271 research outputs found
What Storage Access Privacy is Achievable with Small Overhead?
Oblivious RAM (ORAM) and private information retrieval (PIR) are classic
cryptographic primitives used to hide the access pattern to data whose storage
has been outsourced to an untrusted server. Unfortunately, both primitives
require considerable overhead compared to plaintext access. For large-scale
storage infrastructure with highly frequent access requests, the degradation in
response time and the exorbitant increase in resource costs incurred by either
ORAM or PIR prevent their usage. In an ideal scenario, a privacy-preserving
storage protocols with small overhead would be implemented for these heavily
trafficked storage systems to avoid negatively impacting either performance
and/or costs. In this work, we study the problem of the best $\mathit{storage\
access\ privacy}\mathit{small\ overhead}\mathit{differential\ privacy\ access}\mathit{oblivious\ access}\epsilon = \Omega(\log n)\epsilon = \Theta(\log n)O(1)\epsilon = \Theta(\log n)O(\log\log n)$
overhead. This construction uses a new oblivious, two-choice hashing scheme
that may be of independent interest.Comment: To appear at PODS'1
Lower Bounds for Oblivious Near-Neighbor Search
We prove an lower bound on the dynamic
cell-probe complexity of statistically
approximate-near-neighbor search () over the -dimensional
Hamming cube. For the natural setting of , our result
implies an lower bound, which is a quadratic
improvement over the highest (non-oblivious) cell-probe lower bound for
. This is the first super-logarithmic
lower bound for against general (non black-box) data structures.
We also show that any oblivious data structure for
decomposable search problems (like ) can be obliviously dynamized
with overhead in update and query time, strengthening a classic
result of Bentley and Saxe (Algorithmica, 1980).Comment: 28 page
Doubly-Affine Extractors, and Their Applications
In this work we challenge the common misconception that information-theoretic (IT) privacy is too impractical to be used in the real-world: we propose to build simple and reusable IT-encryption solutions whose only efficiency penalty (compared to computationally-secure schemes) comes from a large secret key size, which is often a rather minor inconvenience, as storage is cheap. In particular, our solutions are stateless and locally computable at the optimal rate, meaning that honest parties do not maintain state and read only (optimally) small portions of their large keys with every use.
Moreover, we also propose a novel architecture for outsourcing the storage of these long keys to a network of semi-trusted servers, trading the need to store large secrets with the assumption that it is hard to simultaneously compromise too many publicly accessible ad-hoc servers. Our architecture supports everlasting privacy and post-application security of the derived one-time keys, resolving two major limitations of a related model for outsourcing key storage, called bounded storage model.
Both of these results come from nearly optimal constructions of so called doubly-affine extractors: locally-computable, seeded extractors Ext(X,S) which are linear functions of X (for any fixed seed S), and protect against bounded affine leakage on X. This holds unconditionally, even if (a) affine leakage may adaptively depend on the extracted key R = Ext(X,S); and (b) the seed S is only computationally secure. Neither of these properties are possible with general-leakage extractors
CacheShuffle: A Family of Oblivious Shuffles
We consider oblivious two-party protocols where a client outsources N blocks of private data to a server. The client wishes to access the data to perform operations in such a way that the access pattern does not leak information about the data and the operations. In this context, we consider oblivious shuffling with a focus on bandwidth efficient protocols for clients with small local memory. In the shuffling problem, the N outsourced blocks, B_1,...,B_N, are stored on the server according to an initial permutation pi. The client wishes to reshuffle the blocks according to permutation sigma. Oblivious shuffling is a building block in several applications that hide patterns of data access. In this paper, we introduce a generalization of the oblivious shuffling problem, the K-oblivious shuffling problem, and provide bandwidth efficient algorithms for a wide range of client storage requirements. The task of a K-oblivious shuffling algorithm is to shuffle N encrypted blocks that were previously randomly allocated on the server in such a way that an adversarial server learns nothing about either the new allocation of blocks or the block contents. The security guarantee must hold when an adversary has partial information on the initial placement of a subset of K <=N revealed blocks. The notion of oblivious shuffling is obtained for K=N.
