ObliVM: A Programming Framework for Secure Computation

Chang Liu

Joint work with Xiao Shaun Wang, Kartik Nayak, Yan Huang, and Elaine Shi


Page 2

Dating: Genetically

Good match?

Not leaking their sensitive genomic data to anyone else!

Page 3

Problem Abstraction

Bob

Alice

Holds

Holds

Public function f

z = f(x, y)

Security requirement: Reveal z, but nothing more!

Page 4

Generic protocols: Low design cost, Flexible

Customized protocols: Efficient, requires Expertise

Nina Taft, Distinguished Scientist

5 researchers, 4 months to develop an (efficient) oblivious matrix factorization algorithm over secure computation

Page 5

Can generic secure computation be practical?

Challenge 1: Efficiency: time & space

Challenge 2: Programmability: for non-expert programmers

Page 6

ObliVM: Achieve the Best of Both Worlds

Programs by non-specialists achieve the performance of customized designs.

Challenge 1: Efficiency: time & space

Challenge 2: Programmability: for non-expert programmers

Page 7

Cryptographer’s favorite model: [figure: circuit of AND, XOR, OR, … gates]

Programmer’s favorite model:

    def binSearch(a, x):
        lo, hi = 0, len(a) - 1   # inclusive bounds
        res = -1
        while lo <= hi:
            mid = (lo+hi)//2
            midval = a[mid]      # access at a secret-dependent index
            if midval < x: lo = mid+1
            elif midval > x: hi = mid-1
            else:
                res = mid
                break            # found: stop instead of looping forever
        return res

Accessing a secret index may leak information!

Page 8

How do secret indexes leak information?

Breast cancer

Liver problem

Kidney problem

[figure: circuit of AND, XOR, OR, … gates; f(x, y)]

A naive solution (in generic approaches) is to linear scan through the entire memory for each memory access. Extremely Slow!

Page 9

Crypto Tool: Oblivious RAM

• Hide access patterns

• Redundancy

• Data Shuffling

• Poly-logarithmic cost per access: O(poly log N)

[Figure labels: Garbled Circuit, ORAM Scheme, Read M[i]]

[Shi, et al., 2011] Oblivious RAM with O((log N)^3) Worst-Case Cost. In ASIACRYPT 2011.

[Stefanov et al., 2013] Path ORAM: An extremely simple oblivious RAM protocol. In CCS 2013.

[Wang, et al., 2015] Circuit ORAM: On Tightness of the Goldreich-Ostrovsky Lower Bound

Page 10

Oblivious Program

[Figure labels: Source Program, Oblivious Program, Circuit; steps marked "Easy" and "Challenge!"]

Page 11

ObliVM: A Programming Framework for Oblivious Computation

1. Program-specific optimizations through static analysis [LHS-CSF’13] [LHSKH-Oakland’14] [LHMHTS-ASPLOS’15]

2. Programming abstractions for oblivious computation [LWNHS-Oakland’15]

Page 12

Example: FindMax

    int max(public int n, secret int h[]) {
        public int i = 0;
        secret int m = 0;
        while (i < n) {
            if (h[i] > m) then m = h[i];
            i++;
        }
        return m;
    }

h[] need not be in ORAM. Encryption suffices.

Page 13

Dynamic Memory Accesses: Main loop in Dijkstra

    for(int i=1; i<n; ++i) {
        int bestj = -1, bestdis = -1;
        // pick the unvisited vertex with the smallest distance
        for(int j=0; j<n; ++j)
            if(!vis[j] && (bestdis < 0 || dis[j] < bestdis)) {
                bestdis = dis[j];
                bestj = j;
            }
        vis[bestj] = 1;
        // relax the edges leaving bestj
        for(int j=0; j<n; ++j)
            if(!vis[j] && (bestdis + e[bestj][j] < dis[j]))
                dis[j] = bestdis + e[bestj][j];
    }

dis[]: Not in ORAM

vis[], e[][]: Inside ORAM

Our compiler automates this analysis

Page 14

Do we need to place all variables/data inside one ORAM?

Key observation:

Accesses that do not depend on secret inputs need not be hidden
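
The secret-index leak and naive linear-scan fix from the earlier slides, together with the key observation above, as an added example (not from the talk or from ObliVM itself): it records which indices each routine reads. `TracedArray`, `trace_of` and the sample `DB` are assumptions made for the illustration.

```python
# Added illustration, not ObliVM code. TracedArray and trace_of are hypothetical helpers.
class TracedArray:
    """List wrapper that logs every index read: the observable memory trace."""
    def __init__(self, data):
        self.data, self.trace = list(data), []
    def __len__(self):
        return len(self.data)
    def __getitem__(self, i):
        self.trace.append(i)
        return self.data[i]

def bin_search(a, x):
    """Binary search: which cells are read depends on the secret x."""
    lo, hi = 0, len(a) - 1
    while lo <= hi:
        mid = (lo + hi) // 2
        midval = a[mid]
        if midval < x:
            lo = mid + 1
        elif midval > x:
            hi = mid - 1
        else:
            return mid
    return -1

def linear_scan_read(a, secret_i):
    """Naive oblivious read: touch every cell, keep only cell secret_i."""
    out = 0
    for j in range(len(a)):
        v = a[j]
        hit = int(j == secret_i)         # 0/1 selector, a multiplexer in a circuit
        out = hit * v + (1 - hit) * out
    return out

def find_max(h, n):
    """FindMax from the slides: the index i is public, so the trace is fixed."""
    m = 0
    for i in range(n):
        m = max(m, h[i])
    return m

def trace_of(fn, data, *args):
    """Run fn over a fresh TracedArray; return (result, indices read)."""
    a = TracedArray(data)
    return fn(a, *args), a.trace

DB = [3, 8, 15, 23, 42, 57, 64, 91]      # constructed sorted sample data
if __name__ == "__main__":
    for secret in (1, 6):                # secret index; DB[secret] is the secret query
        print(trace_of(bin_search, DB, DB[secret]), trace_of(linear_scan_read, DB, secret))
```

Binary search reads indices [3, 1] for one query and [3, 5, 6] for the other, so the trace reveals the secret; the linear scan and FindMax read the same indices whatever the secret values are.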

Page 15

A memory-trace obliviousness type system ensures the security of the target program.

[LHS-CSF’13, LHSKH-Oakland’14, LHMHTS-ASPLOS’15]

[LHS-CSF’13] Memory Trace Oblivious Program Execution. In CSF 2013.

[LHSKH-Oakland’14] Automating RAM-model Secure Computation. In Oakland 2014.

[LHMHTS-ASPLOS’15] GhostRider: A Hardware-Software System for Memory Trace Oblivious Computation. In ASPLOS 2015.

Page 16

ObliVM: A Programming Framework for Oblivious Computation

1. Program-specific optimizations through static analysis [LHS-CSF’13] [LHSKH-Oakland’14] [LHMHTS-ASPLOS’15]

2. Programming abstractions for oblivious computation [LWNHS-Oakland’15]

Page 17

Analogy to Parallel Computation

Approach 1: Limited opportunities for compile-time optimizations.

[Figure labels: A program written in C; Compile]

Approach 2: MapReduce is a parallel programming abstraction.

[Figure labels: A program written in MapReduce; Compile]

Page 18

Programming Abstractions for Oblivious Computation

Approach 1: Limited opportunities for compile-time optimizations.

[Figure labels: A program written in C; Compile; Oblivious representation using ORAM]

Approach 2: We provide oblivious programming abstractions.

[Figure labels: A program written in ObliVM abstractions; Compile; Oblivious representation using ORAM (generic) and oblivious algorithms (problem specific, but efficient)]

[NWIWTS-Oakland15] [WLNHS-Oakland15]

Page 19

Programming abstractions

Oblivious algorithms

Interactions between PL and algorithms

Find common patterns, generalize into abstractions

The expected

Page 20

Programming abstractions

Oblivious algorithms

Interactions between PL and algorithms

Find common patterns, generalize into abstractions

New insights lead to new algorithms

The unexpected

The expected

Page 21

Programming abstractions

Oblivious algorithms

Interactions between PL and algorithms

Find common patterns, generalize into abstractions

New insights lead to new algorithms

The unexpected

The expected

Interactions between PL and algorithms allowed us to solve open problems in oblivious algorithms design!

• Depth-First Search

• Shortest path

• Minimum spanning tree

Page 22

Block 1 ×n

Block 2 ×m

Block 3 ×n

Loop Coalescing

Gives oblivious Dijkstra and MST for sparse graphs

Page 23

Loop Coalescing

Gives oblivious Dijkstra and MST for sparse graphs

Page 24

Hand-crafting vs. Automated Compilation

2013:

Matrix Factorization: 5 researchers, 4 months [NIWJTB-CCS’13]

Ridge Regression: 5 researchers, 3 weeks [NWIJBT-IEEE S&P ’13]

ObliVM Today (Same Tasks): 1 graduate student-day, 10x-20x better performance [LWNHS-IEEE S&P ’15] (This work)

Nina Taft, Distinguished Scientist

Page 25

Speedup for More Applications

[Figure: bar chart of speedup per application, log scale from 1 to 10^6; legend: Backend, PL, Circuit ORAM, [HKFV12]]

Applications and data sizes: Dijkstra 768KB, MST 768KB, K-Means 2MB, Heap 8GB, Map/Set 8GB, BSearch 1GB, AMS Sketch 10GB, CountMin Sketch 0.31GB

Earlier non-tree-based ORAMs perform worse than linear scans of memory

Page 26

ObliVM: Binary Search on 1GB Database

ObliVM Today: 7.3 secs/query

2 EC2 virtual cores, 60GB memory, 10MBps bandwidth

Reference point: ~24 hours in 2012 [HFKV-CCS’12]

[HFKV-CCS’12] Holzer et al. Secure Two-Party Computations in ANSI C. In CCS ’12

Page 27

ObliVM: Binary Search on 1GB Database

With cryptographic extensions (projected): 0.3 secs/query

2 EC2 virtual cores, 60GB memory, 300MBps bandwidth

Reference point: ~24 hours in 2012 [HFKV-CCS’12]

[HFKV-CCS’12] Holzer et al. Secure Two-Party Computations in ANSI C. In CCS ’12

Page 28

Overhead w.r.t. Insecure Baseline

130× slowdown

1.7×10^4× slowdown

9.3×10^6× slowdown

Distributed GWAS

K-Means

Hamming Distance

Page 29

Overhead w.r.t. Insecure Baseline

130× slowdown

1.7×10^4× slowdown

9.3×10^6× slowdown

Distributed GWAS

K-Means

Hamming Distance

Opportunities for further optimizations:

• Hardware acceleration

• Parallelism

• Faster cryptography

Page 30

ObliVM Adoption

Privacy-preserving data mining and recommendation system

Computational biology, privacy-preserving microbiome analysis

Privacy-preserving Software-Defined Networking

Cryptographic MIPS processor

iDash secure genome analysis competition (Won an “HLI Award for Secure Multiparty Computing”)

www.oblivm.com

Page 31

Future Work: From ObliVM to A Unified Programming Framework for Modern Cryptography

ObliVM: Compiling Programs into Circuits

Secure Multiparty Computation

Program Obfuscation (DARPA Safeware)

Fully Homomorphic Encryption

Functional Encryption

Verifiable Computation