Demanda crediticia por tipo de crédito en el Ecuador, período 2000-2015

Finally, we constructCiOin the (standard) PRAM (PRAM) model. A PRAM consists ofmCPUs running si- multaneously with random access to a shared memory, but without communication with each others. Formally, the class of distributed computation for PRAM, denoted byP_PRAM, is defined as follows:

Definition 6.7(PRAM Computation Class). P_PRAM is a class of distributed computation systems for PRAM withmagents (a.k.a. CPU)1, . . . , mand a shared memoryMwhere

the terminating timet∗ _{is bounded byT;}

the communication between agents are not allowed, i.e.,ct

j←k:=⊥for allt∈[t∗]and for allj, k∈[m]; the memory size|mem|is bounded byS;

for allk∈[m], the state size|stk|and the communication buffer sizes|ak←M|and|aM←k|are bounded by polylog(T);

for allk∈[m], the initial access commands are restricted toa0

k←M:=⊥anda0M←k :=⊥; for allk∈[m], the initial states are restricted tost0

k:=⊥.

Our construction of CiO-PRAM is very similar to that of CiO for mPRAM except thatFbranch now also

takes as input a bit read from the memory with its proof, and outputs a bit to be written to some memory location. Thus, as for CiO-RAM, the evaluator in addition maintains an accumulator for storing the actual memory content. Correspondingly, instead of executing F directly, Fbranch executes another program called Fcheck

which encapsulatesF and the oblivious update mechanism described above.

We next describe in details our scheme CiO = CiO.{Obf,Eval}in the PRAM model. The compilation procedureCiO.Obfcan transform a given computation systemΠ ∈ P_PRAM into an obfuscated computation systemΠe, where Π = (mem0, F), and e Π = ((mem]0,ste 0 ),Fe).

Compilation procedureΠe ←CiO.Obf(1λ,Π): We provide the details of the compilation procedureObf()

which consists of several steps as follows.

Step 1: Generating parameters. The compilation procedure computes the following parameters for the obfus- cated computation system:

KA←PRF.Setup(1λ) (ppAcc,mem,wˆmem,0,storeˆ mem,0)←Acc.Setup(m)

(ppAcc,st,wˆst,0,storeˆ st,0)←Acc.Setup(m)

(pp_Acc,com,wˆcom,0,storeˆ com,0)←Acc.Setup(S)

Step 2: Generating stateful algorithmsFe. Based on the parametersT,pp_Acc,mem,pp_Acc,st,pp_Acc,com,pp_Itr, KA

generated above, as well as programF, we define the programFbin Algorithm12. Fbexecutes internal pro-

gramsFbranch (Algorithm13) orFcombine(Algorithm14) depending on its input. NowFbranch in turn executes

Fcheckdefined in Algorithm7, whereFcheck=AccCompile(F,Acc.OUpdate{ppAcc,mem}).

The compilation procedure then computes an obfuscation of the programFb. That is,Fe←iO.Gen(Fb). Algorithm 12:Fb, which is identical to its mPRAM counterpart (Algorithm8)

// for simplicity, we drop the subscripts from_eain

idcpu←Mandea

out

M←idcpu, and useea

in_and e aout _respectively Input :ste in = (stin_,id

cpu,root node),ea

in

1 ifstin= (halt,·)then

2 OutputReject; 3 else ifroot node6=⊥then 4 Compute(ste out ,_eaout_{) =F} branch(ste in ,_eain_); 5 else 6 Compute(ste out ,ea out_{) =F} combine(ste in ,ea in_); 7 Output(ste out ,ea out_); Algorithm 13:Fbranch

// for simplicity, we drop the subscripts fromea

in

idcpu←Mandea

out

M←idcpu, and useea

in_and e aout _respectively Input :ste in = (stin_,id

cpu,root node),ea

in_{= (b}in_,comin_{, π}in

mem, πstin, πincom)

Data :ppAcc,mem,ppAcc,st,ppAcc,com,ppItr, KA

1 Parseroot nodeas(t,root index, win_st, win_com, vin, σin); 2 LetrA=PRF(KA,(t,root index));

3 Compute(skA,vkA,vkA,rej) =Spl.Setup(1λ;rA);

4 Letmin= (t,root index, win_st, win_com, vin);

5 ifSpl.Verify(vk_A, min, σin) = 0thenoutputReject;

