As in the ordinary setting without persistent database, after obtaining CiO, which forces the obfuscated program to be executed as intended, we can extend it to RE so as to provide input and program privacy. In the persistent

Algorithm 20: $\widehat{F}^{0}_{sid}$ in CiO-PRAM with persistent database
Input: $\widetilde{st}^{in} = (sid, st^{in}, id_{cpu}, \text{root node}), \ldots$
Data: $\ldots, K_T$
1 Parse root node as before // extract $t$ from root node
2 if $sid$ is correct and $(sid, t)$ is the beginning of the session $sid$ then
3 Compute $r_{sid-1} = PRF(K_T, sid)$ and $(sk_{sid-1}, vk_{sid-1}, vk_{sid-1,rej}) = Spl.Setup(1^{\lambda}; r_{sid-1})$;
4 if $Spl.Verify(vk_{sid-1}, (sid-1, st^{in}, v^{in}, w^{in}_{st}, w^{in}_{com}), \sigma^{in}) = 0$ then output Reject;
5 Set $st^{in} = Init$;
6 . . . // Branch and Combine of CiO-PRAM
7 if all CPUs enter halt for termination then
8 Set $st^{out}$ as $cpu_1$'s state;
9 // Let $cpu_1$'s final state be the initial state of the next session
10 Compute $r_{sid} = PRF(K_T, sid)$ and $(sk_{sid}, vk_{sid}, vk_{sid,rej}) = Spl.Setup(1^{\lambda}; r_{sid})$;
11 Compute $\sigma^{out} = Spl.Sign(sk_{sid}, (sid, st^{out}, v^{out}, w^{out}_{st}, w^{out}_{com}))$;
12 Generate root node $= (t, Root, w^{out}_{st}, w^{out}_{com}, v^{out}, \sigma^{out})$;
13 Output $\widetilde{st}^{out} = (sid, st^{out}, \text{root node})$;

database setting, we wish to protect the privacy of the entire sequence of inputs and programs, while allowing the output of each program in the sequence to be learnt by the decoder in the clear.
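The session hand-over in Algorithm 20 (sign the terminating state under a key derived from the PRF, verify it at the start of the next session) can be seen in the following added example, which is not code from the paper. It substitutes HMAC-SHA256 for both the PRF and the splittable signature scheme, omits obfuscation entirely, and assumes the key checked at the start of session sid is the one session sid−1 signed with; all function names and sample values are constructed.

```python
import hashlib
import hmac
import json

def prf(k_t: bytes, sid: int) -> bytes:
    # Stand-in for PRF(K_T, sid): derives the per-session signing key.
    return hmac.new(k_t, b"sid:%d" % sid, hashlib.sha256).digest()

def tag(k_t, sid, st, v, w_st, w_com) -> str:
    # Stand-in for Spl.Sign(sk_sid, (sid, st, v, w_st, w_com)).
    msg = json.dumps([sid, st, v, w_st, w_com]).encode()
    return hmac.new(prf(k_t, sid), msg, hashlib.sha256).hexdigest()

def end_session(k_t, sid, st_out, v, w_st, w_com) -> dict:
    # Lines 7-13: on termination, sign the final state and emit it.
    return {"sid": sid, "st": st_out, "v": v, "w_st": w_st, "w_com": w_com,
            "sigma": tag(k_t, sid, st_out, v, w_st, w_com)}

def begin_session(k_t, sid, prev: dict) -> str:
    # Lines 2-5: recompute the tag under session sid-1's key; any mismatch
    # (edited state, edited digests, or a state from another session) rejects.
    expected = tag(k_t, sid - 1, prev["st"], prev["v"], prev["w_st"], prev["w_com"])
    if not hmac.compare_digest(expected, prev["sigma"]):
        return "Reject"
    return "Init"  # accepted: the new session starts from st_in = Init

def demo() -> list:
    k_t = b"constructed-demo-key"           # constructed sample key
    out1 = end_session(k_t, 1, "halt:42", "v1", "wst1", "wcom1")
    tampered = dict(out1, st="halt:43")     # evaluator edits the state
    return [begin_session(k_t, 2, out1),    # honest hand-over
            begin_session(k_t, 2, tampered),
            begin_session(k_t, 3, out1)]    # replay into a later session

if __name__ == "__main__":
    print(demo())
```

Because the session index is bound into both the derived key and the signed tuple, a state that is valid for one session boundary is rejected at every other one.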
9.2.1 Definition
Definition 9.2 (RE with Persistent Database). A randomized encoding scheme RE with persistent database consists of algorithms $\mathsf{RE} = \mathsf{RE}.\{\mathsf{DBInit}, \mathsf{Encode}, \mathsf{Decode}\}$ described below.
$\mathsf{RE.DBEncode}(mem^{0,0}, 1^{\lambda}) \to \widetilde{mem}^{0,0}$: The database compilation algorithm DBEncode is a probabilistic algorithm which takes as input the security parameter $1^{\lambda}$ and a database $mem^{0,0}$. It outputs a compiled database $\widetilde{mem}^{0,0}$.
$\mathsf{RE.Encode}(P_{sid}, x_{sid}, 1^{\lambda}) \to ENC_{sid}$: The encoding algorithm Encode is a probabilistic algorithm which takes as input the security parameter $1^{\lambda}$, the description of a RAM program $P_{sid}$ with time bound $T$ and space bound $S$, and an input $x_{sid}$. It outputs an encoding $ENC_{sid}$.
$\mathsf{RE.Decode}(ENC_{sid}, \widetilde{mem}^{sid-1,0}, 1^{\lambda}, T, S) \to (y_{sid}, \widetilde{mem}^{sid,0})$: The decoding algorithm Decode is a deterministic algorithm which takes as input the security parameter $1^{\lambda}$, time bound $T$ and space bound $S$, an encoding $ENC_{sid}$, and a compiled database $\widetilde{mem}^{sid-1,0}$. It outputs $y_{sid} = P_{sid}(x_{sid})$ or $\bot$, and a compiled database $\widetilde{mem}^{sid,0}$.
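Correctness A randomized encoding scheme RE is said to be correct if
$$\Pr\big[\widetilde{mem}^{0,0} \leftarrow \mathsf{RE.DBEncode}(mem^{0,0}, 1^{\lambda});\ ENC_{sid} \leftarrow \mathsf{RE.Encode}(P_{sid}, x_{sid}, 1^{\lambda});\ (y_{sid}, \widetilde{mem}^{sid,0}) \leftarrow \mathsf{RE.Decode}(ENC_{sid}, \widetilde{mem}^{sid-1,0}, 1^{\lambda}, T, S)\ :\ y_{sid} = P_{sid}(x_{sid})\ \forall sid,\ 1 \le sid \le l\big] = 1.$$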
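Security A randomized encoding scheme RE with persistent database is said to be hiding if for all PPT adversaries $\mathcal{A}$, time $l$, database $mem^{0,0}$, program $P_{sid}$ with time bound $T$ and space bound $S$, and input value $x_{sid}$, there exists a simulator $\mathcal{S}$ such that
$$\Big|\Pr\big[\widetilde{mem}^{0,0} \leftarrow \mathcal{S}(1^{|mem^{0,0}|}, 1^{\lambda});\ ENC_{sid} \leftarrow \mathcal{S}(1^{|P_{sid}|}, 1^{|x_{sid}|}, t^{*}_{sid}, y_{sid}, 1^{\lambda}, T, S)\ :\ \mathcal{A}(1^{\lambda}, \widetilde{mem}^{0,0}, \{ENC_{sid}\}_{sid=1}^{l}) = 1\big]$$
$$-\ \Pr\big[\widetilde{mem}^{0,0} \leftarrow \mathsf{RE.DBEncode}(mem^{0,0}, 1^{\lambda});\ ENC_{sid} \leftarrow \mathsf{RE.Encode}(P_{sid}, x_{sid}, 1^{\lambda})\ :\ \mathcal{A}(1^{\lambda}, \widetilde{mem}^{0,0}, \{ENC_{sid}\}_{sid=1}^{l}) = 1\big]\Big| \le negl(\lambda).$$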
Efficiency We require that DBEncode and Encode run in time $\tilde{O}(|mem^{0,0}|)$ and $\tilde{O}(poly(|P_{sid}|) + |x_{sid}|)$, respectively, and that Decode is efficient, running in time $\tilde{O}(t^{*}_{sid})$.
9.2.2 Constructing RE with Persistent Database
Construction The construction of RE with PDB relies on the same technique used to build RE from CiO without PDB. As in Section 7, we use public-key encryption to hide the CPU state and the memory content, use oblivious RAM or PRAM to hide the access pattern, and finally use CiO-RAM or PRAM with PDB to obfuscate the compiled programs. The RE with PDB construction works as follows.
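RE.DBEncode: It first compiles database $mem^{0,0}$ to $(\widetilde{mem}^{0,0}_{o}, \widetilde{st}^{0,0}_{o})$ by ORAM or OPRAM compiler, then generates encryption of $(\widetilde{mem}^{0,0}_{e}, \widetilde{st}^{0,0}_{e})$ by PKE. Finally, it outputs $(\widetilde{mem}^{0,0}_{c}, \widetilde{st}^{0,0}_{c})$ by DBCompile of CiO with PDB.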
RE.Encode: Unlike in ordinary RE where the input is written to the memory, we embed both the program $P_{sid}$ and the input $x_{sid}$ into a stateful function $F_{sid}$. It compiles the stateful function $F_{sid}$ to $F_{sid,o}$ by ORAM or OPRAM compiler, and then generates $F_{sid,e}$ which includes decryption and encryption, except that at $t = 0$, $F_{sid,e}$ accepts the plaintext output generated by the previous program without performing decryption. We note that now the last write time used for decryption is in the format $lw = (sid, t)$. Finally, it outputs $ENC_{sid} = Obf(F_{sid,e})$ by Obf of CiO.
RE.Decode: It executes $Eval((\widetilde{mem}^{sid-1,0}_{c}, \widetilde{st}^{sid-1,0}_{c}), ENC_{sid})$.
Security Sketch As in the security proof of RE without PDB, we wish to prove that if PKE and ORAM are secure, then the computation should be hidden. As before, we go through the hybrid argument backward in time, i.e., from the termination time of the last program, to the beginning of the last program, then the second last program, etc. Within a single program, the technique to move backward is identical to that in the setting without PDB. The only difference is at the beginning of a program. Instead of a ciphertext state, the initial state is hardwired, since the output of the previous program is a plaintext. This is possible since all intermediate outputs are given to the simulator.