Yao's Garbled Circuit protocol allows two parties to jointly compute a function on their private inputs without revealing the inputs. The document discusses how to construct an encrypted AND gate as part of a garbled circuit to hide the parties' inputs. It also describes optimizations like TinyGarble that adapt hardware synthesis techniques to generate compact sequential garbled circuits in order to improve scalability for secure computation. Finally, it mentions oblivious RAM techniques like dummy accesses that aim to hide the access pattern to outsourced data storage and prevent frequency analysis attacks.
2. Secure Computing
• Nowadays, the concept of computation outsourcing is widespread
• Especially for mobile
• How can we ensure confidentiality?
[Figure: Client and Server, Outsourced Computing; Trusted Computing Base: CPU, Memory]
3. Threat Model
• Securely Outsourcing Data - Store, access, and update data on an untrusted server.
• What does "untrusted" mean?
• Honest – the server never modifies the data; integrity is OK
• Curious – the server tries to monitor the data access; not confidential
4. Secure Function Evaluation
[Figure: Untrusted zone (Server) and Trusted zone (Client)]
• How to hide the data content?
• Simple encryption?
• No, the other party needs to do some computation on the data
• Secure function evaluation (SFE)
• How two parties can collaborate to correctly compute a function without revealing their inputs to the function
• E.g. Yao’s Garbled Circuit, homomorphic encryption
5. Yao’s Garbled Circuit
• A method that enables two parties with private inputs x and y to jointly compute a function f(x,y)
• Privacy - Nothing is learned from the protocol other than the output
• Based on the Boolean circuit
• A garbled Boolean circuit is a collection of garbled Boolean gates.
• Construct the entire garbled circuit from the Boolean circuit
6. AND Gate
Truth table (x and y are the INPUT wires, z is the OUTPUT wire):
x  y  z
0  0  0
0  1  0
1  0  0
1  1  1
7. Encrypted AND Gate
• For each wire x, y, z, specify two random values, corresponding to 0 and 1
Wire  Value 0  Value 1
x     kx0      kx1
y     ky0      ky1
z     kz0      kz1
8. Construct GCT
• Garbled Computation Table (GCT)
• “associate” kz0, kz1 with kx0, kx1, ky0, ky1
• Given two input keys kxa and kyb, only one row of the GCT can be decrypted correctly, namely: E_kxa(E_kyb(kz_g(a,b))), the output key for g(a,b) encrypted under both input keys.
9. Construction of a Garbled Gate
1. Alice picks two random keys for each wire, thus she has 6 keys in total
2. She encrypts each row of the table, creating the GCT
10. Transfer Data to Untrusted User
• She permutes it (rearranges it), so that the key’s position reveals nothing about the value that it is associated with.
• She sends it over to Bob, along with her input key kb′, with b′ her input value.
11. Evaluation of the Secret Function
• Bob now has kb′, kb and the GCT, and he can compute the gate by decrypting the GCT.
• He can decrypt only one line of the GCT, exactly because of its construction.
• He sends the output kz_g(b′,b) to Alice and the computation of the garbled gate is over.
12.
• What does Alice have in the end?
• What can Bob observe?
• GCT
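A worked garbling of the AND gate from slides 7 to 11, as an added example (not code from the slides or from any garbled-circuit library): each truth-table row is encrypted under the two input labels with a hash-derived pad, a zero tag lets the evaluator recognise the single row that decrypts, and the rows are shuffled so their position reveals nothing. The 16-byte label size and the SHA-256 pad are my assumptions, and Bob is simply handed his own label rather than obtaining it by oblivious transfer.

```python
import hashlib
import secrets

KEY_LEN = 16  # bytes per wire label (constructed parameter, not from the slides)


def new_wire():
    """Two random labels per wire: index 0 stands for bit 0, index 1 for bit 1."""
    return (secrets.token_bytes(KEY_LEN), secrets.token_bytes(KEY_LEN))


def row_pad(ka, kb):
    """Pad derived from both input labels; long enough for an output label plus a zero tag."""
    return hashlib.sha256(ka + kb).digest()[:2 * KEY_LEN]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def garble_and(kx, ky, kz):
    """Alice's side: encrypt every row of the AND table under its two input labels, then permute."""
    table = []
    for a in (0, 1):
        for b in (0, 1):
            out_label = kz[a & b]                      # g(a, b) = a AND b selects kz0 or kz1
            plaintext = out_label + bytes(KEY_LEN)     # zero tag so the evaluator can spot the right row
            table.append(xor(row_pad(kx[a], ky[b]), plaintext))
    secrets.SystemRandom().shuffle(table)              # row position now reveals nothing about (a, b)
    return table


def evaluate(table, kxa, kyb):
    """Bob's side: only the row encrypted under exactly these two labels yields a zero tag."""
    pad = row_pad(kxa, kyb)
    hits = [xor(pad, row)[:KEY_LEN] for row in table
            if xor(pad, row)[KEY_LEN:] == bytes(KEY_LEN)]
    return hits[0] if len(hits) == 1 else None         # None: wrong labels, nothing decrypts


def run_gate(a, b):
    """Whole exchange for one gate; Alice maps the returned label back to a bit."""
    kx, ky, kz = new_wire(), new_wire(), new_wire()
    gct = garble_and(kx, ky, kz)
    out = evaluate(gct, kx[a], ky[b])
    return kz.index(out)
```

Bob learns only a label he cannot interpret; Alice, who knows which of kz0 and kz1 it is, learns the output bit.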
13. Yao’s Garbled Circuit
• Yao’s Garbled Circuit can do simple computation
• We can construct more complicated circuits from the simplest ones
• Without the limitation of space and time, Yao’s Garbled Circuit can help us do any computation
• Without revealing the input data
18. Sequential Circuit
• Combinational circuit
• Outputs are functions of the inputs only
• Sequential circuit
• Outputs are functions of both the inputs and the circuit state
20. Summary
• Adaptation of established HDL synthesis techniques to compile and optimize a function into a netlist of gates for use in secure computation protocols
• Bring traditional circuit optimization to the construction of garbled circuits
21. Secure Enough?
• Now, the data can be stored in the untrusted storage, with some simple computation
• But the access trace may leave some clues
• E.g. only a few clients will access a certain field
• Therefore, we want to hide the access trace next.
23. Core Concept
• Dummy Read
• Read multiple data at once, so the attacker cannot guess the real data
• Dummy Write
• To make reads and writes indistinguishable, every operation contains both a read and a write operation
• After a read, a block must relocate
• If we leave data in a fixed location, it is open to frequency analysis
• Against frequency analysis
24. Path ORAM
• Data in memory is organized in a binary tree format
• Each node is called a bucket, which can store several data blocks
• The CPU maintains the private information, the position map
• The position map stores the path on which the corresponding data is located
25. Basic Format
[Figure: memory holds a binary tree of buckets containing d0 ... d8, with leaf paths numbered 0, 1, 2, 3; the CPU holds the position map (d1 → path 1, d5 → path 2)]
D1 is saved in some node on path 1
26. Read A Data Record D1
[Figure: same tree of buckets d0 ... d8 and paths 0, 1, 2, 3; position map (d1 → path 1, d5 → path 2)]
We can find D1 along path 1
27. Reinjection of the Data
[Figure: same tree of buckets d0 ... d8 and paths 0, 1, 2, 3; position map now (d1 → path 2, d5 → path 2)]
Choose another path
28. Reinjection of the Data
• We will move the data D1 to some node on path 2
• However, if we write some value on path 2, the attacker can observe that some data moved from path 1 to path 2
• The relationship may be revealed
• The only node where D1 can be put is the root node
29. Reinjection of the Data
[Figure: same tree of buckets d0 ... d8 and paths 0, 1, 2, 3; position map (d1 → path 2, d5 → path 2)]
Choose another path
30. Problem
• An attacker can guess that the most recently accessed block is put in the root
• The root has a bucket of limited size to store data
• To solve both problems, eviction is used
• In brief, eviction moves the overflow data into a child bucket
31. Reinjection of the Data
….
[Figure: same tree of buckets d0 ... d8 and paths 0, 1, 2, 3; position map (d1 → path 2, d5 → path 2); a dummy write on another path]
Choose another path
If the root node overflows:
1. Make a real write
2. Make the dummy write
32. Summary Path-based ORAM
1. Save data in a node along the path
• The path depends on the secret position map in the CPU
2. After each access, re-inject it onto a new path
• Also update the position map
3. Eviction
• Check the bucket size, move the overflow data towards the leaf
33. Summary Path-based ORAM
• Save data along the path
• The attacker cannot identify which one is the real data
• Re-inject the data
• Data relocation: the access history gives no information to the attacker – oblivious
• Evictions
• Move data down towards the tree leaf, leaving no relation for the attacker
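A small Path ORAM simulation of the three steps summarised above, as an added example (not the slides' code and not any paper's implementation): the tree of buckets is the untrusted memory, the position map stays on the client (the CPU of the slides), every access reads and rewrites one whole path, the block is re-injected onto a fresh random path, and eviction writes blocks back as deep as their path allows. Tree height, bucket size and block ids are constructed; the stash is my client-side buffer for the overflow that the slides describe as a full root bucket.

```python
import secrets


class PathORAM:
    """Toy Path ORAM (added example): buckets form the untrusted memory,
    position map and stash stay on the client (the CPU in the slides)."""

    def __init__(self, levels=3, bucket_size=2):
        self.levels = levels            # tree height: 2**levels leaves, one path per leaf
        self.z = bucket_size            # blocks per bucket
        self.tree = [[] for _ in range(2 ** (levels + 1) - 1)]  # untrusted memory, index 0 = root
        self.position = {}              # block id -> leaf (path); secret, held by the CPU
        self.stash = {}                 # block id -> data that did not fit on its path yet
        self.access_log = []            # what the server observes: the path touched per access

    def _path(self, leaf):
        """Bucket indices from the root down to the bucket at the given leaf."""
        node, path = leaf + 2 ** self.levels - 1, []
        while node >= 0:
            path.append(node)
            node = (node - 1) // 2 if node else -1
        return path[::-1]

    def access(self, bid, new_data=None):
        """Read (new_data is None) or write: both read the whole path and rewrite it,
        so the server cannot tell reads from writes (dummy reads and dummy writes)."""
        n_leaves = 2 ** self.levels
        leaf = self.position.setdefault(bid, secrets.randbelow(n_leaves))
        self.position[bid] = secrets.randbelow(n_leaves)   # re-inject onto a fresh random path
        path = self._path(leaf)
        self.access_log.append(leaf)
        for node in path:               # read every block on the path into the stash
            for blk, data in self.tree[node]:
                self.stash[blk] = data
            self.tree[node] = []
        old = self.stash.get(bid)
        if new_data is not None:
            self.stash[bid] = new_data
        for node in reversed(path):     # eviction: write back, each block as deep as its path allows
            for blk in list(self.stash):
                if len(self.tree[node]) < self.z and node in self._path(self.position[blk]):
                    self.tree[node].append((blk, self.stash.pop(blk)))
        return old
```

The server only ever sees the sequence of leaves in access_log, each a fresh random choice, so repeated reads of the same block do not repeat a path.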
35. Problem
• There is a gap between programmer and cryptographer
• Imperative languages
• Circuit Model
• ObliVM
• A tool to convert C-like programs to garbled circuits
36. Bridge the Gap
• ObliVM
• A tool to convert C-like programs to garbled circuits
37. Oblivious Data Structure
• Security labels
• secure int10[public 1000] keys
• This array will be secret shared but not placed in ORAMs.
• secure int10[secure 1000] keys
• This array will be placed in a secret-shared ORAM, and we allow secret indices into the array.
38. Phantom Mode Function
• The program itself must be memory- and instruction-trace oblivious
• The execution trace should be identical across executions
• Phantom Mode Function
• Executing both branches, with one branch really executed and the other executed phantomly
39. Loop Coalescing
• Transform nested loops into a single layer, using the concept of a state machine
• Translate each code block into a new state
• Simulates a state machine in which each state contains a code block
• The branching statement at the end of each code block is translated into an assignment statement that moves the state machine into the next state
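An illustration of loop coalescing combined with phantom-mode execution, as an added example (not ObliVM's own transformation or its output): a nested loop with secret bounds n and m becomes one loop over four code blocks, every step evaluates all blocks branch-free, and the state variable decides whose effects are real, so the number of steps and the operations performed are the same for every n <= N and m <= M. The counted predicate, the block layout and the public bounds N and M are my constructed assumptions.

```python
def mux(cond, a, b):
    """Branch-free select: cond is 0 or 1; both a and b are always computed."""
    return cond * a + (1 - cond) * b


def reference_count(n, m):
    """Plain nested loop: number of (i, j) with i < n, j < m and (i + j) % 3 == 0."""
    return sum(1 for i in range(n) for j in range(m) if (i + j) % 3 == 0)


def coalesced_count(n, m, N=4, M=4):
    """Same computation as a single-layer loop over a state machine (loop coalescing).
    n and m are the secret loop bounds, N and M their public upper bounds (assumed n <= N, m <= M).
    Blocks:  B0: i = 0 -> B1
             B1: if i < n: j = 0 -> B2   else -> B3
             B2: if j < m: count, j += 1 -> B2   else: i += 1 -> B1
             B3: done, stay in B3
    Every step evaluates all four blocks (phantom mode); the state picks which effects are real.
    Returns (count, steps); steps depends only on the public N and M."""
    state, i, j, acc = 0, 0, 0, 0
    steps = N * (M + 2) + 2                       # public step bound: enough for any n <= N, m <= M
    for _ in range(steps):
        s0, s1, s2 = int(state == 0), int(state == 1), int(state == 2)
        c1, c2 = int(i < n), int(j < m)           # the two branch conditions, always evaluated
        hit = int((i + j) % 3 == 0)
        acc = acc + s2 * c2 * hit                 # real only in B2 while the inner loop runs
        j_next = mux(s1, 0, j + s2 * c2)          # B1 resets j, B2 advances it
        i_next = mux(s0, 0, i + s2 * (1 - c2))    # B0 resets i, B2 advances it when the inner loop ends
        # the branch at the end of each block becomes an assignment of the next state
        state = s0 * 1 + s1 * mux(c1, 2, 3) + s2 * mux(c2, 2, 1) + int(state == 3) * 3
        i, j = i_next, j_next
    return acc, steps
```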
40. Programmer’s Abstraction
• A cryptography-expert programmer provides library support for implementing a class of pointer-based data structures
• A non-specialist programmer can implement data structures which will be compiled to efficient oblivious algorithms that outperform generic ORAM
42. Other Papers
• Privacy and Access Control for Outsourced Personal Records
• Improves the tree-based ORAM with access control capability
• GraphSC: Parallel Secure Computation Made Easy
• Develops a graph-based programming framework based on ObliVM