Results 1  10
of
19
Computationtrace indistinguishability obfuscation and its applications
, 2015
"... We introduce a new, instancebased notion of indistinguishability obfuscation, called computationtrace indistinguishability obfuscation (CiO), for (parallel) RAM computation. CiO only obfuscates a fixed, single computation instance, as opposed to iO which obfuscates a function on all input instance ..."
Abstract

Cited by 9 (2 self)
 Add to MetaCart
We introduce a new, instancebased notion of indistinguishability obfuscation, called computationtrace indistinguishability obfuscation (CiO), for (parallel) RAM computation. CiO only obfuscates a fixed, single computation instance, as opposed to iO which obfuscates a function on all input instances. Specifically, for Π defined by (P, x) consisting of a (parallel) RAM program P and an input x, the obfuscations of two instances Π and Π ′ are required to be indistinguishable only when the execution of Π and Π ′ generate an identical computation trace; namely, identical sequences of CPU states and memory content. On the other hand, we require the obfuscation to be (i) fully succinct: the runtime of the obfuscator (and thus the size of the obfuscated instance) depends only on the description and input/output size of Π, but is independent of the time and space complexities of Π, and (ii) efficiency preserving: the obfuscated instance is a (parallel) RAM program that preserves parallel/total time and space complexities of Π up to polylogarithmic factors. As our main results, we construct CiO for parallel RAM (PRAM) computation based on iO for circuits and oneway functions, and demonstrate the power of CiO by the following applications. • With digital signatures, our CiO for PRAM immediately implies the first twomessage (publiclyverifiable) delegation scheme for outsourcing PRAM computation, where the delegator’s runtime de
Blackbox garbled RAM
 In Annual Symposium on Foundations of Computer Science, FOCS
, 2015
"... Garbled RAM, introduced by Lu and Ostrovsky, enables the task of garbling a RAM (Random Access Machine) program directly, there by avoiding the inefficient process of first converting it into a circuit. Garbled RAM can be seen as a RAM analogue of Yao’s garbled circuit construction, except that know ..."
Abstract

Cited by 3 (1 self)
 Add to MetaCart
Garbled RAM, introduced by Lu and Ostrovsky, enables the task of garbling a RAM (Random Access Machine) program directly, there by avoiding the inefficient process of first converting it into a circuit. Garbled RAM can be seen as a RAM analogue of Yao’s garbled circuit construction, except that known realizations of Garbled RAM make nonblackbox use of the underlying cryptographic primitives. In this paper we remove this limitation and provide the first blackbox construction of Garbled RAM with polylogarithmic overhead. Our scheme allows for garbling multiple RAM programs being executed on a persistent database and its security is based only on the existence of oneway functions. We also obtain the first secure RAM computation protocol that is both constant round and makes only blackbox use of oneway functions in the OThybrid model.
Protecting obfuscation against arithmetic attacks
, 2014
"... Recently, the work of Garg et al. (FOCS 2013) gave the first candidate generalpurpose obfuscator. This construction is built upon multilinear maps, also called a graded encoding scheme. Several subsequent works have shown that variants of this obfuscator achieves the highest notion of security (VB ..."
Abstract

Cited by 3 (2 self)
 Add to MetaCart
Recently, the work of Garg et al. (FOCS 2013) gave the first candidate generalpurpose obfuscator. This construction is built upon multilinear maps, also called a graded encoding scheme. Several subsequent works have shown that variants of this obfuscator achieves the highest notion of security (VBB security) against “purely algebraic ” attacks, namely attacks that respect the restrictions of the graded encoding scheme. While important, the scope of these works is somewhat limited due to the strong restrictions imposed on the adversary. We propose and analyze another variant of the Garg et al. obfuscator in a setting that imposes fewer restrictions on the adversary that we call the arithmetic setting. This setting captures a broader class of algebraic attacks than considered in previous works. Most notably, it allows for unlimited additions across different “levels ” of the encoding. In this setting, we present two results: • First, in the arithmetic setting where the adversary is limited to creating only multilinear polynomials, we obtain an unconditional proof of VBB security. • Second, in the arithmetic setting where the adversary can create polynomials of arbitrary degree, we prove VBB security under an assumption that is closely related to the Bounded Speedup Hypothesis of Brakerski and Rothblum (TCC 2014). We also give evidence that any unconditional proof of VBB security in this model would entail proving the algebraic analog of P 6 = NP.
Indistinguishability Obfuscation of Iterated Circuits and RAM programs
, 2014
"... A key source of inefficiency in existing obfuscation schemes is that they operate on programs represented as Boolean circuits or (with stronger assumptions and costlier constructs) as Turing machines. We bring the complexity of obfuscation down to the level of RAM programs. That is, assuming inject ..."
Abstract

