outsourcing private ram computation
DESCRIPTION
Outsourcing Private RAM Computation. Daniel Wichs Northeastern University with: Craig Gentry, Shai Halevi , Mariana Raykova. Problem Overview. Weak client wants to leverage resources of a powerful server to compute without revealing . Efficiency Requirements: - PowerPoint PPT PresentationTRANSCRIPT
![Page 1: Outsourcing Private RAM Computation](https://reader038.vdocuments.us/reader038/viewer/2022102808/56812a98550346895d8e4c48/html5/thumbnails/1.jpg)
Outsourcing Private RAM Computation
Daniel WichsNortheastern University
with: Craig Gentry, Shai Halevi, Mariana Raykova
![Page 2: Outsourcing Private RAM Computation](https://reader038.vdocuments.us/reader038/viewer/2022102808/56812a98550346895d8e4c48/html5/thumbnails/2.jpg)
Problem Overview
• Weak client wants to leverage resources of a powerful server to compute without revealing .
• Efficiency Requirements:– Client does much less work than computing – Server does about as much work as computing
Client Server
𝑥
𝑦=𝑃 (𝑥)
…
![Page 3: Outsourcing Private RAM Computation](https://reader038.vdocuments.us/reader038/viewer/2022102808/56812a98550346895d8e4c48/html5/thumbnails/3.jpg)
• Private outsourcing is possible using Fully Homomorphic Encryption (FHE). [RAD78,Gen09,…]
• But FHE works over circuits rather than RAM programs.
I’m very efficient!
Use FHE! Done?
![Page 4: Outsourcing Private RAM Computation](https://reader038.vdocuments.us/reader038/viewer/2022102808/56812a98550346895d8e4c48/html5/thumbnails/4.jpg)
• Private outsourcing is possible using Fully Homomorphic Encryption (FHE). [RAD78,Gen09,…]
• But FHE works over circuits rather than RAM programs.– RAM complexity circuit or TM complexity – For programs with initial “data in memory”, efficiency gap can be
exponential (e.g., Google search).
Circuits vs. RAM
![Page 5: Outsourcing Private RAM Computation](https://reader038.vdocuments.us/reader038/viewer/2022102808/56812a98550346895d8e4c48/html5/thumbnails/5.jpg)
Goals
• Client’s work: • Server’s work: (RAM run-time of P).
• May allow client pre-processing of P.– Client does one-time computation in O(RAM run-time of P). – Later, outsource many executions of P. Amortized efficiency.
Client Server
𝑥
𝑦=𝑃 (𝑥)
…
![Page 6: Outsourcing Private RAM Computation](https://reader038.vdocuments.us/reader038/viewer/2022102808/56812a98550346895d8e4c48/html5/thumbnails/6.jpg)
Goals
• Basic scenario: client wants to run independent executions of on inputs , ,
• Persistent Memory Data: – Client initially outsources large private ‘memory data’ D. – Program executions can read/write to D.
Client Server
𝑥
𝑦=𝑃 (𝑥)
~𝐷
…
![Page 7: Outsourcing Private RAM Computation](https://reader038.vdocuments.us/reader038/viewer/2022102808/56812a98550346895d8e4c48/html5/thumbnails/7.jpg)
Goals
• Non-interactive solution: “reusable garbled RAM”.
Client Server
![Page 8: Outsourcing Private RAM Computation](https://reader038.vdocuments.us/reader038/viewer/2022102808/56812a98550346895d8e4c48/html5/thumbnails/8.jpg)
Garbled ComputationGarbled Circuits
[Yao82]
Garble circuit: Garble input:
Given only reveals Secure on one input .
Reusable Garbled Circuits[GKPVZ 13a,b]
Can garble many inputs per circuit.
Efficiently outsource circuit comp.Extension to TM.
Garbled RAM[LO13, GHLORW14]
Garble RAM: Garble input:
Size of , run-time is O(RAM run-time ).
Reusable Garbled RAMThis Talk!
Can garble many inputs per program.
Efficiently outsource RAM comp.
Persistent Memory Data:
Garble Data:
Can execute many programs with read/write access to data.
