Benny Pinkas Bar Ilan University

Similar documents
Keyword Search and Oblivious Pseudo-Random Functions

Distributed Oblivious RAM for Secure Two-Party Computation

Benny Pinkas. Winter School on Secure Computation and Efficiency Bar-Ilan University, Israel 30/1/2011-1/2/2011

Efficient Set Intersection with Simulation-Based Security

Cut-and-Choose Yao-Based Secure Computation in the Online/Offline and Batch Settings

Multiparty Computation

1 Secure two-party computation

Lecture 38: Secure Multi-party Computation MPC

Introduction to Modern Cryptography Lecture 11

Privacy Preserving Set Intersection Protocol Secure Against Malicious Behaviors

Introduction to Cryptography Lecture 13

Efficient Private Matching and Set Intersection

Secure Computation. Unconditionally Secure Multi- Party Computation

Question: Total Points: Score:

Lectures 1&2: Introduction to Secure Computation, Yao s and GMW Protocols

1 Number Theory Basics

Secure Multi-Party Computation

Oblivious Transfer and Secure Multi-Party Computation With Malicious Parties

Question 1. The Chinese University of Hong Kong, Spring 2018

An Efficient and Secure Protocol for Privacy Preserving Set Intersection

Evaluating 2-DNF Formulas on Ciphertexts

Efficient Secure Auction Protocols Based on the Boneh-Goh-Nissim Encryption

Computing on Encrypted Data

Oblivious Evaluation of Multivariate Polynomials. and Applications

Introduction to Cryptography. Lecture 8

Single Database Private Information Retrieval with Logarithmic Communication

Yuval Ishai Technion

An Efficient and Secure Protocol for Privacy Preserving Set Intersection

4-3 A Survey on Oblivious Transfer Protocols

Efficient MPC Oblivious Transfer and Oblivious Linear Evaluation aka How to Multiply

Are you the one to share? Secret Transfer with Access Structure

Secure Multi-Party Computation. Lecture 17 GMW & BGW Protocols

Privacy Preserving Multiset Union with ElGamal Encryption

Lecture 9 and 10: Malicious Security - GMW Compiler and Cut and Choose, OT Extension

Thesis Proposal: Privacy Preserving Distributed Information Sharing

Communication Complexity and Secure Function Evaluation

Introduction to Modern Cryptography. Benny Chor

Additive Conditional Disclosure of Secrets

Lecture 1: Introduction to Public key cryptography

Practice Assignment 2 Discussion 24/02/ /02/2018

Modulo Reduction for Paillier Encryptions and Application to Secure Statistical Analysis. Financial Cryptography '10, Tenerife, Spain

OWO Lecture: Modular Arithmetic with Algorithmic Applications

Winter 2011 Josh Benaloh Brian LaMacchia

Extending Oblivious Transfers Efficiently

CPSC 467b: Cryptography and Computer Security

An Efficient Protocol for Fair Secure Two-Party Computation

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

Fast Cut-and-Choose Based Protocols for Malicious and Covert Adversaries

Perfect Secure Computation in Two Rounds

Efficient and Secure Delegation of Linear Algebra

Discrete Logarithm Problem

Lecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004

Practical and Secure Integer Comparison and Interval Check

Secret sharing schemes

Public Key Cryptography

i-hop Homomorphic Encryption Schemes

ASYMMETRIC ENCRYPTION

Parallel Coin-Tossing and Constant-Round Secure Two-Party Computation

Advanced Topics in Cryptography

Public-Key Encryption: ElGamal, RSA, Rabin

Public-Key Cryptosystems CHAPTER 4

1 Basic Number Theory

ENEE 457: Computer Systems Security 10/3/16. Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange

ECS 189A Final Cryptography Spring 2011

Fast Large-Scale Honest-Majority MPC for Malicious Adversaries

Efficient Fuzzy Matching and Intersection on Private Datasets

From Secure MPC to Efficient Zero-Knowledge

Lecture 19: Verifiable Mix-Net Voting. The Challenges of Verifiable Mix-Net Voting

Lecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography

Secure Vickrey Auctions without Threshold Trust

Lecture Notes 15 : Voting, Homomorphic Encryption

Secure Linear Algebra Using Linearly Recurrent Sequences

5PM: Secure Pattern Matching

A Framework for Efficient Adaptively Secure Composable Oblivious Transfer in the ROM