Cited by 1 (0 self)
 Add to MetaCart
(Show Context)
A key source of inefficiency in existing obfuscation schemes is that they operate on programs represented as Boolean circuits or (with stronger assumptions and costlier constructs) as Turing machines. We bring the complexity of obfuscation down to the level of RAM programs. That is, assuming injective one way functions and indistinguishability obfuscators for all circuits, we construct indistinguishability obfuscators for RAM programs with the following parameters, up to polylogarithmic factors and a multiplicative factor in the security parameter: (a) The space used by the obfuscated program, as well as the initial size of the program itself, are proportional to the maximum space s used by the plaintext program on any input of the given size. (b) On each input, the runtime of the obfuscated program is proportional to s plus the runtime of the plaintext program on that input. The security loss is proportional to the number of potential inputs for the RAM program. Our construction can be plugged into practically any existing use of indistinguishability obfuscation, such as delegation of computation, functional encryption, noninteractive zeroknowledge, and multiparty computation protocols, resulting in significant efficiency gains. It also gives the first succinct and efficient onetime garbled RAM scheme. The size of the garbled RAM is proportional to the maximum
Succinct Garbling Schemes and Applications
, 2014
"... Assuming the existence of iO for P/poly and oneway functions, we show how to succinctly garble boundedspace computations (BSC) M: the size of the garbled program (as well as the time needed to generate the garbling) only depends on the size and space (including the input and output) complexity of ..."
Abstract

Cited by 1 (0 self)
 Add to MetaCart
(Show Context)
Assuming the existence of iO for P/poly and oneway functions, we show how to succinctly garble boundedspace computations (BSC) M: the size of the garbled program (as well as the time needed to generate the garbling) only depends on the size and space (including the input and output) complexity of M, but not its running time. The key conceptual insight behind this construction is a method for using iO to “compress ” a computation that can be performed piecemeal, without revealing anything about it. As corollaries of our succinct garbling scheme, we demonstrate the following: • functional encryption for BSC from iO for P/poly and oneway functions; • reusable succinct garbling schemes for BSC from iO for P/poly and oneway functions; • succinct iO for BSC from subexponentiallysecure iO for P/poly and subexponentially secure oneway functions; • (Perfect NIZK) SNARGS for bounded space and witness NP from subexponentiallysecure iO for P/poly and subexponentiallysecure oneway functions. Previously such primitives were only know to exists based on “knowledgebased ” assumptions (such as SNARKs and/or differinginput obfuscation). We finally demonstrate the first (nonsuccinct) iO for RAM programs with bounded input and output lengths, that has polylogarithmic overhead, based on the existence of subexponentiallysecure iO for P/poly and subexponentiallysecure oneway functions.
Succinct Randomized Encodings and their Applications∗
, 2014
"... A randomized encoding allows to represent a “complex ” function f(x) by a “simpler ” randomized function f̂(x; r) whose output distribution encodes f(x), while revealing nothing else regarding x. Existing randomized encodings, geared mostly to allow encoding with low parallel complexity, have prove ..."
Abstract

Cited by 1 (0 self)
 Add to MetaCart
(Show Context)
A randomized encoding allows to represent a “complex ” function f(x) by a “simpler ” randomized function f̂(x; r) whose output distribution encodes f(x), while revealing nothing else regarding x. Existing randomized encodings, geared mostly to allow encoding with low parallel complexity, have proven instrumental in various strong applications such as multiparty computation and parallel cryptography. This work focuses on another natural complexity measure: the time required to encode. We construct succinct randomized encodings where a computation given by a (Turing or randomaccess) machine M, and input x, requiring time t and space s, can be encoded roughly in time poly(x, log t, s), thus inducing significant savings in time when s t. The scheme guarantees computational inputprivacy and is based on indistinguishability obfuscation for a relatively simple circuit class, which can in turn be based on a polynomial version of the subgroup elimination assumption on multilinear graded encodings. We then invoke succinct randomized encodings to obtain several strong applications, including: • Indistinguishability obfuscation for uniform (Turing or randomaccess) machines, where the obfuscated machine iO(M) computes the same function as M for inputs x of apriorifixed maximal size n, and is computed in time poly(n, log t, s).
Delegating RAM Computations with Adaptive Soundness and Privacy
, 2015
"... We consider the problem of delegating RAM computations over persistent databases: A user wishes to delegate a sequence of computations over a database to a server, where each compuation may read and modify the database and the modifications persist between computations. For the efficiency of the se ..."
Abstract

