Oblivious Data Abstractions: Circuit Structures and Square-Root ORAM

Transcript

1. Data-Oblivious Data David Evans www.cs.virginia.edu/evans 10 May 2016

2. Plan Memory for Data-Oblivious Computation Special-Purpose Data Structures: Circuit Structures

   Aside: Programming Secure Computations: Obliv-C General-Purpose Memory: Square-Root ORAM

3. Crazy Things in Typical Code 3 a[i] = x SameeZahur

   and David Evans. Circuit Structures for Improving Efficiency of Security & Privacy Tools. IEEE Security and Privacy (Oakland) 2013.

4. Circuit for Array Update 4 a[i] = x i ==

   0 a[0] x a'[0] i == 1 a[1] x a’[1] i == 2 a[2] x a’[2] …

5. Easy (and Common) Case 5 for (i = 0; i

   < n; i++) a[i] += 1 a[0] a[1] a[2] a[n-1] … +1 +1 +1 +1

6. Locality: Stacks and Queues 6 if (x != 0) a[i]

   += 1 if (a[i] > 10) i += 1 a[i] = 5 t := a.top() + 1 a.cond_update(x != 0, t) a.cond_push(x != 0 && t > 10, *) a.cond_update(x != 0, 5) Data-oblivious code No branching allowed

7. Naïve Conditional Push 7 … p x a[0] a[1] a[2]

   … a’[0] a’[1] a’[2] …

8. Naïve Conditional Push 8 … True 7 2 9 3

   … 7 2 9 …

9. More Efficient Stack 9 Level 0: 2 9 3 t

   = 3 Level 1: 4 7 t = 2 5 4 Level 2: 8 8 2 3 8 6 … Block size = 2level Each level has 5 blocks, at least 2 full and 2 empty t = 3

10. 10 2 9 3 t = 3 4 7 t

    = 2 5 4 Level 0 t = 3 Level 1 Level 2 Conditional push (True, 7) 7 2 9 3 t = 4 4 7 t = 2 5 4 t = 3 Conditional push (True, 8) 8 7 2 9 3 t = 5 4 7 t = 2 5 4 t = 3 Shift 8 2 7 t = 3 4 7 t = 3 5 4 9 3 t = 3

11. 11 2 9 3 t = 3 4 7 t

    = 2 5 4 Level 0 t = 3 Level 1 Level 2 Conditional push (True, 7) 7 2 9 3 t = 4 4 7 t = 2 5 4 t = 3 Conditional push (True, 8) 8 7 2 9 3 t = 5 4 7 t = 2 5 4 t = 3 Shift 8 2 7 t = 3 4 7 t = 3 5 4 9 3 t = 3 Amortized Θ(log n) gates per operation

12. Efficient queue operations

13. Evaluation

14. Spatial Locality Not just for stacks and queues Access cost

    Θ log

15. Temporal Batching

16. 0 2 7 9 'A' 'U' 'M' 'R' 'D' 'Y'

    'K' 'C' Batching Array Accesses 16 m[0] = 'A' m[2] = 'U' m[9] = 'M' m[7] = 'R' m[0] = 'D' m[9] = 'Y' m[9] = 'K' m[7] = 'C' Execution trace: indexes and values are private values

17. 17 m[0] = 'A' m[2] = 'U' m[9] = 'M'

    m[7] = 'R' m[0] = 'D' m[9] = 'Y' m[9] = 'K' m[7] = 'C' Sort by Key m[0] = 'A' m[0] = 'D' m[2] = 'U' m[7] = 'R' m[7] = 'C' m[9] = 'M' m[9] = 'Y' m[9] = 'K' stable sort! Batching Updates

18. 18 m[0] = 'A' m[2] = 'U' m[9] = 'M'

    m[7] = 'R' m[0] = 'D' m[9] = 'Y' m[9] = 'K' m[7] = 'C' Sort by Key m[0] = 'A' m[0] = 'D' m[2] = 'U' m[7] = 'R' m[7] = 'C' m[9] = 'M' m[9] = 'Y' m[9] = 'K' stable sort! Batching Updates

19. 19 m[0] = 'A' m[2] = 'U' m[9] = 'M'

    m[7] = 'R' m[0] = 'D' m[9] = 'Y' m[9] = 'K' m[7] = 'C' Sort by Key m[0] = 'A' m[0] = 'D' m[2] = 'U' m[7] = 'R' m[7] = 'C' m[9] = 'M' m[9] = 'Y' m[9] = 'K' stable sort! Compare Adjacent m[0] = 'A' m[0] = 'D' m[2] = 'U' m[7] = 'R' m[7] = 'C' m[9] = 'M' m[9] = 'Y' m[9] = 'K' Batching Updates