![Page 9: Outsourcing Private RAM Computation](https://reader038.vdocuments.us/reader038/viewer/2022102808/56812a98550346895d8e4c48/html5/thumbnails/9.jpg)
Main Results
1-time Garbled RAM
Reusable Garbled RAM+
Reusable Garbled Circuits
New security/efficiency requirements. Instantiate with iO or Functional Rnc.
![Page 10: Outsourcing Private RAM Computation](https://reader038.vdocuments.us/reader038/viewer/2022102808/56812a98550346895d8e4c48/html5/thumbnails/10.jpg)
Main Result
1-time Garbled RAM
Reusable Garbled RAM+
Reusable Garbled Circuits
Stronger security requirements. Instantiate with “strong diO” (heuristic obf)
with persistent data
with persistent data
with persistent data
![Page 11: Outsourcing Private RAM Computation](https://reader038.vdocuments.us/reader038/viewer/2022102808/56812a98550346895d8e4c48/html5/thumbnails/11.jpg)
Without Persistent Data
![Page 12: Outsourcing Private RAM Computation](https://reader038.vdocuments.us/reader038/viewer/2022102808/56812a98550346895d8e4c48/html5/thumbnails/12.jpg)
1-Time Garbled RAM Definition
Client Serversecret: k
Eval, )
without persistent data
GProg
GInput, )
O(run-time)
O(run-time)
View can be simulated given
y
O(|x|,|y|)
![Page 13: Outsourcing Private RAM Computation](https://reader038.vdocuments.us/reader038/viewer/2022102808/56812a98550346895d8e4c48/html5/thumbnails/13.jpg)
Reusable Garbled RAM Definition
Client Serversecret: k
Eval, )
without persistent data
GProg
{ GInput, ) : i=1,…}
View can be simulated given
![Page 14: Outsourcing Private RAM Computation](https://reader038.vdocuments.us/reader038/viewer/2022102808/56812a98550346895d8e4c48/html5/thumbnails/14.jpg)
• Construct reusable garbled RAM by combining:– one-time garbled RAM (GProg1, GInput1, GEval1) – reusable garbled circuits
𝑥 ,𝑘
{ GProg1; ) GInput1, )
}
,
• Size of = (RAM run-time of )• |input| = O(|x|)• |output| = (RAM run-time of )
Reusable Gprog reusable circuit-garbling of
Reusable Ginput Choose fresh one-time key garble input for
![Page 15: Outsourcing Private RAM Computation](https://reader038.vdocuments.us/reader038/viewer/2022102808/56812a98550346895d8e4c48/html5/thumbnails/15.jpg)
• Construct reusable garbled RAM by combining:– one-time garbled RAM (GProg1, GInput1, GEval1) – reusable garbled circuits
𝑥 ,𝑘
,
• Size of = (RAM run-time of )• |input| = O(|x|)• |output| = (RAM run-time of )
Problem: In reusable garbled circuits of [GKPVZ13], size of garbled input always exceeds size of circuit output.
Unfortunately: This is inherent. Cannot do better if want simulation security.
{ GProg1; ) GInput1, )
}
![Page 16: Outsourcing Private RAM Computation](https://reader038.vdocuments.us/reader038/viewer/2022102808/56812a98550346895d8e4c48/html5/thumbnails/16.jpg)
• Construct reusable garbled RAM by combining:– one-time garbled RAM (GProg1, GInput1, GEval1) – reusable garbled circuits
• Solution: – Show that we do not need simulation-security for
reusable garbled-circuits. A weaker notion suffices. – Construct reusable garbled-circuits with weaker security
notion but better efficiency needed in construction.
![Page 17: Outsourcing Private RAM Computation](https://reader038.vdocuments.us/reader038/viewer/2022102808/56812a98550346895d8e4c48/html5/thumbnails/17.jpg)
• A weaker security notion for garbled circuits. Circuit and independent input distributions :– If satisfy – Then
• Can get huge output, small garbled input. – Follows from indistinguishability obfuscation, or functional encryption for
circuits.
