Private Comparison. Chloé Hébant 1, Cedric Lefebvre 2, Étienne Louboutin3, Elie Noumon Allini 4, Ida Tucker 5

Size: px

Start display at page:

Download "Private Comparison. Chloé Hébant 1, Cedric Lefebvre 2, Étienne Louboutin3, Elie Noumon Allini 4, Ida Tucker 5"

Helena Berry
5 years ago
Views:

Private Comparison Chloé Hébant 1, Cedric Lefebvre 2, Étienne Louboutin3, Elie Noumon Allini 4, Ida Tucker 5 1 École Normale Supérieure, CNRS, PSL University 2 IRIT 3 Chair of Naval Cyber Defense,

1 Private Comparison Chloé Hébant 1, Cedric Lefebvre 2, Étienne Louboutin3, Elie Noumon Allini 4, Ida Tucker 5 1 École Normale Supérieure, CNRS, PSL University 2 IRIT 3 Chair of Naval Cyber Defense, IMT Atlantique, IRISA, UBL, Brest, France 4 Univ Jean Monnet, Lab. Hubert Curien, Saint-Étienne, France 5 Univ Lyon, CNRS, ENS de Lyon, INRIA, LIP Lyon, France Rencontres Entreprises DOCtorants Sécurité 2018

2 Scenario C. Hébant, C. Lefebvre, É. Louboutin, E. Noumon Allini, I. Tucker Private Comparison REDOCS / 30

3 Scenario C. Hébant, C. Lefebvre, É. Louboutin, E. Noumon Allini, I. Tucker Private Comparison REDOCS / 30

4 Scenario Time Amount Location... FRAUD? C. Hébant, C. Lefebvre, É. Louboutin, E. Noumon Allini, I. Tucker Private Comparison REDOCS / 30

5 Scenario Time Amount Location... FRAUD? Goal: Detect FRAUD in < 200ms C. Hébant, C. Lefebvre, É. Louboutin, E. Noumon Allini, I. Tucker Private Comparison REDOCS / 30

6 Scheme Client Private input: x 1,..., x n Server Private inputs: Indv. thresholds: t 1,..., t n Weights: α 1,..., α n Total threshold: T C. Hébant, C. Lefebvre, É. Louboutin, E. Noumon Allini, I. Tucker Private Comparison REDOCS / 30

7 Scheme Client Private input: x 1,..., x n Server Private inputs: Indv. thresholds: t 1,..., t n Weights: α 1,..., α n Total threshold: T Interactive Protocol C. Hébant, C. Lefebvre, É. Louboutin, E. Noumon Allini, I. Tucker Private Comparison REDOCS / 30

8 Scheme Client Private input: x 1,..., x n Server Private inputs: Indv. thresholds: t 1,..., t n Weights: α 1,..., α n Total threshold: T Interactive Protocol Output: [ n i=1 α i[x i > t i ] > T ] [x > t] = 1 if x > t and 0 otherwise C. Hébant, C. Lefebvre, É. Louboutin, E. Noumon Allini, I. Tucker Private Comparison REDOCS / 30

9 Scheme Client Private input: x 1,..., x n Server Private inputs: Indv. thresholds: t 1,..., t n Weights: α 1,..., α n Total threshold: T Interactive Protocol Output: [ n i=1 α i[x i > t i ] > T ] [x > t] = 1 if x > t and 0 otherwise Server only learns if a fraud occurred Client learns nothing C. Hébant, C. Lefebvre, É. Louboutin, E. Noumon Allini, I. Tucker Private Comparison REDOCS / 30

10 Security Model Sec. w.r.t. Server Server does not learn: individual comparisons individual x i s sum of weighed comparisons Sec. w.r.t. Client Client does not learn: weights α i individual thresholds t i total threshold T C. Hébant, C. Lefebvre, É. Louboutin, E. Noumon Allini, I. Tucker Private Comparison REDOCS / 30

11 Assumption on Client Client is honest but curious: Follows the protocol honestly Tries to learn more than his inputs Secure against honest but curious: Learns nothing beyond his inputs C. Hébant, C. Lefebvre, É. Louboutin, E. Noumon Allini, I. Tucker Private Comparison REDOCS / 30

