fully secure Indistinguishable as long as transc = (q, op) are the same. [KLW-technique. Assume io] q can be different [encrypt the state] Memory content can be different [encrypt the data] Hide access pattern. [oram] + adaptively enforceable accumulator [ from io+dlog or factoring ] Need a special property of the ORAM Strong local randomness, satisfied by Chung-Pass ORAM. With this property, can guess polynomially many addresses. 105

106 Rest of the upgrades: Canetti-Holmgren scheme details: Fixed-transcript => Fixed-access => Fixed-address => Fully secure Indistinguishable as long as transc = (q, op) are the same. [KLW-technique. Assume io] q can be different [encrypt the state] Memory content can be different [encrypt the data] Hide access pattern. [oram] + adaptively enforceable accumulator [ from io+dlog or factoring ] SS [H B ha [O ubac sh PW ek W -W ] ich Need a special property of the ORAM Strong local randomness, satisfied by Chung-Pass ORAM. With this property, can guess polynomially many addresses. s] [Ananth-Chen-Chung-Lin-Lin, eprint 2015/1082] can be viewed as accomplishing this for all the steps. 106

Summary 1. 2. 3. 4. 5. Adaptively secure garbled RAM with persistent memory. Everything is succinct.

107 Summary Adaptively secure garbled RAM with persistent memory. Everything is succinct. Upgrading to delegation with verifiability is almost for free. Reusability is natural. New io-friendly tool: adaptively-enforceable accumulator (from io+preimage-bounded-crhf) 107

108 Scenes 108

109 109

110 > sudo apt-get install GRAM_Canetti_Holmgren 110

111 > sudo apt-get install GRAM_Canetti_Holmgren package indistinguishability_obfuscation not an accepted assumption, security at user s own risk, continue (y) or not (n) 111

112 > sudo apt-get install GRAM_Canetti_Holmgren package indistinguishability_obfuscation not an accepted assumption, security at user s own risk, continue (y) or not (n) y 112

113 > sudo apt-get install GRAM_Canetti_Holmgren package indistinguishability_obfuscation not an accepted assumption, security at user s own risk, continue (y) or not (n) y > upgrade GRAM_CCHR Done 113

114 > sudo apt-get install GRAM_Canetti_Holmgren package indistinguishability_obfuscation not an accepted assumption, security at user s own risk, continue (y) or not (n) y > upgrade GRAM_CCHR Done > NSAcloud: GRAM_CCHR_Factoring RSA

115 > sudo apt-get install GRAM_Canetti_Holmgren package indistinguishability_obfuscation not an accepted assumption, security at user s own risk, continue (y) or not (n) y > upgrade GRAM_CCHR Done > NSAcloud: GRAM_CCHR_Factoring RSA2048 Running time 1.0s = x Next question 115

Yilei Chen Craig Gentry Shai 2017

Yilei Chen Craig Gentry Shai 2017 e t a d i d n a c f s o r s o e t s a y c l s a u n f a b t o p y m r a C r g o r p g n i h c n a br Yilei Chen Craig Gentry Shai Halevi @Eurocrypt 07 976, Diffie, Hellman: We stand today on the brink