Distributional Indistinguishability
![Page 18: Outsourcing Private RAM Computation](https://reader038.vdocuments.us/reader038/viewer/2022102808/56812a98550346895d8e4c48/html5/thumbnails/18.jpg)
• “Real-or-Dummy” program (flag,x,y ) {
if flag=1 // real output P(x) else //dummy output y }
• User: garbles inputs (u=(flag=1, , )
• Simulator: garbles inputs ( u=(flag=0,, )
,
𝑥 ,𝑘
,
(u=(flag,
{ GProg1; ) GInput1, )
}
𝑢 ,
![Page 19: Outsourcing Private RAM Computation](https://reader038.vdocuments.us/reader038/viewer/2022102808/56812a98550346895d8e4c48/html5/thumbnails/19.jpg)
With Persistent Memory
![Page 20: Outsourcing Private RAM Computation](https://reader038.vdocuments.us/reader038/viewer/2022102808/56812a98550346895d8e4c48/html5/thumbnails/20.jpg)
1-time Garbled RAM Definition
Client Serversecret: k
GData
GProg
GInput, )
Eva, )
O(run-time)
O(run-time)
with persistent dataView can be
simulated given
O(|D|)
![Page 21: Outsourcing Private RAM Computation](https://reader038.vdocuments.us/reader038/viewer/2022102808/56812a98550346895d8e4c48/html5/thumbnails/21.jpg)
Reusable Garbled RAM Definition
Client Serversecret: k
GData
GInput, )
Eva, )
with persistent dataView can be
simulated given
GProg
![Page 22: Outsourcing Private RAM Computation](https://reader038.vdocuments.us/reader038/viewer/2022102808/56812a98550346895d8e4c48/html5/thumbnails/22.jpg)
• Use 1-time G-RAM to garble data: GData1(D,k)
• Crucial difference: – Before: fresh key k each time.– Now: same key k, index .
• Inputs aren’t independent!– Cannot rely on “dis. ind”
security of reusable garbled circuits.
,
𝑥 ,𝑘
,
(u=(flag,
{ GProg1, , ) GInput1, ,)
}
𝑢 ,
~𝐷
![Page 23: Outsourcing Private RAM Computation](https://reader038.vdocuments.us/reader038/viewer/2022102808/56812a98550346895d8e4c48/html5/thumbnails/23.jpg)
• Circuit and “correlated” input distributions :– If [– Then
• Follows from “strong differing-inputs obf.” (heuristic).– Can garble circuits with huge output, small garbled input.
Correlated Distributional Indistinguishability
![Page 24: Outsourcing Private RAM Computation](https://reader038.vdocuments.us/reader038/viewer/2022102808/56812a98550346895d8e4c48/html5/thumbnails/24.jpg)
• Theorem: Get reusable garbled RAM where:– Garble, evaluate program: O(RAM run-time P).– Garble input = O( input + output size).
assuming “ind. obfuscation” + stat. sound NIZK.
• Theorem: Get reusable garbled RAM with persistent memory where:– garble data = O( data size) – garble program = O( description size P )– garble input = O( input + output size)– evaluate = O( RAM run-time P)assuming “strong differing-inputs obfuscation” (heuristic).
![Page 25: Outsourcing Private RAM Computation](https://reader038.vdocuments.us/reader038/viewer/2022102808/56812a98550346895d8e4c48/html5/thumbnails/25.jpg)
Outsourcing via Reusable G-RAM
• Client garbles program – Pre-processing = run-time
• Client repeatedly garbles inputs .• Server evaluates on to get .– Evaluation time = run-time )
Client Server
𝑦 𝑖=𝑃 (𝑥 𝑖)
~𝐷
~𝑃
~𝑥 𝑖
[ data ].
[ using ]
![Page 26: Outsourcing Private RAM Computation](https://reader038.vdocuments.us/reader038/viewer/2022102808/56812a98550346895d8e4c48/html5/thumbnails/26.jpg)
• Client learns . Server sends it back (+1 round = optimal). • Output privacy: set = encryption of real output. Server
sends back .• Verifiability: includes (one-time) MAC of real output.
Client Server
𝑦 𝑖=𝑃 (𝑥 𝑖)
~𝐷
~𝑃
~𝑥 𝑖
Outsourcing via Reusable G-RAM
![Page 27: Outsourcing Private RAM Computation](https://reader038.vdocuments.us/reader038/viewer/2022102808/56812a98550346895d8e4c48/html5/thumbnails/27.jpg)
Don’t turn me into a circuit!
Thank You!