12 Outline 1 Unsuccessful Ideas 2 Retained Solutions Koda Tricks Kenaï Results 3 Limitations 4 Conclusion C. Hébant, C. Lefebvre, É. Louboutin, E. Noumon Allini, I. Tucker Private Comparison REDOCS / 30

13 Unsuccessful Ideas

14 Garbled Circuits Idea: large garbled circuit containing sub circuits for individual comparisons. C. Hébant, C. Lefebvre, É. Louboutin, E. Noumon Allini, I. Tucker Private Comparison REDOCS / 30

15 Garbled Circuits Idea: large garbled circuit containing sub circuits for individual comparisons. + Secure equality test or comparison + Communication-efficient Too slow! C. Hébant, C. Lefebvre, É. Louboutin, E. Noumon Allini, I. Tucker Private Comparison REDOCS / 30

16 Fully Homomorphic Encryption Properties Absorption : E(x) α = E(x α) Addition : E(x) + E(y) = E(x + y) Multiplication : E(x) E(y) = E(x y) Security Indistinguishable ciphertexts C. Hébant, C. Lefebvre, É. Louboutin, E. Noumon Allini, I. Tucker Private Comparison REDOCS / 30

17 PIR : Private Information Retrieval PIR(x, D) The client sends Q = (E(q 0 ),..., E(q l )) q x = 1, q k x = 0 The server computes the PIR with D = (d 0,..., d l ) C. Hébant, C. Lefebvre, É. Louboutin, E. Noumon Allini, I. Tucker Private Comparison REDOCS / 30

18 PIR : Private Information Retrieval d 1 E(0) = E(0) d 2 E(0) = E(0) d 3 E(1) = E(d 3 ) d 4 E(0) = E(0) d 5 E(0) = E(0) d 6 E(0) = E(0) E( d ) + + C. Hébant, C. Lefebvre, É. Louboutin, E. Noumon Allini, I. Tucker Private Comparison REDOCS / 30

19 Three-party Solution x i E pk (x i ) t i, α i T BP sk, pk C. Hébant, C. Lefebvre, É. Louboutin, E. Noumon Allini, I. Tucker Private Comparison REDOCS / 30

20 Three-party Solution x i E pk (x i ) n PIR(x i, b i ) t i, α i T b i = ( ) { b j 0 if j < i = ti 1 j 2 x i α i otherwise BP sk, pk C. Hébant, C. Lefebvre, É. Louboutin, E. Noumon Allini, I. Tucker Private Comparison REDOCS / 30

21 Three-party Solution x i E pk (x i ) n PIR(x i, b i ) C := E pk ( n i=1 t i, α i T ) α i [x i > t i ] T b i = ( ) { b j 0 if j < i = ti 1 j 2 x i α i otherwise BP sk, pk C. Hébant, C. Lefebvre, É. Louboutin, E. Noumon Allini, I. Tucker Private Comparison REDOCS / 30

22 Three-party Solution x i E pk (x i ) n PIR(x i, b i ) C := E pk ( n i=1 t i, α i T ) α i [x i > t i ] T b i = ( ) { b j 0 if j < i = ti 1 j 2 x i α i otherwise BP D sk (C) sk, pk C. Hébant, C. Lefebvre, É. Louboutin, E. Noumon Allini, I. Tucker Private Comparison REDOCS / 30

23 Three-party Solution x i E pk (x i ) n PIR(x i, b i ) C := E pk ( n i=1 t i, α i T ) α i [x i > t i ] T b i = ( ) { b j 0 if j < i = ti 1 j 2 x i α i otherwise BP D sk (C) sk, pk C. Hébant, C. Lefebvre, É. Louboutin, E. Noumon Allini, I. Tucker Private Comparison REDOCS / 30

24 Retained Solutions

25 Security with Respect to the Server Adv. Server ( t, α, T ) ( t, α, T ) DetectFraud Challenger (t 1,..., t n ); (α 1,..., α n ); T x = (x 1,..., x n ) $ D C. Hébant, C. Lefebvre, É. Louboutin, E. Noumon Allini, I. Tucker Private Comparison REDOCS / 30

