An Efficient and Secure Protocol for Privacy Preserving Set Intersection

Transcription

1 An Efficient and Secure Protocol for Privacy Preserving Set Intersection PhD Candidate: Yingpeng Sang Advisor: Associate Professor Yasuo Tan School of Information Science Japan Advanced Institute of Science and Technology JAIST COE Symposium / 23

2 Overview JAIST COE Symposium / 23

3 Privacy Preserving Computations Two Models of Adversarial Parties JAIST COE Symposium / 23

4 Privacy Preserving Computations Privacy Preserving Computations Two Models of Adversarial Parties Inputs: (x 1,x 2,...,x N ) held by distributed parties (P 1,P 2,...,P N ) respectively. Outputs: some function f(x 1,x 2,...,x N ), e.g., intersection, maximum, minimum, etc. Privacy Requirement: P i (i = 1,...,N) knows nothing about x i (i i), except the information I(x i,f). Difficulties: Some parties may have adversarial behaviors; There may be no party that can be trusted by all the other parties. JAIST COE Symposium / 23

5 Two Models of Adversarial Parties Privacy Preserving Computations Two Models of Adversarial Parties Assumption: only one adversary, who controls arbitrary number of parties. : the adversary follows the protocol properly, but may analyze its intermediate computations. : the adversary arbitrarily deviates from the protocol, i.e., refusing to participate in the protocol when the protocol is first invoked; arbitrarily substituting its original local input and entering the protocol with an input other than the one provided to them; aborting the protocol whenever obtaining the desired result. JAIST COE Symposium / 23

6 JAIST COE Symposium / 23

7 Government: A = {No flight Name List} Airline Company: B = {Customer N ame List} Preventing Terrorism: A B Government s Privacy: A Air Flight Company Company s Privacy: B Government JAIST COE Symposium / 23

8 Intersection (PPSI): For Semi-honest Model Inputs: N (N 2) parties. Each party P i (i = 1,...,N) has a set (or multiset) T i : T i = {T(i,j) j = 1,...,S}. Outputs: Each party P i learns TI = T 1... T N, without knowing the elements in T i (i i) except TI. Π is a secure PPSI protocol in the semi-honest model, if {S(I, (T i1,..., T ic ), f I (T))} c {V IEW Π I (T)} in which, S: a PPT algorithm; I = {i 1,..., i c }: the index set of adversarial parties; f: the intersection function; (T): the view of adversarial parties during Π; V IEW Π I JAIST COE Symposium / 23

9 (contd.) PPSI: For Inputs: N (N 2) parties. P i (i = 1,...,N) has a set (or multiset) T i. Outputs: Each party P i learns TI = T 1... T N, without knowing the elements in T i (i i) except TI. Π is a secure PPSI protocol in the malicious model, if {IDEAL f,i,b (T)} c {REAL Π,I,A (T)}. in which, A: PPT algorithm of the adversary in Π; B: PPT algorithm of the adversary in the ideal model, where there is an available trusted party; REAL Π,I,A (T): Output of A in Π; IDEAL f,i,b (T): Output of B in the ideal execution. JAIST COE Symposium / 23

10 1) L. Kissner and D. Song, Privacy-Preserving Set Operations, in Advances in Cryptology - CRYPTO f i = (x T(i, 1)) (x T(i, S)), F = N i=1 f i N k=1 r i,k. Security: semi-honest and malicious models. 2) M. Freedman, K. Nissim and B. Pinkas, Efficient Private Matching and Set Intersection, in Proc. of Eurocrypt 04. P N evaluates its elements T(N, j) on f i (i = 1,..., N 1). Security: semi-honest model Our aims: less costs while keeping the same security. JAIST COE Symposium / 23

11 Threshold version of additive homomorphic encryption: Paillier s scheme. Calculations on encrypted polynomials: For f(x) = m i=0 a ix i, E(f(x)) = {E(a i ) i = 0,...,m}; The evaluation E(f(x)) for x = v; The scalar product E(cf(x)), given c; The sum E(f(x) + g(x)), given E(f(x)) and E(g(x)); The polynomials multiplication E(f(x) g(x)), given f(x) and E(g(x)). JAIST COE Symposium / 23

12 1) Constructing the Polynomial Vector F 1.1) P i computes f i = (x T(i, 1)) (x T(i,S)) mod N to represent its set T i. 1.2) P i computes E(f i N j=1 r i,j), in which r i,j is generated by P j, r i,j = a i,j x + b i,j, a i,j,b i,j R Z N. 1.3) The N parties get: E(F) = ( E(f 1 N r 1,j ),...,E(f N j=1 N r N,j ) ) j=1 JAIST COE Symposium / 23

