Outsourcing Private RAM Computation
, 2014
Cited by 20 (1 self)
We construct the first schemes that allow a client to privately outsource arbitrary program executions to a remote server while ensuring that: (I) the client’s work is small and essentially independent of the complexity of the computation being outsourced, and (II) the server’s work is only proportional to the runtime of the computation on a random access machine (RAM), rather than its potentially much larger circuit size. Furthermore, our solutions are non-interactive and have the structure of reusable garbled RAM programs, addressing an open question of Lu and Ostrovsky (Eurocrypt 2013). We also construct schemes for an augmented variant of the above scenario, where the client can initially outsource a large private and persistent database to the server, and later outsource arbitrary program executions with read/write access to this database. Our solutions are built from non-reusable garbled RAM in conjunction with new types of reusable garbled circuits that are more efficient than prior solutions but only satisfy weaker security. For the basic setting without a persistent database, we can instantiate the required type of reusable garbled circuits from indistinguishability obfuscation or from functional encryption for circuits as a black box. For the more complex setting with a persistent database, we can instantiate the required type of reusable garbled circuits using stronger notions of obfuscation. It remains an open problem to instantiate these new types of reusable garbled circuits under weaker assumptions, possibly avoiding obfuscation altogether. We also give several extensions of our results and techniques to achieve: schemes with efficiency proportional to the input-specific RAM runtime, verifiable outsourced RAM computation, functional encryption for RAMs, and a candidate obfuscator for RAMs.
Automating Efficient RAM-Model Secure Computation
 in IEEE Symposium on Security and Privacy
, 2014
Cited by 19 (8 self)
RAM-model secure computation addresses the inherent limitations of circuit-model secure computation considered in almost all previous work. Here, we describe the first automated approach for RAM-model secure computation in the semi-honest model. We define an intermediate representation called SCVM and a corresponding type system suited for RAM-model secure computation. Leveraging compile-time optimizations, our approach achieves order-of-magnitude speedups compared to both circuit-model secure computation and the state-of-the-art RAM-model secure computation.
Fully Key-Homomorphic Encryption, Arithmetic Circuit ABE, and Compact Garbled Circuits
, 2014
Cited by 19 (2 self)
We construct the first (key-policy) attribute-based encryption (ABE) system with short secret keys: the size of keys in our system depends only on the depth of the policy circuit, not its size. Our constructions extend naturally to arithmetic circuits with arbitrary fan-in gates, thereby further reducing the circuit depth. Building on this ABE system we obtain the first reusable circuit garbling scheme that produces garbled circuits whose size is the same as the original circuit plus an additive poly(λ, d) bits, where λ is the security parameter and d is the circuit depth. Save the additive poly(λ, d) factor, this is the best one could hope for. All previous constructions incurred a multiplicative poly(λ) blowup. As another application, we obtain (single-key secure) functional encryption with short secret keys. We construct our attribute-based system using a mechanism we call fully key-homomorphic encryption, which is a public-key system that lets anyone translate a ciphertext encrypted under a public key x into a ciphertext encrypted under the public key (f(x), f) of the same plaintext, for any efficiently computable f. We show that this mechanism gives an ABE with short keys. Security is based on the subexponential hardness of the learning with errors problem. We also present a second (key-policy) ABE, using multilinear maps, with short ciphertexts: an encryption to an attribute vector x is the size of x plus poly(λ, d) additional bits. This gives a reusable circuit garbling scheme where the size of the garbled input is short, namely the same as that of the original input, plus a poly(λ, d) factor.
How to Run Turing Machines on Encrypted Data
Cited by 15 (1 self)
Algorithms for computing on encrypted data promise to be a fundamental building block of cryptography. The way one models such algorithms has a crucial effect on the efficiency and usefulness of the resulting cryptographic schemes. As of today, almost all known schemes for fully homomorphic encryption, functional encryption, and garbling schemes work by modeling algorithms as circuits rather than as Turing machines. As a consequence of this modeling, evaluating an algorithm over encrypted data is as slow as the worst-case running time of that algorithm, a dire fact for many tasks. In addition, in settings where an evaluator needs a description of the algorithm itself in some “encoded” form, the cost of computing and communicating such encoding is as large as the worst-case running time of this algorithm. In this work, we construct cryptographic schemes for computing Turing machines on encrypted data that avoid the worst-case problem. Specifically, we show: – An attribute-based encryption scheme for any polynomial-time Turing machine and Random Access Machine (RAM).