We first study the N-oblivious shuffling problem and start by presenting CacheShuffleRoot, that is tailored for clients with O(sqrt{N}) blocks of memory and uses approximately 4N blocks of bandwidth. CacheShuffleRoot is a 4x improvement over the previous best known N-oblivious shuffle for practical sizes of N. We then generalize CacheShuffleRoot to CacheShuffle that can be instantiated for any client memory size S and requires O(N log_S N) blocks of bandwidth. Next, we present K-oblivious shuffling algorithms that require 2N + f(K,S) blocks of bandwidth for all K and a wide range of S. Any extra bandwidth above the 2N lower bound depends solely on K and S. Specifically, for clients with O(K) blocks of memory, we present KCacheShuffleBasic that uses exactly 2N blocks of bandwidth. For clients with memory S <= K, we present KCacheShuffle, that requires 2N + O(K log_S K) blocks of bandwidth. Finally, motivated by applications to ORAMs, we consider the case where the server stores D dummy blocks whose contents are irrelevant in addition to the N real blocks. For this case, we design algorithm KCacheShuffleDummy that shuffles N+D blocks with K revealed blocks using O(K) blocks of client storage and approximately D+2N blocks of bandwidth
Cuckoo Hashing in Cryptography: Optimal Parameters, Robustness and Applications
Cuckoo hashing is a powerful primitive that enables storing items using small space with efficient querying. At a high level, cuckoo hashing maps items into entries storing at most items such that each item is placed into one of randomly chosen entries. Additionally, there is an overflow stash that can store at most items. Many cryptographic primitives rely upon cuckoo hashing to privately embed and query data where it is integral to ensure small failure probability when constructing cuckoo hashing tables as it directly relates to the privacy guarantees.
As our main result, we present a more query-efficient cuckoo hashing construction using more hash functions. For construction failure probability , the query overhead of our scheme is . Our scheme has quadratically smaller query overhead than prior works for any target failure probability . We also prove lower bounds matching our construction. Our improvements come from a new understanding of the locality of cuckoo hashing failures for small sets of items.
We also initiate the study of robust cuckoo hashing where the input set may be chosen with knowledge of the hash functions. We present a cuckoo hashing scheme using more hash functions with query overhead that is robust against poly adversaries. Furthermore, we present lower bounds showing that this construction is tight and that extending previous approaches of large stashes or entries cannot obtain robustness except with query overhead.
As applications of our results, we obtain improved constructions for batch codes and PIR. In particular, we present the most efficient explicit batch code and blackbox reduction from single-query PIR to batch PIR
Lower Bounds for (Batch) PIR with Private Preprocessing
In this paper, we study (batch) private information retrieval with private preprocessing. Private information retrieval (PIR) is the problem where one or more servers hold a database of bits and a client wishes to retrieve the -th bit in the database from the server(s). In PIR with private preprocessing (also known as offline-online PIR), the client is able to compute a private -bit hint in an offline stage that may be leveraged to perform retrievals accessing at most entries. For privacy, the client wishes to hide index from an adversary that has compromised some of the servers. In the batch PIR setting, the client performs queries to retrieve the contents of multiple entries simultaneously.
We present a tight characterization for the trade-offs between hint size and number of accessed entries during queries. For any PIR scheme that enables clients to perform batch retrievals of entries, we prove a lower bound of when . When , we prove that . Our lower bounds hold when the scheme errs with probability at most and against PPT adversaries that only compromise one out of servers for any . Our work also closes the multiplicative logarithmic gap for the single query setting as our lower bound matches known constructions. Our lower bounds hold in the model where each database entry is stored without modification but each entry may be replicated arbitrarily.