Cited by 1 (1 self)
 Add to MetaCart
(Show Context)
We consider the problem of delegating RAM computations over persistent databases: A user wishes to delegate a sequence of computations over a database to a server, where each compuation may read and modify the database and the modifications persist between computations. For the efficiency of the server, it is important that computations are modeled as RAM programs, for their runtime may be sublinear in the size of the database. Two security needs arise in this context: Ensuring Intergrity, by designing means for the server to compute short proofs that allows the user to efficiently verify the correctness of the server computation, and privacy, providing means for the user to hide his private databases and programs from a malicious server. In this work, we aim to address both security needs, especially in the stringent, adaptive, setting, where the sequence of RAM computations are (potentially) chosen adaptively by a malicious server depending on the messages from an honest user. To this end, we construct the first RAM delegation scheme achieving both adaptive
A Framework for Outsourcing of Secure Computation (Draft Version)
"... Abstract We study the problem of how to efficiently outsource a sensitive computation on secret inputs to a number of untrusted workers, under the assumption that at least one worker is honest. In our setting there is a number of clients C1,..., Cn with inputs x1,..., xn. The clients want to delegat ..."
Abstract
 Add to MetaCart
Abstract We study the problem of how to efficiently outsource a sensitive computation on secret inputs to a number of untrusted workers, under the assumption that at least one worker is honest. In our setting there is a number of clients C1,..., Cn with inputs x1,..., xn. The clients want to delegate a secure computation of f(x1,..., xn) to a set of untrusted workers W1,...,Wm. We want do so in such a way that as long at there is at least one honest worker (and everyone else might be actively corrupted) the following holds 1) the privacy of the inputs is preserved 2) the output of the computation is correct (in particular workers cannot change the inputs of honest clients). We propose a solution where the clients ’ work is minimal and the interaction pattern simple (one message to upload inputs, one to receive results), while at the same time reducing the overhead for the workers to a minimum. Our solution is generic and can be instantiated with any underlying reactive MPC protocol where linear operations are “for free”. In contrast previous solutions were less generic and could only be instantiated for specific numbers of clients/workers. 1
Oblivious Parallel RAM and Applications
, 2015
"... We initiate the study of cryptography for parallel RAM (PRAM) programs. The PRAM model captures modern multicore architectures and cluster computing models, where several processors execute in parallel and make accesses to shared memory, and provides the “best of both ” circuit and RAM models, supp ..."
Abstract
 Add to MetaCart
We initiate the study of cryptography for parallel RAM (PRAM) programs. The PRAM model captures modern multicore architectures and cluster computing models, where several processors execute in parallel and make accesses to shared memory, and provides the “best of both ” circuit and RAM models, supporting both cheap random access and parallelism. We propose and attain the notion of Oblivious PRAM. We present a compiler taking any PRAM into one whose distribution of memory accesses is statistically independent of the data (with negligible error), while only incurring a polylogarithmic slowdown (in both total and parallel complexity). We discuss applications of such a compiler, building upon recent advances relying on Oblivious (sequential) RAM (Goldreich Ostrovsky JACM’12). In particular, we demonstrate the construction of a garbled PRAM compiler based on an OPRAM compiler and secure identitybased encryption.
Oblivious Network RAM and Leveraging Parallelism to Achieve Obliviousness
"... Abstract. Oblivious RAM (ORAM) is a cryptographic primitive that allows a trusted CPU to securely access untrusted memory, such that the access patterns reveal nothing about sensitive data. ORAM is known to have broad applications in secure processor design and secure multiparty computation for big ..."
Abstract
 Add to MetaCart
Abstract. Oblivious RAM (ORAM) is a cryptographic primitive that allows a trusted CPU to securely access untrusted memory, such that the access patterns reveal nothing about sensitive data. ORAM is known to have broad applications in secure processor design and secure multiparty computation for big data. Unfortunately, due to a logarithmic lower bound by Goldreich and Ostrovsky (Journal of the ACM, ’96), ORAM is bound to incur a moderate cost in practice. In particular, with the latest developments in ORAM constructions, we are quickly approaching this limit, and the room for performance improvement is small. In this paper, we consider new models of computation in which the cost of obliviousness can be fundamentally reduced in comparison with the standard ORAM model. We propose the Oblivious Network RAM model of computation, where a CPU communicates with multiple memory banks, such that the adversary observes only which bank the CPU is communicating with, but not the address offset within each memory bank. In other words, obliviousness within each bank comes for free—either because the architecture prevents a malicious party from