Short Exponent Diffie-Hellman Problems

k-nearest Neighbor Classification over Semantically Secure Encry

Topics in Cryptography. Lecture 5: Basic Number Theory

Privacy-preserving cooperative statistical analysis

An Unconditionally Secure Protocol for Multi-Party Set Intersection

Introduction to Cybersecurity Cryptography (Part 4)

Theory of Computation Chapter 12: Cryptography

Privacy-Preserving Data Imputation

1/p-Secure Multiparty Computation without an Honest Majority and the Best of Both Worlds

Authentication. Chapter Message Authentication

Private Comparison. Chloé Hébant 1, Cedric Lefebvre 2, Étienne Louboutin3, Elie Noumon Allini 4, Ida Tucker 5

Efficient Constant Round Multi-Party Computation Combining BMR and SPDZ

Introduction to Cybersecurity Cryptography (Part 4)

Elliptic Curve Cryptography

A New Approach to Practical Secure Two-Party Computation. Jesper Buus Nielsen Peter Sebastian Nordholt Claudio Orlandi Sai Sheshank

Notes for Lecture 17

YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE

CHALMERS GÖTEBORGS UNIVERSITET. TDA352 (Chalmers) - DIT250 (GU) 11 April 2017, 8:30-12:30

Multiparty Computation (MPC) Arpita Patra

Lecture 28: Public-key Cryptography. Public-key Cryptography

Introduction to Modern Cryptography. Lecture RSA Public Key CryptoSystem 2. One way Trapdoor Functions

Cryptography and Security Final Exam

Encryption Switching Protocols Revisited: Switching modulo p

Lecture Notes 20: Zero-Knowledge Proofs

Network Security Technology Spring, 2018 Tutorial 3, Week 4 (March 23) Due Date: March 30

The Theory and Applications of Homomorphic Cryptography

Transcription:

Winter School on Bar-Ilan University, Israel 30/1/2011-1/2/2011 Bar-Ilan University Benny Pinkas Bar Ilan University 1

Extending OT [IKNP] Is fully simulatable Depends on a non-standard security assumption correlation robust functions Modern hash families should have this property Bar-Ilan University Security against malicious adversaries is based on the cut and choose approach Increases the overhead by a factor of s to reduce cheating probability to 2 -s. 2

Example: the millionaires problem - comparing two N bit numbers Bar-Ilan University What s the overhead? Circuit size is linear in N N oblivious transfers 3

Two parties. Two large data sets. Example applications Computing the Max? Mean? Median? Intersection? Bar-Ilan University 4

If the circuit is not too large then generic secure two-party computation is efficient Bar-Ilan University AES (key and plaintext are known to Alice and Bob, respectively) [PSSW09] About 33,000 gates 7/60/1114 sec for semi-honest/covert/malicious If the circuit is large: we currently need adhoc solutions. 5

G. Aggarwal, N. Mishra and B. Pinkas, Secure Computation of the K'th-ranked Element, Eurocrypt'04. 6

Inputs: Alice: S A Bob: S B Output: Bar-Ilan University Large sets of unique items ( D). x S A S B s.t. x has k-1 elements smaller than it. The median k = ( S A + S B ) / 2 Motivation: Basic statistical analysis of distributed data. E.g., histogram of salaries. 7

The k th -ranked element reveals some information. Suppose S A = x 1,,x 1000 (sorted) Median of S A S B = x 400 Party A now learns that S B contains at least 200 elements smaller than x 400 But she shouldn t learn more 8

The Problem: The size of a circuit for computing the k th ranked element is at least linear in k. For the median, k is in the same order as the size of the inputs. Generic constructions using circuits [Yao, ] have communication complexity which is linear in the circuit size, and therefore in k. 9

S A L A m A R A m A < m B S B L B m B R B L A lies below the median, R B lies above the median. L A = R B New median is same as original median! Recursion Need log n rounds (assume each set contains n=2 i items)

A finds its median m A B finds its median m B YES m A < m B NO A deletes elements m A. B deletes elements > m B. Secure comparison (e.g. a small circuit) A deletes elements > m A. B deletes elements m B.