Finally, we show connections between PIR and the online matrix-vector (OMV) conjecture from fine-grained complexity. We present barriers for proving lower bounds for two-server PIR schemes in general computational models as they would immediately imply the OMV conjecture
A second-generation high speed civil transport: Stingray
The Stingray is the second-generation High Speed Civil Transport (HSCT) designed for the 21st Century. This aircraft is designed to be economically viable and environmentally sound transportation competitive in markets currently dominated by subsonic aircraft such as the Boeing 747 and upcoming McDonnell Douglas MD-12. With the Stringray coming into service in 2005, a ticket price of 21 percent over current subsonic airlines will cover operational costs with a 10 percent return on investment. The cost per aircraft will be 0.072 per mile per seat. This aircraft has been designed to be a realistic aircraft that can be built within the next ten to fifteen years. There was only one main technological improvement factor used in the design, that being for the engine specific fuel consumption. The Stingray, therefore, does not rely on technology that does not exist. The Stingray will be powered by four mixed flow turbofans that meet both nitrous oxide emissions and FAR 36 Stage 3 noise regulations. It will carry 250 passengers a distance of 5200 nautical miles at a speed of Mach 2.4. The shape of the Stingray, while optimized for supersonic flight, is compatible with all current airline facilities in airports around the world. As the demand for economical, high-speed flight increases, the Stingray will be ready and able to meet those demands
Convo: What does conversational programming need? An exploration of machine learning interface design
Vast improvements in natural language understanding and speech recognition
have paved the way for conversational interaction with computers. While
conversational agents have often been used for short goal-oriented dialog, we
know little about agents for developing computer programs. To explore the
utility of natural language for programming, we conducted a study (=45)
comparing different input methods to a conversational programming system we
developed. Participants completed novice and advanced tasks using voice-based,
text-based, and voice-or-text-based systems. We found that users appreciated
aspects of each system (e.g., voice-input efficiency, text-input precision) and
that novice users were more optimistic about programming using voice-input than
advanced users. Our results show that future conversational programming tools
should be tailored to users' programming experience and allow users to choose
their preferred input mode. To reduce cognitive load, future interfaces can
incorporate visualizations and possess custom natural language understanding
and speech recognition models for programming.Comment: 9 pages, 7 figures, submitted to VL/HCC 2020, for associated user
study video: https://youtu.be/TC5P3OO5ex
Lower Bound Framework for Differentially Private and Oblivious Data Structures
In recent years, there has been significant work in studying data structures that provide privacy for the operations that are executed. These primitives aim to guarantee that observable access patterns to physical memory do not reveal substantial information about the queries and updates executed on the data structure. Multiple recent works, including Larsen and Nielsen [Crypto\u2718], Persiano and Yeo [Eurocrypt\u2719], Hubáček et al. [TCC\u2719] and Komargodski and Lin [Crypto\u2721], have shown that logarithmic overhead is required to support even basic RAM (array) operations for various privacy notions including obliviousness and differential privacy as well as different choices of sizes for RAM blocks and memory cells .
We continue along this line of work and present the first logarithmic lower bounds for differentially private RAMs (DPRAMs) that apply regardless of the sizes of blocks and cells . This is the first logarithmic lower bounds for DPRAMs when blocks are significantly smaller than cells, that is . Furthermore, we present new logarithmic lower bounds for differentially private variants of classical data structure problems including sets, predecessor (successor) and disjoint sets (union-find) for which sub-logarithmic plaintext constructions are known. All our lower bounds extend to the multiple non-colluding servers setting.
We also address an unfortunate issue with this rich line of work where the lower bound techniques are difficult to use and require customization for each new result. To make the techniques more accessible, we generalize our proofs into a framework that reduces proving logarithmic lower bounds to showing that a specific problem satisfies two simple, minimal conditions. We show our framework is easy-to-use as all the lower bounds in our paper utilize the framework and hope our framework will spur more usage of these lower bound techniques
- …