26 Security with Respect to the Server Adv. Server ( t, α, T ) ( t, α, T ) DetectFraud Challenger (t 1,..., t n ); (α 1,..., α n ); T x = (x 1,..., x n ) $ D x = (x 1,..., x n) x x = x? 1 i n, [x i > t i ] = [x i > t i ]? n i=1 α i[x i > t i ] = n i=1 α i[x i > t i ]? C. Hébant, C. Lefebvre, É. Louboutin, E. Noumon Allini, I. Tucker Private Comparison REDOCS / 30

27 Security with Respect to the Client Adv. Client ( t 0, α 0, T 0 ), ( t 1, α 1, T 1 ) Challenger C. Hébant, C. Lefebvre, É. Louboutin, E. Noumon Allini, I. Tucker Private Comparison REDOCS / 30

28 Security with Respect to the Client Adv. Client ( t 0, α 0, T 0 ), ( t 1, α 1, T 1 ) Challenger b $ {0, 1} C. Hébant, C. Lefebvre, É. Louboutin, E. Noumon Allini, I. Tucker Private Comparison REDOCS / 30

29 Security with Respect to the Client Adv. Client ( t 0, α 0, T 0 ), ( t 1, α 1, T 1 ) DetectFraud x = (x 1,..., x n ) Challenger b $ {0, 1} ( t b, α b, T b ) C. Hébant, C. Lefebvre, É. Louboutin, E. Noumon Allini, I. Tucker Private Comparison REDOCS / 30

30 Security with Respect to the Client Adv. Client ( t 0, α 0, T 0 ), ( t 1, α 1, T 1 ) DetectFraud x = (x 1,..., x n ) Challenger b $ {0, 1} ( t b, α b, T b ) b b = b? C. Hébant, C. Lefebvre, É. Louboutin, E. Noumon Allini, I. Tucker Private Comparison REDOCS / 30

31 Somewhat Homomorphic Encryption Ring Learning With Error Noise hides secret Noise growth : Addition =, Absorption +, Multiplication ++ Example Secret : p, large random : q, small random r Encrypt binary m : c = q p + 2 r + m Decrypt : m = (c mod p) mod 2 C. Hébant, C. Lefebvre, É. Louboutin, E. Noumon Allini, I. Tucker Private Comparison REDOCS / 30

32 Example If r > p decryption fails Addition : c 1 + c 2 = p (q 1 + q 2 ) + 2 (r 1 + r 2 ) + m 1 + m 2 Multiplication : c 1 c 2 = p (c 2 q 1 + c 1 q 2 q 1 q 2 ) + 2 (2r 1 r 2 + m 1 r 2 + m 2 r 1 ) + m 1 m 2. Hébant, C. Lefebvre, É. Louboutin, E. Noumon Allini, I. Tucker Private Comparison REDOCS / 30

33 Parameters Parameters Plaintext Modulus : p Ciphertext Modulus : q Ring : Z p [X ]/(X n + 1) Link Security : + when n+, when q+ Batching : m 2 X 2 + m 1 X 1 + m 0 p prime, p = 1 mod (2n) C. Hébant, C. Lefebvre, É. Louboutin, E. Noumon Allini, I. Tucker Private Comparison REDOCS / 30

34 Koda Client x 1,..., x n Server pk, sk t 1,..., t n,α 1,..., α n,t C. Hébant, C. Lefebvre, É. Louboutin, E. Noumon Allini, I. Tucker Private Comparison REDOCS / 30

35 Koda Client x 1,..., x n Server pk, sk t 1,..., t n,α 1,..., α n,t E pk (0) E pk (0) E pk (α i ) t i, i {1,, n} E pk (α i ) C T := E pk (T ) C. Hébant, C. Lefebvre, É. Louboutin, E. Noumon Allini, I. Tucker Private Comparison REDOCS / 30

36 Koda Client x 1,..., x n Server pk, sk t 1,..., t n,α 1,..., α n,t E pk (0) E pk (0) E pk (α i ) t i, i {1,, n} E pk (α i ) C T := E pk (T ) C. Hébant, C. Lefebvre, É. Louboutin, E. Noumon Allini, I. Tucker Private Comparison REDOCS / 30