Encoding Functions with Constant Online Rate or How to Compress Garbled Circuits Keys
, 2013
Cited by 14 (1 self)
Randomized encodings of functions can be used to replace a “complex” function f(x) by a “simpler” randomized mapping f̂(x; r) whose output distribution on an input x encodes the value of f(x) and hides any other information. One desirable feature of randomized encodings is low online complexity. That is, the goal is to obtain a randomized encoding f̂ of f in which most of the output can be precomputed and published before seeing the input x. When the input x is available, it remains to publish only a short string x̂, where the online complexity of computing x̂ is independent of (and is typically much smaller than) the complexity of computing f. Yao’s garbled circuit construction gives rise to such randomized encodings in which the online part x̂ consists of n encryption keys of length κ each, where n = |x| and κ is a security parameter. Thus, the online rate |x̂|/|x| of this encoding is proportional to the security parameter κ. In this paper, we show that the online rate can be dramatically improved. Specifically, we show how to encode any polynomial-time computable function f: {0, 1}^n → {0, 1}^{m(n)} with online rate of 1 + o(1) and with nearly linear online computation. More concretely, the online part x̂ consists of an n-bit string and a single encryption key. These constructions can be based on
Semantically Secure Order-Revealing Encryption: Multi-Input Functional Encryption Without Obfuscation
Cited by 9 (1 self)
Deciding “greater-than” relations among data items just given their encryptions is at the heart of search algorithms on encrypted data, most notably, non-interactive binary search on encrypted data. Order-preserving encryption provides one solution, but provably provides only limited security guarantees. Two-input functional encryption is another approach, but requires the full power of obfuscation machinery and is currently not implementable. We construct the first implementable encryption system supporting greater-than comparisons on encrypted data that provides the “best-possible” semantic security. In our scheme there is a public algorithm that, given two ciphertexts as input, reveals the order of the corresponding plaintexts and nothing else. Our constructions are inspired by obfuscation techniques, but do not use obfuscation. For example, to compare two 16-bit encrypted values (e.g., salaries or age) we only need a 9-way multilinear map. More generally, comparing k-bit values requires only a (k/2 + 1)-way multilinear map. The required degree of multilinearity can be further reduced, but at the cost of increasing ciphertext size. Beyond comparisons, our results give an implementable secret-key multi-input functional encryption scheme for functionalities that can be expressed as (generalized) branching programs of polynomial length and width. Comparisons are a special case of this class, where for k-bit inputs the branching program is of length k + 1 and width 4.
Oblivious Data Structures
Cited by 7 (1 self)
We are among the first to systematically investigate (memory-trace) oblivious data structures. We propose a framework for constructing a variety of oblivious data structures, achieving asymptotic performance gains in comparison with generic Oblivious RAM (ORAM). We evaluate the performance of our oblivious data structures in terms of their bandwidth overheads, and also when applied to a secure computation setting. Finally, we leverage our new framework to design an efficient oblivious memory allocator, which is particularly useful due to the community’s recent efforts in compiling programs targeting ORAM-capable secure processors.
Fully succinct garbled RAM
 IACR Cryptology ePrint Archive
, 2015
Cited by 4 (1 self)
We construct the first fully succinct garbling scheme for RAM programs, assuming the existence of indistinguishability obfuscation for circuits and one-way functions. That is, the size, space requirements, and runtime of the garbled program are the same as those of the input program, up to polylogarithmic factors and a polynomial in the security parameter. The scheme can be used to construct indistinguishability obfuscators for RAM programs with comparable efficiency, at the price of requiring subexponential security of the underlying primitives. In particular, this opens the door to obfuscated computations that are sublinear in the length of their inputs. The scheme builds on the recent schemes of Koppula-Lewko-Waters and Canetti-Holmgren-Jain-Vaikuntanathan [STOC 15]. A key technical challenge here is how to combine the fixed-prefix technique of KLW, which was developed for deterministic programs, with randomized Oblivious RAM techniques. To overcome that, we develop a method for arguing about the indistinguishability of two obfuscated randomized programs that use correlated randomness. Along the way, we also define and construct
Black-Box Garbled RAM
 In Annual Symposium on Foundations of Computer Science, FOCS
, 2015
Cited by 3 (1 self)
Garbled RAM, introduced by Lu and Ostrovsky, enables the task of garbling a RAM (Random Access Machine) program directly, thereby avoiding the inefficient process of first converting it into a circuit. Garbled RAM can be seen as a RAM analogue of Yao’s garbled circuit construction, except that known realizations of Garbled RAM make non-black-box use of the underlying cryptographic primitives. In this paper we remove this limitation and provide the first black-box construction of Garbled RAM with polylogarithmic overhead. Our scheme allows for garbling multiple RAM programs being executed on a persistent database, and its security is based only on the existence of one-way functions. We also obtain the first secure RAM computation protocol that is both constant round and makes only black-box use of one-way functions in the OT-hybrid model.
Reuse It Or Lose It: More Efficient Secure Computation Through Reuse of Encrypted Values
Cited by 3 (1 self)
Two-party secure-function evaluation (SFE) has become significantly more feasible, even on resource-constrained devices, because of advances in server-aided computation systems. However, there are still bottlenecks, particularly in the input-validation stage of a computation. Moreover, SFE research has not yet devoted sufficient attention to the important problem of retaining state after a computation has been performed so that expensive processing does not have to be repeated if a similar computation is done again. This paper presents PartialGC, an SFE system that allows the reuse of encrypted values generated during a garbled-circuit computation. We show that using PartialGC can reduce computation time by as much as 96% and bandwidth by as much as 98% in comparison with previous outsourcing schemes for secure computation. We demonstrate the feasibility of our approach with two sets of experiments, one in which the garbled circuit is evaluated on a mobile device and one in which it is evaluated on a server. We also use PartialGC to build a privacy-preserving “friend-finder” application for Android. The reuse of previous inputs to allow stateful evaluation represents a new way of looking at SFE and further reduces computational barriers.