6 ifAcc.VerifyRead(pp_Acc,st, win_st,(idcpu,stin), πstin) = 0thenoutputReject;

7 ifAcc.VerifyRead(pp_Acc,com, win_com,(src(t,idcpu),comin), πcomin ) = 0thenoutputReject;

8 (stout,(comout,locout, bout))←Fcheck(idcpu,stin,(bin,comin, πinmem));

9 Computevout=TItr.Iterate(pp_Itr, vin,(t+ 1,idcpu,stin,comin, winst, wincom));

10 ifstout =Rejectthen

11 OutputReject; 12 else

13 Letr0

A=PRF(KA,(t+ 1,idcpu));

14 Compute(sk0_A,vk0_A,vk0_A,rej) =Spl.Setup(1λ;r_A0 ); 15 Letmout_{= (t+ 1,id}

cpu,stout,comout, vout)andσout=Spl.Sign(sk0A, mout);

16 Letnodeout= (t+ 1,idcpu,stout,comout, vout, σout);

17 Outputste

out

= (stout_,id

cpu,⊥),ea

out _{= (node}out_,locout_{, b}out_);

Step 3: Generating the initial configuration(mem]0,ste

0

). Recall that initial memory accesses are empty:

a0

k←M =⊥,a0M←k =⊥. Based onmem0 andst0k=⊥for allk∈[m], the compilation procedure computes the

Algorithm 14:Fcombine, which is identical to its mPRAM counterpart (Algorithm10)

// for simplicity, we drop the subscripts fromea

in

idcpu←Mandea

out

M←idcpu, and useea

in_and e aout _respectively Input :ste in = (stin_,id cpu,⊥),ea in_{= (node} 1,node2)

Data :ppAcc,st,ppAcc,com,ppItr, KA

1 forζ = 1,2doParsenodeζas(tζ,indexζ, wst,ζ, wcom,ζ, vζ, σζ);

2 ift1 6=t2thenoutputReject;

3 elselett=t1;

4 ift <1thenoutputReject;

5 ifindex1andindex2 are not siblingsthenoutputReject;

6 Setparent indexas the parent ofindex1andindex2;

7 forζ = 1,2do

8 LetrA,ζ=PRF(KA,(tζ,indexζ));

9 Compute(skA,ζ,vkA,ζ,vkA,rej,ζ) =Spl.Setup(1λ;rA,ζ);

10 Letmζ= (tζ,indexζ, wst,ζ, wcom,ζ, vζ);

11 ifSpl.Verify(vk_A,ζ, m_ζ, σ_ζ) = 0thenoutputReject;

12 Computew0_st =Acc.Combine(pp_Acc,st, wst,1, wst,2,parent index);

13 Computew0_com=Acc.Combine(pp_Acc,com, wcom,1, wcom,2,parent index);

14 Computev0 =TItr.Iterate2to1(pp_Itr,(v1, v2),(t,parent index, wst,1, wcom,1, wst,2, wcom,2));

15 Letr_A0 =PRF(K_A,(t,parent index));

16 Compute(sk0_A,vk0_A,vk0_A,rej) =Spl.Setup(1λ;r_A0 ); 17 Letm0 = (t,parent index, w0_st, w_com0 , v0);

18 Computeσ0 _=Spl.Sign(sk0 A, m0);

19 Letparent node= (t,parent index, w0_st, w_com0 , v0, σ0); 20 ifparent index=then

21 Outputste

out

= (stin_,id

cpu,parent node),ea

out _=⊥; 22 else 23 Outputste out = (stin_,id cpu,⊥),ea

For eachj ∈ {1, . . . ,|mem0_{|}, it computes iteratively:}

ˆ

storemem,j←Acc.WriteStore(ppAcc,mem,storeˆ mem,j−1,, j,mem0[j]) πj ←Acc.PrepWrite(ppAcc,mem,storeˆ mem,j−1, j)

ˆ

wj ←Acc.Update(ppAcc,mem,wˆj−1, j, xj, πj)

Setw0

mem:= ˆw|mem0_|, andstore0_mem :=storeˆ _|mem0_|. Setw0

st :=⊥andstore0st :=storeˆ st,0, wherestoreˆ st,0is initialized with value⊥as the initial state in allm

cells. Setw0

com := ⊥andstore0com :=storeˆ com,0, wherestoreˆ com,0is initialized with value⊥as no communi-

cation in allmcells.

