Track: Secure Computation
Use the red “Join on YouTube” button above to join the livestream. If you cannot see this button, make sure you are logged in (see the upper-right corner of your screen).
Session Chair: Dan Roche
- Computation on Encrypted Data using Dataflow Authentication
- A Tale of Two Trees: One Writes, and Other Reads. Optimized Oblivious Accesses to Large-Scale Blockchains
- SqORAM: Read-Optimized Sequential Write-Only Oblivious RAM
- Self-Processing Sensor Data via Garbled Encryption
Andreas Fischer (SAP Security Research), Benny Fuhry (SAP Security Research), Florian Kerschbaum (School of Computer Science, University of Waterloo, Canada), and Eric Bodden (Heinz Nixdorf Institute, University of Paderborn, Germany)
Summary:Encrypting data before sending it to the cloud protects it against attackers, but requires the cloud to compute on encrypted data. Trusted modules, such as SGX enclaves, promise to provide a secure environment in which data can be decrypted and then processed. However, vulnerabilities in the executed program, which becomes part of the trusted code base (TCB), give attackers ample opportunity to execute arbitrary code inside the enclave.
This code can modify the dataflow of the program and leak secrets via SGX side-channels. Since any larger code base is rife with vulnerabilities, it is not a good idea to outsource entire programs to SGX enclaves. A secure alternative relying solely on cryptography would be fully homomorphic encryption. However, due to its high computational complexity it is unlikely to be adopted in the near future.
Researchers have made several proposals for transforming programs to perform encrypted computations on less powerful encryption schemes. Yet current approaches do not support programs making control-flow decisions based on encrypted data.
We introduce the concept of dataflow authentication (DFAuth) to enable such programs.
DFAuth prevents an adversary from arbitrarily deviating from the dataflow of a program.
Our technique hence offers protections against the side-channel attacks described above.
We implemented DFAuth using a novel authenticated homomorphic encryption scheme, a Java bytecode-to-bytecode compiler producing fully executable programs, and an SGX enclave running a small and program-independent TCB.
We applied DFAuth to an existing neural network that performs machine learning on sensitive medical data.
The transformation yields a neural network with encrypted weights, which can be evaluated on encrypted inputs in 0.86s.
Duc V. Le (Purdue University), Lizzy Tengana Hurtado (National University of Colombia), Adil Ahmad (Purdue University), Mohsen Minaei (Purdue University), Byoungyoung Lee (Seoul National University), and Aniket Kate (Purdue University)
Summary:This work presents T3, a trusted hardware-secured Bitcoin full client that supports efficient oblivious search/update for Bitcoin SPV clients without sacrificing the privacy of the clients. In this design, we leverage the trusted execution and attestation capabilities of a trusted execution environment (TEE) and the ability to hide access patterns of oblivious random-access machine (ORAM) to protect SPV clients’ requests from potentially malicious nodes. The key novelty ofT3lies in the optimizations introduced to conventional ORAM, tailored for expected SPV client usages. In particular, by making a natural assumption about the access patterns of SPV clients, we are able to propose a two-tree ORAM construction that overcomes the concurrency limitation associated with traditional ORAMs. We have implemented and tested our system using the current BitcoinUnspent Transaction Output (UTXO) Set. Our experiment shows that T3 is feasible to be deployed in practice while providing strong privacy and security guarantees to Bitcoin SPV clients.
Anrin Chakraborti (Stony Brook University) and Radu Sion (Stony Brook University)
Summary:Oblivious RAMs (ORAMs) allow a client to access data from an untrusted storage device without revealing the access patterns. Typically, the ORAM adversary can observe both read and write accesses. Write-only ORAMs target a more practical, multi-snapshot adversary only monitoring client writes -- typical for plausible deniability and censorship-resilient systems.
This allows write-only ORAMs to achieve significantly-better asymptotic performance. However, these apparent gains do not materialize in real deployments primarily due to the random data placement strategies used to break correlations between logical and physical namespaces, a required property for write access privacy. Random access performs poorly on both rotational disks and SSDs (often increasing wear significantly, and interfering with wear-leveling mechanisms).
In this work, we introduce SqORAM, a new locality-preserving write-only ORAM that preserves write access privacy without requiring random data access. Data blocks close to each other in the logical domain land in close proximity on the physical media. Importantly, SqORAM maintains this data locality property over time, significantly increasing read throughput.
A full Linux kernel-level implementation of SqORAM is 100x faster than non locality-preserving solutions for standard workloads and is 60-100% faster than the state-of-the-art for typical file system workloads.
Nathan Manohar (UCLA), Abhishek Jain (John Hopkins University), and Amit Sahai (UCLA)
Summary: We introduce garbled encryption, a relaxation of secret-key multi-input functional encryption (MiFE) where a function key can be used to jointly compute upon only a particular subset of all possible tuples of ciphertexts. We construct garbled encryption for general functionalities based on one-way functions. We show that garbled encryption can be used to build a self-processing private sensor data system where after a one-time trusted setup phase, sensors deployed in the field can periodically broadcast encrypted readings of private data that can be computed upon by anyone holding function keys to learn processed output, without any interaction. Such a system can be used to periodically check, e.g., whether a cluster of servers are in an "alarm" state. We implement our garbled encryption scheme and find that it performs quite well, with function evaluations in the microseconds. The performance of our scheme was tested on a standard commodity laptop.