37 Koda r > 0, Client x 1,..., x n For all i, select the x i th C i := E pk (α i [x i > t i ]) C = ( n i=1 C i C T ) r Server pk, sk t 1,..., t n,α 1,..., α n,t E pk (0) E pk (0) E pk (α i ) t i, i {1,, n} E pk (α i ) C T := E pk (T ) C. Hébant, C. Lefebvre, É. Louboutin, E. Noumon Allini, I. Tucker Private Comparison REDOCS / 30

38 Koda r > 0, Client x 1,..., x n For all i, select the x i th C i := E pk (α i [x i > t i ]) C = ( n i=1 C i C T ) r Server pk, sk t 1,..., t n,α 1,..., α n,t E pk (0) E pk (0) E pk (α i ) t i, i {1,, n} E pk (α i ) C T := E pk (T ) D sk ( C ) C. Hébant, C. Lefebvre, É. Louboutin, E. Noumon Allini, I. Tucker Private Comparison REDOCS / 30

39 Koda r > 0, Client x 1,..., x n For all i, select the x i th C i := E pk (α i [x i > t i ]) C = ( n i=1 C i C T ) r Server pk, sk t 1,..., t n,α 1,..., α n,t E pk (0) E pk (0) E pk (α i ) t i, i {1,, n} E pk (α i ) C T := E pk (T ) D sk ( C ) C = E pk ([ n i=1 α i[x i > t i ] > T ] r) C. Hébant, C. Lefebvre, É. Louboutin, E. Noumon Allini, I. Tucker Private Comparison REDOCS / 30

40 Tricks with this solution Easy to make ANDs of Comparison For one x i, multiple α i. Hébant, C. Lefebvre, É. Louboutin, E. Noumon Allini, I. Tucker Private Comparison REDOCS / 30

41 Kenaï Client x i Server t i, α i, T pk, sk C. Hébant, C. Lefebvre, É. Louboutin, E. Noumon Allini, I. Tucker Private Comparison REDOCS / 30

42 Kenaï Client x i E pk (t i ) Server t i, α i, T pk, sk C. Hébant, C. Lefebvre, É. Louboutin, E. Noumon Allini, I. Tucker Private Comparison REDOCS / 30

43 Kenaï Client x i E pk (t i ) b i $ { 1, 1} R i, r i random R i > r i > 0 c i = R i b i (E pk (t i ) E pk (x i )) E pk (r i ) c i = E pk (R i b i (t i x i ) r i ) Server t i, α i, T pk, sk C. Hébant, C. Lefebvre, É. Louboutin, E. Noumon Allini, I. Tucker Private Comparison REDOCS / 30

44 Kenaï Client x i E pk (t i ) b i $ { 1, 1} R i, r i random R i > r i > 0 c i = R i b i (E pk (t i ) E pk (x i )) E pk (r i ) c i = E pk (R i b i (t i x i ) r i ) ci Server t i, α i, T pk, sk C. Hébant, C. Lefebvre, É. Louboutin, E. Noumon Allini, I. Tucker Private Comparison REDOCS / 30

45 Kenaï Client Server pk, sk E pk (t i ) x i t i, α i, T $ b i { 1, 1} R i, r i random R i > r i > 0 c i = R i b i (E pk (t i ) E pk (x i )) E pk (r i ) c i = E pk (R i b i (t i x i ) r i ) ci di = D sk (c i ) ɛ i = α i, if d i > 0 ɛ i = α i, if d i < 0 C. Hébant, C. Lefebvre, É. Louboutin, E. Noumon Allini, I. Tucker Private Comparison REDOCS / 30

46 Kenaï Client x i E pk (t i ) Server t i, α i, T b i $ { 1, 1} R i, r i random R i > r i > 0 c i = R i b i (E pk (t i ) E pk (x i )) E pk (r i ) c i = E pk (R i b i (t i x i ) r i ) ci di = D sk (c i ) E pk (ɛ i ), E pk (α i ) pk, sk ɛ i = α i, if d i > 0 ɛ i = α i, if d i < 0 C. Hébant, C. Lefebvre, É. Louboutin, E. Noumon Allini, I. Tucker Private Comparison REDOCS / 30

