CS7380: Privacy Aware Computing
Oblivious RAM
Motivation
- Starting from software protection
- Prevent software piracy
- A valid method is to use a hardware key to protect the validity of the software; the hardware key cannot be duplicated
- Still, the memory accesses between the HW and SW components can leak information
- An attacker can deceive or skip the checking with the HW component
Basic ORAM architecture
Client, ORAM Emulator, Server
- Stores probabilistically encrypted data items
- Honest but curious
- Has cache
- Randomized access patterns cannot be distinguished from one client to another
Oblivious RAM definition
- How to protect against observation of the memory access pattern?
- Memory access is probabilistic
- The probability distribution is independent of the input
ORAM vs PIR
Trivial solution
1. Everything is in the cache, no server access
2. Or, scan the whole server memory each time
3. The client accesses each memory slot at most once, then the emulator permutes the accesses
Some theoretical results
- Theorem (1990): Any ORAM emulator must perform Omega(t log t) operations to simulate t operations
- Theorem (2010): Any ORAM emulator must either perform Omega(t log log t) operations or use storage Omega(N^(2-o(1))) on the server to simulate t operations
Practical settings
- o(N) client storage
- o(N) amortized overhead
- Handling repeated accesses to addresses

Desired optimal ORAM
- O(log N) worst-case overhead
- O(1) client storage between operations
- O(1) client memory usage during operations
- Stateless client: no need to trace historical queries
Oblivious shuffling
- Pseudo Random Permutation (PRP): a key-based generated permutation cannot be distinguished from a pure random permutation
- P(key, {1..n}) -> a unique permutation of {1..n}
- Oblivious shuffling: given a permutation, the data can be shuffled with a set of ops independent of the data or the permutation
- Using an oblivious sorting network
Example: oblivious sorting
- An array: A
- Operation: OSWAP(i, j): if A[i] > A[j], swap
- To sort 4 elements, regardless of the actual values, you can perform the following sequence of operations
1. OSWAP(1, 2), OSWAP(3, 4)
2. OSWAP(1, 3), OSWAP(2, 4)
3. OSWAP(2, 3)
Oblivious sorting
- Batcher: n log^2 n, fast in practice
- AKS: n log n, slow in practice
- Randomized shell sort: n log n, fast in practice
Key operations
- Oblivious random permutation
- Define a random mapping f: {1,2,..,n} -> {1,2,..,n log n}. Use the tag f(i) for each item i, so that pi(i) = k if f(i) is the k-th smallest in f(1)..f(n)
- Use Batcher's sorting network to sort the tags f(i) to achieve the permutation; the sequence of accesses is fixed, independent of the input
- For each access, read the pair and rewrite them (re-encrypted)
- Binary search over the sorted tags f(i) to find pi(i)
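The OSWAP network from the oblivious sorting example and the tag-based oblivious random permutation above, as an added Python example that is not from the slides. It generalizes the 4-element case to Batcher's odd-even merge sort for any power-of-two n; the function names, the 0-based indexing and the sampling of distinct tags are assumptions of this sketch, and re-encryption of the rewritten cells is left out.

```python
import random

# The slide's 4-element network, converted to 0-based indices.
SLIDE_NETWORK = [(0, 1), (2, 3), (0, 2), (1, 3), (1, 2)]

def batcher_network(n):
    """Comparators of Batcher's odd-even merge sort (n a power of two)."""
    pairs, p = [], 1
    while p < n:
        k = p
        while k >= 1:
            for j in range(k % p, n - k, 2 * k):
                for i in range(min(k, n - j - k)):
                    if (i + j) // (2 * p) == (i + j + k) // (2 * p):
                        pairs.append((i + j, i + j + k))
            k //= 2
        p *= 2
    return pairs

def oblivious_sort(items, network, key=lambda x: x, trace=None):
    """Run every OSWAP in order; the cells touched never depend on the data."""
    a = list(items)
    for i, j in network:
        if trace is not None:
            trace.append((i, j))          # what the server observes
        lo, hi = sorted((a[i], a[j]), key=key)
        a[i], a[j] = lo, hi               # both cells are rewritten either way
    return a

def oblivious_permute(items, rng):
    """Tag item i with a random f(i), then sort by tag: pi(i) is the rank of f(i)."""
    n = len(items)
    # Assumption: tags are sampled without replacement from about n log n
    # values so that ranks are unique; the slide only says "random mapping".
    tags = rng.sample(range(n * n.bit_length()), n)
    trace = []
    tagged = oblivious_sort(zip(tags, items), batcher_network(n),
                            key=lambda t: t[0], trace=trace)
    return [x for _, x in tagged], trace

if __name__ == "__main__":
    out, trace = oblivious_permute(list("ABCDEFGH"), random.Random(7))
    print(out, len(trace), "comparators")
```

For n = 4 the generated network is exactly the five OSWAP steps listed on the example slide, and the recorded trace is the same list of pairs for every input and every choice of tags.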
First solution: the square-root algorithm
1. For each access, permute the first n+ memory
2. For accessing a word, check the cached words first. If it is there, we access one of the dummy words
3. If it is not there, find the permuted location pi(i).
4. Write data into the cache
5. Reshuffle with new permutation key and flush cache after every reads
t steps of original RAM access can be simulated with t+sqrt(N) ORAM steps
Performance
Let the sizes of the cache and the dummy memory each be C
Cost:
1. Scan cache, cache length j at j-th access
2. Binary search over N+C items to find pi(i)
After C steps, reshuffle (N+C) items, which costs (N+C)log(N+C)
Client maintains the cache
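A toy model of the square-root algorithm and its cost accounting, as an added Python example that is not from the slides. It assumes C = ceil(sqrt(N)) dummy words, keeps the permutation pi in client memory instead of binary-searching sorted tags, uses a plain random shuffle as a stand-in for the oblivious shuffle, and omits encryption; the class and method names are hypothetical.

```python
import math
import random

class SqrtORAM:
    """Toy square-root ORAM: N real words plus C = ceil(sqrt(N)) dummies."""

    def __init__(self, data, seed=0):
        self.n = len(data)
        self.c = math.isqrt(self.n - 1) + 1    # ceil(sqrt(N)) for N >= 1
        self.rng = random.Random(seed)
        self.trace = []                         # physical slots the server sees
        self._reshuffle(list(data))

    def _reshuffle(self, data):
        # Stand-in for the oblivious shuffle: a fresh permutation pi of N+C slots.
        self.pi = list(range(self.n + self.c))
        self.rng.shuffle(self.pi)
        self.server = [None] * (self.n + self.c)
        for v, x in enumerate(data):
            self.server[self.pi[v]] = x         # dummy slots stay None
        self.cache = {}                         # client cache: address -> value
        self.count = 0                          # accesses since the last reshuffle

    def access(self, v, new_value=None):
        if v in self.cache:
            slot = self.pi[self.n + self.count] # hit: touch a fresh dummy word
        else:
            slot = self.pi[v]                   # miss: touch the permuted location
            self.cache[v] = self.server[slot]
        self.trace.append(slot)
        if new_value is not None:
            self.cache[v] = new_value
        result = self.cache[v]
        self.count += 1
        if self.count == self.c:                # after C accesses: flush, reshuffle
            data = [self.server[self.pi[a]] for a in range(self.n)]
            for a, x in self.cache.items():
                data[a] = x
            self._reshuffle(data)
        return result

def epoch_slots_distinct(oram):
    """True if no physical slot repeats within any epoch of C accesses."""
    epochs = [oram.trace[k:k + oram.c] for k in range(0, len(oram.trace), oram.c)]
    return all(len(set(e)) == len(e) for e in epochs)
```

Reading the same address repeatedly and scanning all addresses both produce traces in which every epoch touches C distinct slots of a freshly permuted memory, which is why the server cannot tell the two workloads apart.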
The hierarchical algorithm
- Each memory cell is modeled as (Vi, Xi): Vi is the location, Xi is the value
- Basic idea
- Consider the cache memory as a buffer; extend it to multiple levels of buffers
- Use an oblivious hash function
Hierarchical ORAM Construction
- Use a hierarchy of buffers (hash tables) of different sizes
- Server: log N "levels" for N items. Level i contains 2^i buckets. Each bucket contains log N slots.
- Client: PRP key Ki for each level.
[Figure: levels 1 to 4 with PRP keys K1 to K4; legend: data, PRP keys]
O. Goldreich and R. Ostrovsky. Software protection and simulation on oblivious RAMs. Journal of the ACM, 43(3), 1996.
- Initially load data into the lowest buckets
- For each level
- If (V, X) is already found, randomly pick a bucket to access
- Otherwise, check the next level bucket
- Put (V, X) to the 1st level (may cause overflowing to the lower levels). If the first i levels are full, move all of levels 1 to i to level i+1 and empty the first i levels
Reading
- Check the bucket h_i(V) from each level i
- Only one real match
- Remaining are dummy entries
[Figure: client and server; one real entry, the remaining entries dummy]
Writing
- Choose a new hash for level i+1
- Shuffle consecutively filled levels
- Write into the next unfilled level
- Clear the source levels
[Figure: server (before), client (shuffle values), server (after)]
Hierarchical ORAM Construction (cont’d)
- When level i overflows: pick a new PRP key for levels i and i+1, then shuffle the data in levels i and i+1 together into level i+1 using the new key
- Algorithm: Oblivious hashing*
- Aim: hash keys into buckets. The adversary cannot get information about the load factor of each bucket or the mapping between keys and buckets.
- Shuffle buffers with frequency inversely proportional to their sizes
- Level i is shuffled after every 2^i ops.
*: Ostrovsky, Rafail. "Efficient computation on oblivious RAMs." Proceedings of the twenty-second annual ACM symposium on Theory of computing. ACM, 1990.
Security
- H_i(V) is never used twice
- Once found, moved to the 1st level
- When a level overflows, it is moved to the next level with a new hash function
Cost analysis
- Time cost:
- Each level costs O(log N), with log N levels in total
- Cost per access: O(log^2 N)
- Shuffling cost: O(N log^3 N) worst case, average O(log^3 N)
- Storage cost (N log N)
Partition ORAM
- Subdivide the O-RAM into much smaller partitions
- The operations performed on the partitions can be handled much more efficiently
- Each partition is a fully functional ORAM scheme
Stefanov, Emil, Elaine Shi, and Dawn Song. "Towards practical oblivious RAM." arXiv preprint arXiv:1106.3652 (2011).
Partition ORAM (cont'd)
- Position map to track which partition each item resides in
- Cache read/updated blocks in a random partition's cache slot
- Evict items in cache slots periodically to its ORAM partition
Summary of a number of methods
Main improvements
- Storage cost
- Reshuffling
- Client-server interactions
Some recent development
- http://www.emilstefanov.net/Research/ObliviousRam/
- Oblivious storage
Performance Evaluation
- A paper in VLDB16: Oblivious RAM: A Dissection and Experimental Evaluation
- Two machines: client and server
- Client: 6GB main memory
- Server: 95GB main memory and 1TB hard disk
- Connected by 1Gbps Ethernet
- Storage engine: MongoDB on the server
- AES encryption + SHA2 hash provided by CryptoPP
- Implement different ORAM schemes in a unified testbed.
End-to-end running time
Cost of encryption/decryption
Communication overhead in bytes
Number of communication rounds
Some code
https://github.com/InitialDLab/SEAL-ORAM