Setroot node0 = (t,root index, w0

st, wcom0 , v0, σ0) wheret = 0, root index= ; andw0st,wcom0 ,v0 are

computed above; andσ0_{is computed as follows:}

rA←PRF(KA,0) (sk0_,vk0_{)←Spl.Setup(1}λ_;r

A)

σ0←Spl.Sign(sk0,(0,root index, w_st0, w_com0 , v0)) st0_{= ((st}0

Π,st0Acc), dAcc, b, w0,loc) = ((⊥,⊥),READ,⊥, w0mem,⊥)wherew0memis computed above.

buff0[1] =. . .=buff0[m] = (⊥,⊥)

Now we can define the initial configuration to be ]

mem0 = (store0_mem,store_st0,store0_com,buff0) e

st0 = (root node0,⊥,st0_,com0_).

Final step.Finally, the compilation procedure returns the valueΠ = ((e mem_]

0

,ste

0

),F)e as output.

Evaluation algorithmconf := Eval(Π):e Upon receiving an obfuscated systemΠe, the evaluator parseΠ =e (mem]0,ste

0

), whereste

0

= (root node0,⊥,st0_,com0_{). It sets}

e

st0k= (root node0, k,st0,com0)fork= 1tom.

It then runs Algorithm11and carries out the result

(mem]t ∗ ,{ste t∗ k,ea t∗ M←k}mk=1)

at the halting timet∗. For1≤k≤m, parse:

]

memt∗ = (storet_mem∗ ,store_stt∗,storet_com∗ ,bufft∗) e sttk∗ = (stt ∗ k, k,·) e atM←k∗ = (nodet ∗ k,loct ∗ k, bt ∗ k) For1≤k≤m, let: at∗ M←k = (loct ∗ k, bt ∗ k) atk←M∗ =⊥.

Letmemt∗ _=storet∗

mem. Returnconf = ({stt∗ k, at ∗ M←k, at ∗ k←M}mk=1,memt ∗ ).

Algorithm 15:Eval: Evaluator ofΠe Input : Π = ((e mem] 0 ,{ste 0 k}mk=1),Fe)

1 Letzmax ← dlog(m)ebe the length ofmin binary;

2 for1≤t≤T do

3 Parsemem]t−1 = (storet−mem1 ,store

t−1

st ,storet−com1,buff

t−1_);

4 for1≤k≤mdo

5 Compute(·, π_stt−_,k1)←PrepRead(pp_Acc,st,storet−_st 1, k);

6 Compute(comt−_k 1, πt−_com1_,k)←PrepRead(pp_Acc,com,storet−_com1,src(t−1, k)); 7 Parsebufft−1[k] = (bin_k, π_memin _,k);

8 Let_eain_k ←(bin_k,comt−_k 1, π_memin _,k, π_stt−_,k1, πt−_com1_,k); 9 Evaluate(ste t,zmax k ,ea out k )←Fe(ste t−1 k ,ea in k); // Evaluate Fbranch

10 Parse_eaout_k = (node_kt,loct_k, bt_k);

11 Parsenodet_k= (·,·,st_kt,zmax,comt_k,·,·);

12 Letstoret_st[k]←stt,z_k max, which storesstt,z_k max in thek-th cell instoret_st; 13 Letstoret_com[k]←comt

k, which storescomtkin thek-th cell instoretcom;

14 ifloct_k=⊥ ∀1≤k≤mthen 15 Letstoret_mem←storet−_mem1 ;

16 for1≤k≤mdoletbufft[k] = (⊥,⊥); 17 else

18 for1≤k≤mdo

19 Computebufft[k] = (bin_k, π_memin _,k)←PrepRead(pp_Acc,mem,storet−_mem1 ,loct_k); 20 Letstoret,mem0 ←storet−mem1 ;

21 for1≤k≤mdocomputestoret,kmem ←WriteStore(ppAcc,mem,store

t,k−1

mem ,(loctk, btk));

22 Letstoret_mem←storet,mmem;

23 ifallste t,zmax

k ishaltstatethen

24 Letmem_]t←(storet_mem,storet_st,storet_com,bufft); 25 for1≤k≤mdoletste

t k ←ste

t,zmax

k ;