13 (contd.) 2) Multiplication with Nonsingular Matrices 2.1) P i generates a random and nonsingular matrix R i ; 2.2) P i computes E(FR 1 R i ); 2.3) The N parties get E(G) = E(FR 1 R N ) = E(FR) and decrypt it: g 1 = f 1... g N = f 1 N r 1,j R f N j=1 N r 1,j R 1N f N j=1 N r N,j R N1 j=1 N r N,j R NN j=1 in which R uv is the (u, v) entry of R (1 u, v N). 2.4) P i evaluates (g 1,..., g N ) at the element T(i, j). JAIST COE Symposium / 23

14 (contd.) Correctness Lemma: If for k = 1,...,N, g k (T(i,j)) = 0, then T(i,j) TI with an overwhelming probability (> ). Proof Sketch: R is nonsingular, If G(T(i, j)) = F(T(i, j)) R = (0, 0,..., 0), then F(T(i, j)) = (0, 0,..., 0). JAIST COE Symposium / 23

15 (contd.) Security: Semi-honest attacks: analyze the coefficients in G, and infer the roots of f i from P i (i I, I is the index set of honest parties). Lemma 1 In PPSI Protocol, any P i in the coalition of c (1 c N 1) semi-honest parties (P I ) can know no more elements than TI in any T i for i I. Theorem 1 Protocol 1 is a secure protocol Π, which privately solves the PPSI problem with respect to the semi-honest behaviors of arbitrary number of parties. JAIST COE Symposium / 23

16 Main Ideas We assume the adversary controls arbitrary number of parties. Protocol 2 for the malicious model is based on Protocol 1 for the semi-honest model. Blocks are added to prevent malicious behaviors: Attack 1): sending to others an arbitrarily encrypted polynomial without knowing its coefficients. Solution: P i should prove that: 1.1) knowing the plaintexts of E(f), PK{f : E(f)}. 1.2) correct polynomials multiplication, PK{r : M = E(f r) E(f) E(r)} JAIST COE Symposium / 23

17 (contd.) Attack 2): encrypting a polynomial whose coefficients are all zeros. Solution: The honest parties can reset the leading coefficient of polynomials received from others to be E(1). Attack 3): generating a singular matrix R i, then the protocol won t be correct. Solution: P i should prove that R i it generates is nonsingular: PK{R i : D = E(det(R i )) D = E(0) R = E(R i )}. det(r i ) is the determinant of R i. JAIST COE Symposium / 23

18 (contd.) Attack 4): doing multiplication with a matrix R i other than the committed matrix R i. Solution: Each party should prove that he does correct matrix multiplication with the matrix R i it has committed: PK{R : G = E(FR) F = E(F) R = E(R)}. F = (f 1,..., f N ), R is an N N matrix, and E(R) are the encrypted entries of R. JAIST COE Symposium / 23

19 Table 1: Comparisons of solutions for PPSI in the semi-honest model Ours Kissner s Freedman s A quantitative analysis: Computation Cost Communication Cost Security Model 2(c(S + 2)(N 1) 2)lgN +c(s + 2)(N + 3) 2cN(4S + 5)lgN Semi-honest 2(c(S + 1) 2 + 5S + 3)lgN +c(s 2 + 4S + 2) 2cN(5S + 2)lgN Semi-honest ((S + 1)(S + 2) + 3S(N 1) 1)2lgN +S(S + 1) 10S(N 1) 2 lgn Semi-honest S = 20, N = 5, c = 3, lgn = Our protocol saves about 81% and 63% computation costs, 17% and 20% communication costs in comparison with Kissner s and Freedman s solutions. JAIST COE Symposium / 23

20 (contd.) Table 2: Comparisons of solutions for PPSI in the malicious model Computation Cost Communication Cost Security Model Ours O(cSN lgn) O(cSN lgn) Malicious Kissner s O(cS 2 lgn) O(cSNlgN) Malicious In practical applications: S (the size of a set ) N (the number of parties ); Our Protocol can be faster than Kissner s solution. JAIST COE Symposium / 23

21 Future Work JAIST COE Symposium / 23

22 We propose: PPSI protocols in the semi-honest and malicious models which cost less computation time and bandwidth in practical applications than previous results. : Doing comparisons between data disguising techniques and cryptographic techniques. Proposing secure and efficient solutions for some basic computation problems. Proposing secure solutions for some large-scale data mining tasks. JAIST COE Symposium / 23

23 The End Thank You Very Much! JAIST COE Symposium / 23