A language for probabilistically oblivious computation

Darais, David; Sweet, Ian; Liu, Chang; Hicks, Michael

doi:10.1145/3371118

Cited by 16 publications

(16 citation statements)

References 72 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In concurrent work with ours, Barthe et al [11] and Darais et al [22] have introduced specialized mechanisms to prove security of ORAMs. Barthe et al [11] introduced a probabilistic separation logic (PSL) that (among other things) can be used to reason about the security of ORAMs.…”

Section: Verification Of Oramsmentioning

confidence: 97%

“…Unlike QHPs, PSL does not permit quantitative reasoning about probabilities of events and also does not (yet) support machine-checked reasoning. Darais et al [22] introduce a type system that enforces obliviousness; they use this type system to implement a tree-based ORAM. Note that QHPs can express specifications other than obliviousness, and obliviousness need not necessarily be a QHP.…”

Section: Verification Of Oramsmentioning

confidence: 99%

See 1 more Smart Citation

Verification of Quantitative Hyperproperties Using Trace Enumeration Relations

Sahai

Subramanyan

Sinha

2020

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Many important cryptographic primitives offer probabilistic guarantees of security that can be specified as quantitative hyperproperties; these are specifications that stipulate the existence of a certain number of traces in the system satisfying certain constraints. Verification of such hyperproperties is extremely challenging because they involve simultaneous reasoning about an unbounded number of different traces. In this paper, we introduce a technique for verifying quantitative hyperproperties based on the notion of trace enumeration relations. These relations allow us to reduce the problem of trace-counting into one of modelcounting of formulas in first-order logic. We also introduce a set of inference rules for machine-checked reasoning about the number of satisfying solutions to first-order formulas (aka model counting). Putting these two components together enables semi-automated verification of quantitative hyperproperties on infinite-state systems. We use our methodology to prove confidentiality of access patterns in Path ORAMs of unbounded size, soundness of a simple interactive zero-knowledge proof protocol as well as other applications of quantitative hyperproperties studied in past work.

show abstract

Section: Verification Of Oramsmentioning

confidence: 97%

Section: Verification Of Oramsmentioning

confidence: 99%

Verification of Quantitative Hyperproperties Using Trace Enumeration Relations

Sahai

Subramanyan

Sinha

2020

Lecture Notes in Computer Science

View full text Add to dashboard Cite

show abstract

“…This means programmers can implement floating point directly, without invoking bitwise libraries [8]. Second, random number generation, as many randomized data oblivious codes require private random numbers (e.g., [64], [65], [66], [23], [21]). Third, a cmov-style ternary/conditional move operator with a Safe predicate for implementing conditionals, and branches/jumps with Unsafe operands to reduce code footprint.…”

Section: B Concrete Oisa Specificationmentioning

confidence: 99%

“…Beyond data oblivious code written for today's ISAs, there is a rich literature to improve algorithm/data structure [47], [79], [78], [77], [80], [81], [64], [82], [83], [66] performance in the software circuit abstraction. Additionally, there is rich literature to write (e.g., [65], [84]) and compile (e.g., [64], [85], [82]) programs to software circuits. An important observation is that, although many of these works target cryptographic backends such as garbled circuits, their underlying programming abstraction (software circuits) is very similar to the data oblivious abstraction.…”

Section: Related Workmentioning

confidence: 99%

Data Oblivious ISA Extensions for Side Channel-Resistant and High Performance Computing

Hsiung²,

El'Hajj³

et al. 2019

Proceedings 2019 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

Blocking microarchitectural (digital) side channels is one of the most pressing challenges in hardware security today. Recently, there has been a surge of effort that attempts to block these leakages by writing programs data obliviously. In this model, programs are written to avoid placing sensitive data-dependent pressure on shared resources. Despite recent efforts, however, running data oblivious programs on modern machines today is insecure and low performance. First, writing programs obliviously assumes certain instructions in today's ISAs will not leak privacy, whereas today's ISAs and hardware provide no such guarantees. Second, writing programs to avoid data-dependent behavior is inherently high performance overhead. This paper tackles both the security and performance aspects of this problem by proposing a Data Oblivious ISA extension (OISA). On the security side, we present ISA design principles to block microarchitectural side channels, and embody these ideas in a concrete ISA capable of safely executing existing data oblivious programs. On the performance side, we design the OISA with support for efficient memory oblivious computation, and with safety features that allow modern hardware optimizations, e.g., out-of-order speculative execution, to remain enabled in the common case. We provide a complete hardware prototype of our ideas, built on top of the RISC-V out-of-order, speculative BOOM processor, and prove that the OISA can provide the advertised security through a formal analysis of an abstract BOOM-style machine. We evaluate area overhead of hardware mechanisms needed to support our prototype, and provide performance experiments showing how the OISA speeds up a variety of existing data oblivious codes (including "constant time" cryptography and memory oblivious data structures), in addition to improving their security and portability.

show abstract

“…Previous systems, however, have also touched on independence. Darais et al [13] define a type and effect system for proving properties of probabilistic computations. Their effect system is based on a new notion of probabilistic region, which they use to track probabilistic dependencies.…”

Section: Related Workmentioning

confidence: 99%

A probabilistic separation logic

Barthe

Hsu

Liao

2019

Proc. ACM Program. Lang.

View full text Add to dashboard Cite

Probabilistic independence is a fundamental tool for reasoning about randomized programs. Independence describes the result of drawing a fresh random sample-a basic operation in all probabilistic languages-and greatly simplifies formal reasoning about collections of random samples. Nevertheless, existing verification methods handle independence poorly, if at all.In this paper, we propose a probabilistic separation logic where separation models probabilistic independence. We first give a new, probabilistic model of the logic of bunched implications (BI), the logic of assertions in separation logic. Then, we introduce a program logic based on these assertions and prove soundness of the proof system. We demonstrate our logic by verifying security properties of several cryptographic constructions, including simple ORAM, secure multi-party addition, oblivious transfer, and private information retrieval. Our logic is able to state and verify two different forms of the standard cryptographic security property, while proofs work in terms of high-level properties like independence and uniformity. ACM Reference Format:

show abstract

A language for probabilistically oblivious computation

Cited by 16 publications

References 72 publications

Verification of Quantitative Hyperproperties Using Trace Enumeration Relations

Verification of Quantitative Hyperproperties Using Trace Enumeration Relations

Data Oblivious ISA Extensions for Side Channel-Resistant and High Performance Computing

A probabilistic separation logic

Contact Info

Product

Resources

About