47 Kenaï Client x i E pk (t i ) Server t i, α i, T b i $ { 1, 1} R i, r i random R i > r i > 0 c i = R i b i (E pk (t i ) E pk (x i )) E pk (r i ) c i = E pk (R i b i (t i x i ) r i ) ci di = D sk (c i ) b i E pk (ɛ i ) = ±E pk (α i ) E pk (ɛ i ), E pk (α i ) a i = b i E pk (ɛ i ) + E pk (α i ) {E pk (0), E pk (2α i )} U = n a i = E pk (2S) pk, sk ɛ i = α i, if d i > 0 ɛ i = α i, if d i < 0 S = n α i [x i > t i ] i=1 i=1 C. Hébant, C. Lefebvre, É. Louboutin, E. Noumon Allini, I. Tucker Private Comparison REDOCS / 30

48 Kenaï Client x i E pk (t i ) Server t i, α i, T b i $ { 1, 1} R i, r i random R i > r i > 0 c i = R i b i (E pk (t i ) E pk (x i )) E pk (r i ) c i = E pk (R i b i (t i x i ) r i ) ci di = D sk (c i ) b i E pk (ɛ i ) = ±E pk (α i ) E pk (ɛ i ), E pk (α i ) a i = b i E pk (ɛ i ) + E pk (α i ) {E pk (0), E pk (2α i )} U = n a i = E pk (2S) pk, sk ɛ i = α i, if d i > 0 ɛ i = α i, if d i < 0 S = n α i [x i > t i ] i=1 i=1 C. Hébant, C. Lefebvre, É. Louboutin, E. Noumon Allini, I. Tucker Private Comparison REDOCS / 30

49 Implementation Software requirements SEAL 3.0 C++ Encryption parameters Encryption scheme: FV-RNS variant (BFV) Security: 128 bits Benchmark platform Intel R Core TM i7-6500u 2.50GHz C. Hébant, C. Lefebvre, É. Louboutin, E. Noumon Allini, I. Tucker Private Comparison REDOCS / 30

50 Koda & Kenaï: Time (ms) 1,500 1, ,000 1,500 2,000 n Koda 8 & 16 bits: n 1050 Koda 24 & 32: n 250 Kenaï 24 bits: n 65 Koda 8 bits Koda 16 bits Koda 24 bits Koda 32 bits Kenaï 24 bits Maximum computation time C. Hébant, C. Lefebvre, É. Louboutin, E. Noumon Allini, I. Tucker Private Comparison REDOCS / 30

51 Simulated network cost Data on the network (kb) Koda 8 bits Koda 16 bits Koda 24 bits Koda 32 bits Kenaï 24 bits ,000 1,500 2,000 n C. Hébant, C. Lefebvre, É. Louboutin, E. Noumon Allini, I. Tucker Private Comparison REDOCS / 30

52 Recap Koda Kenaï word size (bits) n max n max (MB) C. Hébant, C. Lefebvre, É. Louboutin, E. Noumon Allini, I. Tucker Private Comparison REDOCS / 30

53 Limitations

54 Evaluating our Solution Pros: Client: little memory Server: fast Cons: Malicious Client can cheat Information leak on Client inputs (one time security) Client side computations expensive for payment terminal C. Hébant, C. Lefebvre, É. Louboutin, E. Noumon Allini, I. Tucker Private Comparison REDOCS / 30

55 Conclusion

56 Conclusion Results Koda and Kenaï allow a lot of comparisons Perspective Improve the network costs Resist against a malicious client C. Hébant, C. Lefebvre, É. Louboutin, E. Noumon Allini, I. Tucker Private Comparison REDOCS / 30

57 Thank You Questions?. Hébant, C. Lefebvre, É. Louboutin, E. Noumon Allini, I. Tucker Private Comparison REDOCS / 30

Are you the one to share? Secret Transfer with Access Structure

Are you the one to share? Secret Transfer with Access Structure Yongjun Zhao, Sherman S.M. Chow Department of Information Engineering The Chinese University of Hong Kong, Hong Kong Private Set Intersection