26 for1≤k≤mdolet_eat_M←k←(nodet_k,loct_k, bt_k); 27 return(mem_]t,{ste t k,ea t M←k}mk=1); 28 forz←zmax −1to0do 29 foreachk∈[m]do

30 Representk−1in a binary strings(k−1)of lengthz_max; 31 Letkzbe the prefixzbits ofs(k−1);

32 Letkzkbbe the binary string thatkzconcatenates bitb; 33 for1≤k≤mdo 34 Let_eain_k ←(nodet_k zk0,node t kzk1); 35 Evaluate(estt,z_k ,_eaout_k )←Fe(ste t,z+1 k ,ea in k); // Evaluate Fcombine 36 Letnodet_k z ←ea out k ;

37 Letmem]t←(storetmem,storetst,storetcom,bufft); // Input to the next iteration

38 Letste t k ←ste

t,0

Efficiency Letmbe the number of CPUs,|F|be the description size of programF,nbe the description size of initial memorymem0_{, computation systemΠproceeds with time and space boundT andS. We first note the}

circuit size ofFbis|F|+O(logm), wherelogmis the amount of hardwired information required in security

proof (similar to AppendixB.3.2). Assume thatiOis a circuit obfuscator with circuit size|iO(C)| ≤ poly|C| for given circuitC. OurCiO-PRAM has following complexity:

Compilation time isO(poly(˜ |F|) +n). Compilation size isO(poly(˜ |F|) +n). Parallel evaluation time isO(T˜ ·poly(|F|)).

Evaluation space isO(m˜ +S), wheremterm is to keep CPU states ofF while branch and combine, andS

term is needed byF intrinsically.

Theorem 6.8. AssumingiOis a secure indistinguishability obfuscator,PRFis a selectively secure puncturable PRF,TItris a secure topological iterator,Accis a secure positional accumulator, andSplis a secure splittable signature scheme;CiOis a secure computation-trace indistinguishability obfuscation with respect toPPRAM.

The proof sketch can be found in AppendixB.4.

7

ConstructingRE

in the RAM Model (RE-RAM)

In this section, we showcase the power of our fully succinctCiO-RAM by constructing the first fully succinct randomized encoding in the RAM model. A randomized encoding of a computation instance(P, x)hides ev- erything except its outputy = P(x)and runtimet∗_{. This requires hiding both the memory content and the}

access pattern of the computation. The formal definition can be found in AppendixA.2. At a high level, our construction is a fairly natural one: We use public-key encryption to hide the memory content (including the input), and use oblivious RAM to hide the access pattern. We then useCiOto obfuscate the compiled compu- tation instance. Namely, ourRE encoding algorithm outputsΠ =e CiO(Π_hide), whereΠ_hideis a computation

instance defined byPhide andxhide. Phide is aPKE andORAMcompiled version of P, and xhide is an en-

crypted version ofx. Namely,Phideoutputs encrypted CPU states and memory contents at each time step, and

usesORAMto compile its memory access (with randomness supplied by PRF for succinctness).

Intuitively, ifPKE andORAMare secure, then the computation should be hidden. However, note that, the decryption keys need to be hardwired inPhide to evaluateP(x). AsCiOdoes not hide anything explicitly, it

is not clear whether we can use the security ofPKE andORAMat all. In particular, it is unlikely that we can use the security ofORAM, since it only hides the access pattern when the CPU state and the memory contents are hidden from the adversary. Indeed, hiding the access pattern is the major technical challenge to prove the security of ourREconstruction. Next we provide an overview of our main ideas.

Basic version:REfor oblivious RAM computation To demonstrate the ideas in our full-fledged construc- tion, we start with the simpler case ofREforobliviousRAM computation where the given RAM computation instanceΠ defined by(P, x) has oblivious access pattern. Namely, we assume that there is a public access functionap(t) that predicts the memory access at each time step t, which is given to the simulator. Thus, we only need to hide the CPU state and the memory content in each step of the computation, without using oblivious RAM to hide the access pattern.

For this simpler case, we can directly use techniques developed by [KLW15] to hide the memory content using public-key encryption. In fact, the construction of machine-hiding encoding for TM in [KLW15] can be modified in a straightforward way to yieldRE for oblivious RAM computation based oniO for circuits. Our CiO-based construction presented below can be viewed as a modularization and simplification of their construction through ourCiOnotion.

Recall that our construction is of the formRE.Encode(P, x) =CiO(Πhide), whereΠhideis defined byPhide

andxhide. Here, we only usePKE to compileP, and denote the compiled program byPPKE instead ofPhide.

instead of outputting the CPU state and the memory content in the clear,PPKE outputs an encrypted version of them. PPKE also expects encrypted CPU states and memory contents as input, and emulates P on the decryption of the input. A key idea here (following [KLW15]) is to encrypt each message (either a CPU state of a memory cell) using different keys, and generate these keys (as well as encryption randomness) using puncturable PRF (PPRF), which allows us to use a standard puncturing argument (extended to work withCiO instead ofiO) to move to a hybrid where semantic security holds for a particular message so that we can “erase” the message.

In the detailed proof, we prove the security by a sequence of hybrids that “erase” the computationbackward in time, which leads to a simulated encoding CiO(ΠSim) where all ciphertexts generated by PSim as well as

inxSim are replaced by encryption of a special dummy symbol. More precisely, PSim simulates the access

pattern using the public access functionap at each time step t < t∗, simply ignores the input and outputs encryption ofdummy(for both CPU state and memory content), and outputsyat time stept=t∗_.

Full solution: RE for general RAM computation We now turn to our full solution, and deal with the main challenge of hiding access pattern. As mentioned, our approach is a natural one, where we use oblivious RAM (ORAM) compiler to hide the access pattern. Recall that anORAMcompiler compiles a RAM program by replacing each memory access by aprobabilistic procedure OACCESS which accesses memory in a way that hides the access pattern. Given a computation instanceΠdefined by(P, x), we first compileP using an

ORAMcompiler with randomness supplied by puncturable PRF. LetPORAMbe the compiled program. We also

initiate theORAMmemory by inserting the input x. LetxORAM be the resulting memory. We then compile

(PORAM, xORAM)usingPKEin the same way as in the basic version above. Namely, we usePPRFto generate

multiple keys, and use each key to encrypt a single message, including the inputxORAM. Denote the resulting

instance by(Phide, xhide). Our randomized encoding of computation instance(P, x)is nowΠ =e CiO(Π_hide),

whereΠhideis defined byPhideandxhide.

Note thatORAMsecurity only holds when the adversary does not learn any content of the computation. Given the fact thatCiOdoes not hide anything explicitly, it is unlikely that we can use the security ofORAMin a black-box way. In a previous seminal work [CHJV15], Canetti et al. provide a novel solution to this problem, and prove the security via a sequence of hybrids that “erase” the computationforwardin time. Unfortunately, their solution incurs dependency on the space complexity of the RAM program, and thus is not fully succinct.

To solve this problem, we rely on the specific ORAMconstruction of [CP13] (referred to asCP-ORAM

hereafter), and develop a puncturing technique to reason about the simulation. As in our basic version, we prove the security by a sequence of hybrids that “erase” the computationbackward in time. At a very high level, to move from thei-th hybrid to the(i−1)-th hybrid, i.e., erase the computation at i-th time step, we “puncture”ORAMat time stepi(i.e., thei-th memory access), which enables us to replace the access pattern by a simulated one at this time step. We can then move to the(i−1)-th hybrid by replacing the access pattern, erasing the memory content and computation, and undoing the “puncturing.”

Puncturing the ORAM access pattern cleanly could be very subtle. Note that the access pattern at time stepiis generated at the latest time stept0_{that access the same memory location as time stepi; This last access}

timet0 can be much smaller than i, so the puncturing may cause global changes in the computation. Thus, moving to the punctured hybrid, i.e., the(i−1)-th hybrid in the previous paragraph, requires a sequence of sub-hybrids that modifies the computation step by step. We therefore further introduce an auxiliary “partially puncturing” technique to achieve this goal.

This completes the overview of our main ideas. In the detailed proof in AppendixB.5, we will elaborate the above ideas.

Section Outline The remaining of this section will be organized as follows. We will first list all required building blocks in Section7.1and then review theCP-ORAMin Section7.2. Next we provide theRE con- struction details in Section7.3, and finally, prove the security in AppendixB.5.

In document "la política monetaria y su incidencia en el crédito bancario en el Ecuador período 2000 2015" (página 53-59)