A B Bar-Ilan University 1 16 1 16 1 m A m B 8 9 16 m A <m B m A <m B Median found!! m A >m B pa ge 12 m A <m B

median A B Bar-Ilan University m A >m B m A <m B m A <m B m A >m B pa ge 13 m A <m B

This is a proof of security for the case of semi-honest adversaries. Bar-Ilan University Security for malicious adversaries is more complex. The protocol must be changed to ensure that the parties answers are consistent with some input. Also, the comparison of the medians must be done by a protocol secure against malicious adversaries. 14

S A k - S B 2 i + + Now, compute the median of two sets of size k. Size should be a power of 2. median of new inputs = k th element of original inputs 15

Can search for k th element without revealing size of input sets. However, k=n/2 (median) reveals input size. Solution: Let S=2 i be a bound on input size. S A S B + - S + - Median of new datasets is same as median of original datasets 16

The parties can choose arbitrary inputs to the comparisons. For example, In Step 1 claim that m A =100, and be told that m A <m B (therefore A must remove all items ma). In step 2 claim that m A =10 We change the protocol so that even if input values are chosen adaptively during the protocol, they correspond to a valid input that can be sent to the TTP. 17

The modified protocol: Initialize bounds L A =L B =-, U A =U B =. Each comparison protocol must be secure against malicious parties and verify that L A < m A < U A L B < m B < U B If the verification succeeds, then If m A m B then set U A =m A and L B = m B Otherwise set L A =m A and U B = m B Bar-Ilan University The bounds ensure that m A and m B are consistent with previous inputs A B m A m B 18

The bounds L A,L B,U A,U B must not be revealed to any party, but rather be internal values of the secure computation. The secure computation is run in phases, where each phase must pass updated values of L A,L B,U A,U B to the next phase. Can be implemented using reactive computation Or, in a simpler way 19

The circuit is composed of layers. Bar-Ilan University Each layer provides an external output, and has internal wires going into the next layer. 20

In each layer provide A with Shares of L A,U A,L B,U B MACs of B s shares of these values provide B with Shares of L A,U A,L B,U B MACs of A s shares of these values In the next level A and B inputs these values. The circuit checks the MACs, and reconstructs L A,U A,L B,U B from shares. Bar-Ilan University 21

Must show that for every adversary A in real model there is a simulator A in the ideal model, etc The operation of A in the real model can be visualized as following a path in a binary tree. Nodes are inputs to comparisons. 22

If A does not provide a legitimate input to a comparison (namely m A (L A,U A ) ) then the simulator aborts. Assume that the random input of A is known to the simulator, and therefore A is deterministic. Bar-Ilan University 23

The simulator runs the protocol with A, rewinding over all execution paths in the tree. Learns the inputs of A to all comparisons. The inputs to the leaves correspond to the sorted input of A. The simulator sends this input to TTP. Based on the result, it simulates the real execution path with A. 24

Input: Party P i has set S i, i=1..n. (all values [a,b], where a and b are known) Output: k th element of S 1 S n Protocol (binary search): Set m = (b-a)/2. Repeat: P i uses the following input for a secure computation: L i = # elements in S i smaller than m. B i = # times m appears in S i. - The following is computed securely: If ΣL i k, set b=m, m=(m-a)/2, else If Σ(L i + B i ) k, stop. k th element is m. Otherwise, set a=m, m = m+(b-m)/2. 25

Efficient secure computation of the median. Two-party: log k rounds * O(log D) Multi-party: log D rounds * O(log D) Very close to the communication complexity lower bound of log D bits. Malicious case is efficient too. Do not use generic tools. Instead, implement simple consistency checks. 26

M. Freedman, K. Nissim and B. Pinkas, Efficient Private Matching and Set Intersection, Eurocrypt'04. 27

Client Server Input: X = x 1 x n Y = y 1 y n Output: X Y only nothing Shared interests (research, music) Credit rating Sharing intelligence between agencies (IARPA) Dating Genetic compatibility, etc 28

Trivial circuit compares each (x i,y j ) pair O(n 2 ) circuit size Bar-Ilan University A more advanced circuit: Sort the union of the two sets, using a sorting network. If x i =y j these two values will become adjacent. Scan and search for identical adjacent values O(nlogn) circuit size (with huge constant [AKS]) 29

Public key encryption, such that Given E(x) it is possible to compute, without knowledge of the secret key, the value of E(c x), for every c. Given E(x) and E(y), it is possible to compute E(x+y). We will use the notation E(x) E(y) = E(x+y) E(x) c =E(c x) Applications Voting Many cryptographic protocols, such as keyword search, oblivious transfer 30

Standard public key encryption schemes support Homomorphic operations with relation to multiplication RSA Public key: N, e. Private key: d. E(m) = m e mod N E(m 1 ) E(m 2 ) = E(m 1 m 2 ) El Gamal Public key : p (or a similar group), y=g x. Private key: x. E(m) = (g r, y r m) E(m 1 ) E(m 2 ) = E(m 1 m 2 ) 31