20. 20 m[0] = 'A' m[2] = 'U' m[9] = 'M'

    m[7] = 'R' m[0] = 'D' m[9] = 'Y' m[9] = 'K' m[7] = 'C' Sort by Key m[0] = 'A' m[0] = 'D' m[2] = 'U' m[7] = 'R' m[7] = 'C' m[9] = 'M' m[9] = 'Y' m[9] = 'K' stable sort! Compare Adjacent m[0] = 'A' m[0] = 'D' m[2] = 'U' m[7] = 'R' m[7] = 'C' m[9] = 'M' m[9] = 'Y' m[9] = 'K' Batching Updates

21. 21 Batching Updates m[0] = 'A' m[2] = 'U' m[9]

    = 'M' m[7] = 'R' m[0] = 'D' m[9] = 'Y' m[9] = 'K' m[7] = 'C' Sort by Key m[0] = 'A' m[0] = 'D' m[2] = 'U' m[7] = 'R' m[7] = 'C' m[9] = 'M' m[9] = 'Y' m[9] = 'K' stable sort! Compare Adjacent m[0] = 'A' m[0] = 'D' m[2] = 'U' m[7] = 'R' m[7] = 'C' m[9] = 'M' m[9] = 'Y' m[9] = 'K'

22. 22 = 'A' = 'U' = 'M' = 'R' =

    'D' = 'Y' = 'K' = 'C' Sort by Key m[0] = 'A' m[0] = 'D' m[2] = 'U' m[7] = 'R' m[7] = 'C' m[9] = 'M' m[9] = 'Y' m[9] = 'K' stable sort! Compare Adjacent m[0] = 'A' m[0] = 'D' m[2] = 'U' m[7] = 'R' m[7] = 'C' m[9] = 'M' m[9] = 'Y' m[9] = 'K' m[0] = 'D' m[2] = 'U' m[7] = 'C' m[9] = 'K' m[0] = 'A' m[7] = 'R' m[9] = 'M' m[9] = 'Y' Sort by Liveness output wires Discarded

23. Temporal Batching Θ(n log2 n)

24. Example Application: DBScan 24 Density-based clustering: depth-first search to find

    dense clusters Martin Ester, Hans-Peter Kriegel, Jörg Sander, Xiaowei Xu. KDD 1996 Alice’s Data Bob’s Data Joint Clusters

25. 25 Private Input: P – array of points (combines private

    points from both parties) Public inputs:minpts, radius Output:cluster number for each point Conditional Push! Array update!

26. 26 0 5000 10000 15000 20000 25000 30000 35000 40000

    60 120 240 480 Execution Time (seconds) Data Size Optimized Structures Normal Data Structures 9.7 hours 55 minutes

27. Data-Oblivious Memory Specialized memory access Circuit structures, protocol agnostic Stacks,

    queues, batched map operations General random access Oblivious RAM But first…Obliv-C

28. Tools for Building Secure Computations Library-based frameworks: Circuit-level programs Full

    control Low-level programming Little type safety High-level Languages Little control High-level programming Strong type safety

29. Tools for Building Secure Computations Library-based frameworks: Circuit-level programs Full

    control Low-level programming Little type safety High-level Languages Little control High-level programming Strong type safety PICCO

30. Library-based frameworks: Circuit-level programs Full control Low-level programming Little type

    safety High-level Languages Little control High-level programming Strong type safety High-level programming Low-level customizability Helpful, escapabletype checking Tools for Building Secure Computations

31. Obliv-C

32. Obliv-C

33. Obliv-C

34. Obliv-C

35. Obliv-C #include <million.h> int main (int argc, char ∗argv[]) {

    ProtocolDesc pd; ProtocolIO io; int p = (argv[1] == ’1’ ? 1 : 2); sscanf(argv[2], "%d", &io.myinput); // ... set up TCP connections setCurrentParty(&pd, p); execYaoProtocol(&pd, millionaire, &io); printf("Result: %d\n", io->cmp); // ... cleanup }

36. Oblivious Conditionals from obinary_search

37. Actual code…with all the ugly parts

38. Escaping ~obliv(var) { … } Code inside ~obliv always executes

    regardless of oblivious condition var is Boolean: oblivious condition Programmer has control! But, not security risk: all private data is still encrypted

39. Implementing Oblivious Queue

40. None

41. http://oblivc.org/

42. Historical Excursion Journal of the ACM, January 1968

43. Delay Lines 43

44. Mercury Delay Lines 44 0/1

45. Why Mercury? 45 Speed of Sound Air 343 m/s Mercury

    1450 m/s (40° C) Water 1500 m/s (25° C)

46. Why Mercury? 46 Speed of Sound Air 343 m/s Mercury

    1450 m/s (40° C) Water 1500 m/s (25° C)

47. 47

48. 48 (In same Jan 1968 JACM as Waksman Network!)

