How to Efficiently Evaluate RAM Programs with Malicious Security [chapter]

Arash Afshar, Zhangxiang Hu, Payman Mohassel, Mike Rosulek
2015 Lecture Notes in Computer Science  
Secure 2-party computation (2PC) is becoming practical for some applications. However, most approaches are limited by the fact that the desired functionality must be represented as a boolean circuit. In response, random-access machines (RAM programs) have recently been investigated as a promising alternative representation. In this work, we present the first practical protocols for evaluating RAM programs with security against malicious adversaries. A useful efficiency measure is to divide the
more » ... ost of malicious-secure evaluation of f by the cost of semi-honest-secure evaluation of f . Our RAM protocols achieve ratios matching the state of the art for circuit-based 2PC. For statistical security 2 −s , our protocol without preprocessing achieves a ratio of s; our online-offline protocol has a pre-processing phase and achieves online ratio ∼ 2s/ log T , where T is the total execution time of the RAM program. To summarize, our solutions show that the "extra overhead" of obtaining malicious security for RAM programs (beyond what is needed for circuits) is minimal and does not grow with the running time of the program. sequence of ORAM instructions using traditional circuit-based 2PC phases. More precisely, they use existing circuit-based MPC to (1) initialize and setup the ORAM, a one-time computation with cost proportional to the memory size, (2) evaluate the next-instruction circuit which outputs "shares" of the RAM program's internal state, the next memory operations (read/write), the location to access, and the data value in case of a write. All of these existing solutions provide security only against semi-honest adversaries. Challenges for malicious-secure RAM evaluation. It is possible to take a semi-honest secure protocol for RAM evaluation (e.g., [GKK + 12]) and adapt it to the malicious setting using standard techniques. Doing so naïvely, however, would result in several major inefficiencies that are avoidable. We point out three significant challenges for efficient, malicious-secure RAM evaluation: 1: Integrity and consistency of state information, by which we mean both the RAM's small internal state and its large memory both of which are passed from one CPU step to the next. A natural approach for handling internal state is to have parties hold secret shares of the state (as in [GKK + 12]), which they provide as input to a secure evaluation of the next-instruction circuit. Using standard techniques for malicious-secure SFE, it would incur significant overhead in the form of oblivious transfers and consistency checks to deal with state information as inputs to the circuit. A natural approach suitable for handling RAM memory is to evaluate an Oblivious RAM that encrypts its memory contents. In this approach, the parties must evaluate a next-instruction circuit that includes both encryption and decryption sub-circuits. Evaluating a block cipher's circuit securely against malicious adversaries is already rather expensive [KsS12] , and this approach essentially asks the parties to do so at every time-step, even when the original RAM's behavior is non-cryptographic. Additional techniques are needed to detect any tampering of data by either participant, such as computing/verifying a MAC of each memory location access inside the circuit or computing a "shared" Merkle-tree on top of the memory in order to check its consistency after each access. All these solutions incur major overhead when state is passed or memory is accessed and are hence prohibitively expensive (see Appendix A for a concrete example). 2: Compatibility with batch execution and input-recovery techniques. In a secure computation, every input bit must be "touched" at some point. Oblivious RAM programs address this with a pre-processing phase that "touches" the entire (large) RAM memory, after which the computation need not "touch" every bit of memory. Since an offline phase is already inevitable for ORAMs, we would like to use such a phase to further increase the efficiency of the online phase of the secure evaluation protocol. In particular, recent techniques of [HKK + 14, LR14] suggest that pre-processing/batching garbled circuits can lead to significant efficiency improvement for secure evaluation of circuits. The fact that the ORAM next-instruction circuits are used at every timestep and are known a priori makes the use of batch execution techniques even more critical. Another recent technique, called input-recovery [Lin13], reduces the number of garbled circuits in cutand-choose by a factor of 3 by only requiring that at least one of the evaluated circuits is correct (as opposed to the majority). This is achieved by running an input-recovery step at the end of computation that recover's the garbler's private input in case he cheats in more than one evaluated circuit. The evaluator then uses the private input to do the computation on his own. A natural applications of this technique in case of RAM programs, would require running the input-recovering step after every timestep which would be highly inefficient (see Appendix A for a concrete example). 3: Run-time dependence. The above issues are common to any computation that involves persistent, secret internal state across several rounds of inputs/outputs (any so-called reactive functionality). RAM programs present an additional challenge, in that only part of memory is accessed at each step, and furthermore these memory locations are determined only at run-time. In particular, it is non-trivial to reconcile run-time data dependence with offline batching optimizations. Our approach: In a RAM computation, both the memory and internal state need to be secret and resist tampering by a malicious adversary. As mentioned above, the obvious solutions to these problem all incur major overhead whenever state is passed from one execution to the next or memory is accessed. We bypass all these overheads and obtain secrecy and tamper-resistance essentially for free. Our insight is that these are properties also shared by wire labels in most garbling schemes -they hide the associated logical value, and, given only one wire label, it is hard to "guess" the corresponding complementary label.
doi:10.1007/978-3-662-46800-5_27 fatcat:2syqr44de5ep7h2a2sjljsdsty