Modified El Gamal E(m) = (g r, y r g m ) E(m 1 ) E(m 2 ) = (g r, y r g m 1 + m 2) = E(m 1 + m 2 ) Decryption reveals g m 1 + m 2 Computing m 1 +m 2 is possible if m 1 +m 2 is small Paillier s cryptosystem Based on composite residuocity classes Works in the group Z* n 2, where n=pq. Public-Key Cryptosystems Based on Composite Degree Residuosity Classes, Pascal Paillier, Eurocrypt 99. 32

Client (C) defines a polynomial of degree n whose roots are her inputs x 1,,x n Bar-Ilan University P(y) = (x 1 -y)(x 2 -y) (x k -y) = a 0 + a 1 y + + a k y k C sends to server (S) homomorphic encryptions of polynomial s coefficients Enc(a 0 ),, Enc(a k ) 33

Note that Enc(P(y)) =Enc(a 0 +a 1 y 1 + +a k y k ) = Enc(a 0 ) Enc (a 1 ) y Enc (a 2 ) y2 Enc (a k ) yk Therefore y, server can compute Enc(P(y)) Bar-Ilan University The operation of the server y j, choose random r j and compute Enc(r j P(y j )+y j ) This equals Enc(y j ) if y j X, and is random otherwise. S sends (permuted) results back to C C decrypts and learns X Y 34

The server computes Enc(r j P(y j )+1) This equals Enc(1) if y j X, and is random otherwise. The client decrypts, counts the number of 1 s and learns X Y. A different variant enables to compute whether intersection > threshold. 35

Client s privacy Server only sees semantically-secure enc s We can simulate server s view by sending it enc s of arbitrary values. Server s privacy Client can simulate her view in the protocol, given the output X Y alone: Compute the enc s of items in X Y and of random items, and receive them in random order. 36

Communication is O(n) C sends n coefficients S sends n evaluations of polynomial Bar-Ilan University Computation Client encrypts and decrypts n values Server: y Y, computes Enc(r P(y)+y), using n exponentiations Total of O(n 2 ) exponentiations 37

Inputs typically from a small domain of D values. Represented by logd bits (say, 20) Use Horner s rule to compute polynomial: P(y)= a 0 + y (a 1 + y (a n-1 +ya n )...) instead of P(y)= a 0 + a 1 y +a n-1 y n-1 +a n y n Now, exponents are only log D bits Overhead of exponentiation is linear in exponent Improvement by factor of modulus /log D, e.g., 1024/20 50 38

x 1 x 2 x 3 x 4 x 5 x 6 x 7 x k-1 x k H( ) B P 1 P 2 P 3 P B M C uses H( ) to hash inputs to B bins (H indep. of inputs) Let M bound max # of items in a bin. Client defines B polynomials of deg M. Each poly encodes x s mapped to its bin.

P 1 P 2 P 3 P B H y Y, i H(y), r rand Enc( r P i (y) + y ) C sends B polynomials and H to server. For every y, S computes H(y) and evaluates the corresponding poly (of degree M)

Communication: B M Server: n M short exp s, n full exp s ( P(y) ) ( r P i (y) + y ) How large should M be? Simple hashing: If the number of bins is B=n, then M=O(logn) Therefore Communication O(nlogn) Server computation O(nlogn) Can do better Bar-Ilan University 41

Balanced allocations [ABKU]: H=(h 1,h 2 ): Choose two bins, map item y to the less occupied bin among h 1 (y),h 2 (y). It was shown that for B = n/ln ln n the maximum bin size is M=O (ln ln n) Communication is BM=O(n) Server: n ln ln n short exp, n full exp. (in practice ln ln n 5) Client must check results in two bins Bar-Ilan University 42

Cuckoo hashing [Pagh-Rodler] Bar-Ilan University Map n items to B 2n bins of size M=1, or to a small stash (of size, say, 3). Each item y is found in either h 1 (y) or h 2 (y), or in the stash. Details of the construction are omitted Communication, and server work are only O(n) 43

Asymptotic run time of server with random hashing/balanced allocations/cuckoo hashing is nlogn/nloglogn/n, respectively. For n=10,000, actual run times were 48/69/65 seconds, respectively.???????? Bar-Ilan University 44

Server computes E(r P(y)+y) Bar-Ilan University The overhead of multiplying by r is independent of the degree. It is also a full exponentiation. Experiments showed the overhead of evaluating E(r P(y)+y) to be linear in d+6.5 In the different methods S evaluates 1/2/3 polynomials, of degree logn/loglogn/o(1). Simple hashing is better since it evaluates a single polynomial. The other schemes are better only for larger values of n. 45

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback