ADVERTISING AGGREGATIONARCHITECTURE

Size: px

Start display at page:

Download "ADVERTISING AGGREGATIONARCHITECTURE"

Randolf Lynch
5 years ago
Views:

SOMAR LAPS PRIVACY-PRESERVING LATTICE-BASED PRIVATE-STREAM SOCIAL MEDIA ADVERTISING AGGREGATIONARCHITECTURE OR: HOW NOT TO LEAVE YOUR PERSONAL DATA AROUND REVISITING PRIVATE-STREAM AGGREGATION:

1 SOMAR LAPS PRIVACY-PRESERVING LATTICE-BASED PRIVATE-STREAM SOCIAL MEDIA ADVERTISING AGGREGATIONARCHITECTURE OR: HOW NOT TO LEAVE YOUR PERSONAL DATA AROUND REVISITING PRIVATE-STREAM AGGREGATION: LATTICE-BASED PSA ACM NETWORK CCS WPES AND DISTRIBUTED WORKSHOP SYSTEMS SECURITY (NDSS) SYMPOSIUM 2018 Daniela Becker Robert Bosch LLC RTC North America Pittsburgh, USA Jorge Guajardo Robert Bosch LLC RTC North America Pittsburgh, USA Karl-Heinz Zimmermann Hamburg University of Technology Hamburg, Germany

2 Outline 1. Introduction: Private Stream Aggregation (PSA) Problem Statement, Previous Work - Shi et al. s PSA Scheme (NDSS 2011). 2. (Augmented) Learning With Errors Theory Background. 3. Lattice-Based PSA: LaPS General Construction. LaPS instantiation & Experimental Results. 4. Summary & Outlook 2 Research and Technology Center Daniela Becker CR/RTC3-NA 02/19/2018

3 Private Stream Aggregation (PSA) Problem Distributed set of users ( U i ) want to compute sum of their sensitive data ( d i ) No information must be leaked about individual user U i Untrusted aggregator (A), i.e. honest-but-curious U 1 U 2 d 1 d 2 d 3?? U 3? A?? 3 Research and Technology Center Daniela Becker CR/RTC3.2-NA 02/19/2018

4 Private Stream Aggregation (PSA) Solution Apply differential privacy mechanism M to each d i create noisy version x i Send encrypted x i to aggregator A A aggregates ciphertexts and decrypts learns nothing but noisy sum x agg U 1 d 1 M x 1 Enc c 1 U 2 d 2 M x 2 Enc c 2 A Agg c agg Dec = c 1 + c 2 + c 3 x agg U 3 d 3 M x 3 Enc c 3 4 Research and Technology Center Daniela Becker CR/RTC3.2-NA 02/19/2018

5 Private Stream Aggregation (PSA) Security & Privacy Notions Aggregator obliviousness A learns nothing but noisy sum x agg differentially private U 1 d 1 NoisyEnc 1 c 1 U 2 d 2 NoisyEnc 2 c 2 A AggrDec x agg U 3 d 3 NoisyEnc 3 c 3 5 Research and Technology Center CR/RTC3-NA 02/19/2018

6 Private Stream Aggregation (PSA) Shi et al. [1] U i - param, t, sk i, d i NoisyEnc i A - param, t, {c i } N i=1, sk 0 AggrDec r i Geom c agg c 1 c N c agg = g x 1 H t sk 1 g x N H t sk N c agg = g x 1+ +x N H t sk 1+ +sk N x i d i + r i c i g x i H t sk i c agg H t sk 0 = g x 1+ +x N H t sk 1+ +sk N H t sk 0 = g x 1+ +x N = g x agg N {c i } i=1 x agg = DLog(g x agg ) 6 Research and Technology Center CR/RTC3-NA 02/19/2018 [1] E. Shi, T.-H. H. Chan, E. Rieffel, R. Chow, and D. Song. Privacy-Preserving Aggregation of Time-Series Data. NDSS 2011.

7 Private Stream Aggregation (PSA) Shi et al. [1] U i - param, t, sk i, d i r i Geom NoisyEnc i A - param, t, {c i } N i=1, sk 0 AggrDec Create noisy version cof agg c 1 c N data x c i agg = g x 1 H t sk 1 g x N H t sk N c agg = g x 1+ +x N H t sk 1+ +sk N x i d i + r i c i g x i H t sk i c agg H t sk 0 = g x 1+ +x N H t sk 1+ +sk N H t sk 0 = g x 1+ +x N = g x agg N {c i } i=1 x agg = DLog(g x agg ) 7 Research and Technology Center CR/RTC3-NA 02/19/2018 [1] E. Shi, T.-H. H. Chan, E. Rieffel, R. Chow, and D. Song. Privacy-Preserving Aggregation of Time-Series Data. NDSS 2011.

8 Private Stream Aggregation (PSA) Shi et al. [1] U i - param, t, sk i, d i NoisyEnc i A - param, t, {c i } N i=1, sk 0 AggrDec r i Geom x i d i + r i Desired result x agg in the exponent c agg c 1 c N c agg = g x 1 H t sk 1 g x N H t sk N c agg = g x 1+ +x N H t sk 1+ +sk N c i g x i H t sk i c agg H t sk 0 = g x 1+ +x N H t sk 1+ +sk N H t sk 0 = g x 1+ +x N = g x agg N {c i } i=1 x agg = DLog(g x agg ) 8 Research and Technology Center CR/RTC3-NA 02/19/2018 [1] E. Shi, T.-H. H. Chan, E. Rieffel, R. Chow, and D. Song. Privacy-Preserving Aggregation of Time-Series Data. NDSS 2011.

9 Private Stream Aggregation (PSA) Shi et al. [1] U i - param, t, sk i, d i NoisyEnc i r i Geom x i d i + r i c i g x i H t sk i A - param, t, {c i } N i=1, sk 0 c agg c 1 c N c agg = g x 1 H t sk 1 g x N H t sk N c agg = g x 1+ +x N H t sk 1+ +sk Note that N N sk i = sk 0 c agg H t sk 0 = g x 1+ +x N H t sk 1+ +sk N H t sk 0 = g x 1+ +x N = g x agg i=1 AggrDec N {c i } i=1 x agg = DLog(g x agg ) 9 Research and Technology Center CR/RTC3-NA 02/19/2018 [1] E. Shi, T.-H. H. Chan, E. Rieffel, R. Chow, and D. Song. Privacy-Preserving Aggregation of Time-Series Data. NDSS 2011.

10 Private Stream Aggregation (PSA) Shi et al. [1] U i - param, t, sk i, d i NoisyEnc i A - param, t, {c i } N i=1, sk 0 AggrDec r i Geom x i d i + r i c i g x i H t sk i Cancels out c agg c 1 c N c agg = g x 1 H t sk 1 g x N H t sk N c agg = g x 1+ +x N H t sk 1+ +sk N c agg H t sk 0 = g x 1+ +x N H t sk 1+ +sk N H t sk 0 = g x 1+ +x N = g x agg N {c i } i=1 x agg = DLog(g x agg ) 10 Research and Technology Center CR/RTC3-NA 02/19/2018 [1] E. Shi, T.-H. H. Chan, E. Rieffel, R. Chow, and D. Song. Privacy-Preserving Aggregation of Time-Series Data. NDSS 2011.

11 Private Stream Aggregation (PSA) Shi et al. [1] U i - param, t, sk i, d i r i Geom NoisyEnc i Solve discrete logarithm to x i d i + r i retrieve result x agg c i g x Strong i H t sk limitation on plaintext i size, e.g. efficient instantiation in [1] is for 1-bit plaintext N {c i } i=1 A - param, t, {c i } N i=1, sk 0 c agg c 1 c N c agg = g x 1 H t sk 1 g x N H t sk N c agg = g x 1+ +x N H t sk 1+ +sk N c agg H t sk 0 = g x 1+ +x N H t sk 1+ +sk N H t sk 0 = g x 1+ +x N = g x agg x agg = DLog(g x agg ) AggrDec 11 Research and Technology Center CR/RTC3-NA 02/19/2018 [1] E. Shi, T.-H. H. Chan, E. Rieffel, R. Chow, and D. Song. Privacy-Preserving Aggregation of Time-Series Data. NDSS 2011.

12 Lattice-based PSA (LaPS) Goals Overcome previous input limitation [1] of 1 bit for 1000 users Improve security guarantee Note: current schemes are breakable by quantum computers Imagine, each user can only send value 0 or 1. max. aggregation value 1000 Use LWE-based construction Contributions Resolve open problem from [1] Post-quantum security Encrypt values up to max. aggregation value 66 million 66 thousand times bigger values First implementation of PSA scheme: 150 times faster aggregation compared to [1] 12 Research and Technology Center Daniela Becker CR/RTC3.2-NA 02/19/2018 [1] E. Shi, T.-H. H. Chan, E. Rieffel, R. Chow, and D. Song. Privacy-Preserving Aggregation of Time-Series Data. NDSS 2011.

13 Learning With Errors (LWE) [2] A Z q λ κ s Z q κ b Z q λ A 11 A 12 A 13 A 1κ s 1 b 1 A 21 A 22 A 23 A 2κ s 2 b 2 A 31 A 32 A 33 A 3κ A 41 A 42 A 43 A 4κ s 3 = b 3 b 4 (mod q) s κ A λ1 A λ2 A λ3 A λκ b λ Given (A,b): find s 13 Research and Technology Center Daniela Becker CR/RTC3-NA 02/19/2018 [2] O. Regev. On lattices, learning with errors, random linear codes, and cryptography. STOC 2005.

Learning With Errors (LWE) [2] discrete Gaussian distribution coefficients secret error result λ κ κ A Z q s Z q e i Ψ λ b Z q A 11 A 12 A 13 A 1κ s 1 e 1 b 1 A 21 A 22 A 23 A 2κ s 2 e 2 b 2 A 31 A

14 Learning With Errors (LWE) [2] discrete Gaussian distribution coefficients secret error result λ κ κ A Z q s Z q e i Ψ λ b Z q A 11 A 12 A 13 A 1κ s 1 e 1 b 1 A 21 A 22 A 23 A 2κ s 2 e 2 b 2 A 31 A 32 A 33 A 3κ A 41 A 42 A 43 A 4κ s 3 s κ + e 3 e 4 = b 3 (mod q) b 4 A λ1 A λ2 A λ3 A λκ e λ b λ Given (A,b): find s as hard as worstcase lattice problems* post-quantum secure 14 Research and Technology Center Daniela Becker CR/RTC3-NA 02/19/2018 *) relevant parameters: (q, κ, Ψ) [2] O. Regev. On lattices, learning with errors, random linear codes, and cryptography. STOC 2005.

15 LWE [2] coefficients secret error result λ κ κ A Z LWE: e Ψ λ q s Z λ q b Z q A Z q λ κ s Zκ q + e Z q λ = b Z q λ 15 Research and Technology Center Daniela Becker CR/RTC3-NA 02/19/2018 [2] O. Regev. On lattices, learning with errors, random linear codes, and cryptography. STOC 2005.

16 Augmented LWE (A-LWE) [3] coefficients secret error result λ κ κ A Z q s Z q A-LWE: e D λ Λv G b Z q A Z q λ κ s Zκ q + e Z q λ = b Z q λ 16 Research and Technology Center Daniela Becker CR/RTC3-NA 02/19/2018 [3] R. El Bansarkhani, Ö. Dagdelen, J. Buchmann. Augmented Learning with Errors: The Untapped Potential of the Error Term. FC 2015.

17 Augmented LWE (A-LWE) Message Embedding [3] Straightforward encryption coefficients secret error result λ κ κ A Z q s Z q A-LWE: e D λ Λv G b Z q A Z q λ κ s Zκ q + e Z q λ = b Z q λ encode message m using some function f D Λv G defined by v and G m is embedded in e Compute v = f(m) Draw e D Λv G A-LWE: e D Λv G A-LWE: b looks like LWE-term but contains message m b = Enc(m) 17 Research and Technology Center Daniela Becker CR/RTC3-NA 02/19/2018 [3] R. El Bansarkhani, Ö. Dagdelen, J. Buchmann. Augmented Learning with Errors: The Untapped Potential of the Error Term. FC 2015.

18 Augmented LWE (A-LWE) Message Embedding [3] Decryption coefficients secret error result λ κ κ A Z q s Z q A-LWE: e D λ Λv G b Z q A Z q λ κ s Zκ q + e Z q λ = b Z q λ Compute e = b + ( s T A) Dec A,s (b) special property of D Λv G Compute v = G e mod q decode message Compute m = f 1 (v) 18 Research and Technology Center Daniela Becker CR/RTC3-NA 02/19/2018 [3] R. El Bansarkhani, Ö. Dagdelen, J. Buchmann. Augmented Learning with Errors: The Untapped Potential of the Error Term. FC 2015.

19 LaPS Overview d 1 U 1 NoisyEnc 1 s 1 c 1 = As 1 + e 1 Remember me? A-LWE! U 2 d 2 NoisyEnc 2 s 2 c 2 = As 2 + e 2 A AggrDec s 0 d 3 U 3 NoisyEnc 3 s 3 c 3 = As 3 + e 3 x i = x 1 + x 2 + x x N U N d N NoisyEnc N s N c N = As N + e N c i s cannot be decrypted by quantum adversary post-quantum security Output does not leak information about individual d i s nor x i s privacy 19 Research and Technology Center Daniela Becker CR/RTC3.2-NA 02/19/2018

20 LaPS Let s take a closer look U i - param, A, G, pk, s i, d i NoisyEnc i A - param, A, G, {c i } N i=1, sk, s 0 AggrDec x i d i + η i c agg c c N c agg = A N i=1 s i + e i v i = AHOM. Enc(pk, x i ) c agg + As 0 e i Sample e i D Λvi (G) c i As i + e i G e i v i v i = N i=1 AHOM. Enc pk, x i = AHOM. Enc(pk, x i ) x agg = AHOM. Dec(sk, v i ) N {c i } i=1 20 Research and Technology Center Daniela Becker CR/RTC3.2-NA 02/19/2018

21 LaPS: Correctness AggrDec Double Unwrapping U i - param, A, G, pk, s i, d i NoisyEnc i A - param, A, G, {c i } N i=1, sk, s 0 AggrDec x i d i + η i Unwrap first layer, since N i=1 s i = s 0 v i = AHOM. Enc(pk, x i ) c agg c c N c agg = A N i=1 s i + e i c agg + As 0 e i Sample e i D Λvi (G) c i As i + e i G e i v i v i = N i=1 AHOM. Enc pk, x i = AHOM. Enc(pk, x i ) x agg = AHOM. Dec(sk, v i ) N {c i } i=1 21 Research and Technology Center Daniela Becker CR/RTC3.2-NA 02/19/2018

22 LaPS: Correctness AggrDec Double Unwrapping U i - param, A, G, pk, s i, d i NoisyEnc i A - param, A, G, {c i } N i=1, sk, s 0 AggrDec x i d i + η i c agg c c N c agg = A N i=1 s i + e i 22 inner ciphertexts v i are v i = AHOM. Enc(pk, additively x i ) homomorphic AHOM. Dec N i=1 v i Sample e i D Λvi (G) = N AHOM. Dec(v i ) c i As i + e i Research and Technology Center Daniela Becker CR/RTC3.2-NA 02/19/2018 i=1 N {c i } i=1 c agg + As 0 e i G e i v i v i = N i=1 AHOM. Enc pk, x i = AHOM. Enc(pk, x i ) x agg = AHOM. Dec(sk, v i )

23 LaPS: Correctness AggrDec Double Unwrapping U i - param, A, G, pk, s i, d i NoisyEnc i A - param, A, G, {c i } N i=1, sk, s 0 AggrDec x i d i + η i c agg c c N c agg = A N i=1 s i + e i v i = AHOM. Enc(pk, x i ) c agg + As 0 e i 23 Sample e i D Λvi (G) c i As i + eunwrap i second layer using sk Research and Technology Center Daniela Becker CR/RTC3.2-NA 02/19/2018 N {c i } i=1 G e i v i v i = N i=1 AHOM. Enc pk, x i = AHOM. Enc(pk, x i ) x agg = AHOM. Dec(sk, v i )

24 LaPS: Correctness AggrDec Double Unwrapping Correctness: As long as AHOM. Dec N i=1 v i = N i=1 x i and since G e i mod q = v i, where e i D Λvi G, the aggregator indeed outputs the noisy sum aggregate of the users' values. We require AHOM to be additively homomorphic - therefore the sum of the homomorphic ciphertexts N i=1 v i corresponds to an encryption of the sum of the underlying plaintexts i=1 N x i. A - param, A, G, {c i } N i=1, sk, s 0 c agg c c N c agg = A N i=1 s i + e i c agg + As 0 e i G e i v i v i = N i=1 AHOM. Enc pk, x i = AHOM. Enc(pk, x i ) x agg = AHOM. Dec(sk, v i ) AggrDec 24 Research and Technology Center Daniela Becker CR/RTC3.2-NA 02/19/2018

25 LaPS: Security Guarantees NoisyEnc i Let s take a closer look For security we want: Break NoisyEnc i break w-c lattice problem U i - param, A, G, pk, s i, d i x i d i + η i NoisyEnc i Encrypt x i using AHOM v i pseudo-random ciphertext v i = AHOM. Enc(pk, x i ) v i c uniform Sample e i D Λvi (G) D Λvi (G) c discrete Gaussian Ψ c i As i + e i A-LWE c (LWE w-c lattices) 25 Research and Technology Center Daniela Becker CR/RTC3-NA 02/19/2018

26 LaPS: Security Guarantees NoisyEnc i Let s take a closer look For security we want: Break NoisyEnc i break w-c lattice problem U i - param, A, G, pk, s i, d i x i d i + η i v i = AHOM. Enc(pk, x i ) Sample e i D Λvi (G) c i As i + e i NoisyEnc i Theorem 1 (Semantic Security): Let the output of AHOM. Enc be indistinguishable from random [ ]. Then, the ciphertexts generated by NoisyEnc in are semantically secure assuming the hardness of worst case lattice problems. Theorem 2 (Aggregator Obliviousness Security): Let the output of AHOM. Enc be indistinguishable from random [ ]. LaPS satisfies aggregator oblivious security assuming the hardness of worst case lattice problems. 26 Research and Technology Center Daniela Becker CR/RTC3-NA 02/19/2018

27 LaPS Instantiation Experimental Results Instantiation using M χ discrete Laplace mechanism and AHOM reduced* BGV encryption scheme BEFORE [1] AFTER (this work)** NoisyEnc i AggrDec p {0,1}: 0.6 ms p 5: p 37: p 65537: p {0,1}: 300 ms p 5: p 37: p 65537: 3.58 ms 3.62 ms 3.73 ms 1.87 ms 1.88 ms 1.96 ms *) Original BGV Scheme [4], adapted from [5] and reduced to homomorphic addition (, i.e. no multiplication) **) Runtime results [ms] for LaPS instance for 1000 users, 80-bit security MacBook, macos Sierra, single 2.5 GHz Intel Core i7 and 16GB memory; averaged over 1000 runs [4] Z. Brakerski and V. Vaikuntanathan, Efficient Fully Homomorphic Encryption from (Standard) LWE. ECCC Research and Technology Center Daniela Becker CR/RTC3.2-NA 02/19/2018 [5] I. Damgard, M. Keller, E. Larraia, V. Pastro, P. Scholl, and N. P. Smart. Practical Covertly Secure MPC for Dishonest Majority or: Breaking the SPDZ Limits. ESORICS 2013.

28 Summary Lattice-based Private Stream Aggregation Plug-and-play deployment of additively homomorphic encryption Strong security & privacy guarantees (Augmented) LWE-assumption provides postquantum security Formal Differential Privacy analysis Significant efficiency improvements compared to previous work 150 times faster decryption times larger plaintext space 28 Research and Technology Center Daniela Becker CR/RTC3-NA 02/19/2018

29 Summary Outlook Lattice-based Private Stream Aggregation Dynamic joins and leaves / user failures Strong security & privacy guarantees Enhance scheme to aggregator unforgeability / public verifiability of aggregate result E.g. by combining with Homomorphic Aggregate Signature scheme (HAS) [6] Significant efficiency improvements compared to previous work 29 Research and Technology Center Daniela Becker CR/RTC3-NA 02/19/2018 [6] Z. Jing. A homomorphic aggregate signature scheme based on lattice. MPE 2014.

30 THANK YOU QUESTIONS?

Outline Proxy Re-Encryption NTRU NTRUReEncrypt PS-NTRUReEncrypt Experimental results Conclusions. NTRUReEncrypt

Outline Proxy Re-Encryption NTRU NTRUReEncrypt PS-NTRUReEncrypt Experimental results Conclusions. NTRUReEncrypt NTRUReEncrypt An Efficient Proxy Re-Encryption Scheme based on NTRU David Nuñez, Isaac Agudo, and Javier Lopez Network, Information and Computer Security Laboratory (NICS Lab) Universidad de Málaga, Spain