49. 49

50. 50 MIT Project Whirlwind, 1951 2K 16-bit words with “no

    waiting”! Magnetic Core Memory

51. Oblivious RAM

52. Linear Scan Doesn’t Scale Writing a single 32-bit integer: 32

    logic gates Raw Yao’s performance ≈ 1 million gates per second Write speed ≈ 31,250 elements per second (not hiding access pattern) For hiding access pattern, 216 elements per write Around 2 seconds per access

53. SC-ORAM in Practice • Only faster than linear scan for

    large memories (> 214 blocks) • Expensive to initialize: – Repeated writes – 2 weeks! From Yan’s talk this morning

54. Circuit ORAM Access time Xiao Wang, Hubert Chan, and Elaine

    Shi. Circuit ORAM: On Tightness of the Goldreich-Ostrovsky Lower Bound. In ACM CCS 2015.

55. SC-ORAM in Practice • Only faster than linear scan for

    large memories (> 214 blocks) • Expensive to initialize: – Repeated writes – 2 weeks! From Yan’s talk this morning Circuit ORAM Square-Root ORAM

56. Results Summary (Not including initialization cost)

57. Classical Square-Root ORAM

58. Problems with SQ-ORAM Design • Requires a PRF for each

    ORAM access – PRF is a big circuit in MPC • Initialization requires PRF evaluations • Requires oblivious sort twice: – Shuffling memory according to PRF – Removing dummy blocks

59. Problems with GO’s SQ-ORAM • Requires a PRF for each

    ORAM access – PRF is a big circuit in MPC • Initialization requires PRF evaluations • Requires oblivious sort twice: – Shuffling memory according to PRF – Removing dummy blocks Solution strategy: use random permutation instead of PRF

60. Shuffling Network [Waksman 1968] Cost per shuffle: 5B

61. 4-Block ORAM

62. 4-Block ORAM Cost: 5B + B +2B +3B + …

    = 11B every 3 accesses

63. Linear scan Cost: 4B = 12B/3 Our scheme Cost: 11B/3

    Less expensive than linear scan for 4 blocks (8 with overhead)
64. None

65. Logical index/4 Logical index/2

66. Logical index/4 Logical index/2

67. Logical index/4 Logical index/2 read a[8] First Access

68. Logical index/4 Logical index/2 read a[8] First Access

69. Logical index/4 Logical index/2 read a[8] First Access

70. Logical index/4 Logical index/2 read a[8] First Access

71. Logical index/4 Logical index/2 read a[8] First Access

72. AfterFirst Access Used

73. Second Access read a[9]

74. Second Access read a[9]

75. Second Access read a[9] Randomly select unused element

76. Second Access read a[9] Randomly select unused element Randomly select

    unused element

77. Second Access read a[9] Randomly select unused element Randomly select

    unused element

78. Second Access read a[9] Randomly select unused element Randomly select

    unused element

79. After Second Access

80. Third Access read a[8]

81. Third Access read a[8]

82. Third Access read a[8]

83. Amortized cost: Θ log9 per access

84. Inexpensive (Re-)Initialization

85. None

86. Creating position map

87. Creating position map

88. Inverse permutation

89. Inverse permutation

90. 16-byte blocks 32-byte blocks Pre-Access Cost (not counting initialization)

91. 16-byte blocks 32-byte blocks Whirlwind I (1951) 30 s, 2048

    x 16-bit words

92. 16-byte blocks 32-byte blocks Z3 (1941) Whirlwind I (1951) 30

    s, 2048 x 16-bit words

93. Wall-clock time in seconds for full protocol between two EC2

    C4.2xlarge nodes (1.03 Gbps)

94. ∼32 minutes 55,000x standard execution Wall-clock time in seconds for

    full protocol between two EC2 C4.2xlarge nodes (1.03 Gbps)

95. ∼33 hours (“wikipedia” version) Improved to ∼1 hour with custom

    structures Wall-clock time in seconds for full protocol between two EC2 C4.2xlarge nodes (1.03 Gbps)

96. Open Problems • Scalability: poly-logarithmic hierarchical ORAM design • Automatic

    optimization: using custom data structures when memory access predictable • Stronger security models: active security – All results are semi-honest model • Establishing Meaningful Trust 64 KB memory 1 s access (∼2000x improvement)

97. Collaborators Samee Zahur (UVA) Jack Doerner (UVA) Adrià Gascón (U

    of Edinburgh) Jonathan Katz (U Maryland) Mariana Raykova (SRI, Yale) Xiao Wang (U Maryland) Paper: Revisiting Square-Root ORAM Efficient Random Access in Multi-Party Computation IEEE Symposium on Security and Privacy (Oakland), May 2016 http://oblivc.org/docs/sqoram.pdf Code: http://oblivc.org

98. David Evans [email protected] www.cs.virginia.edu/evans OblivC.org mightBeEvil.org