SHADE: Secure HAmming DistancE computation from oblivious transfer

Nov 17, 2013

This document and the information therein are the property of Morpho. They must not be copied or communicated to a third party without the prior written authorization of Morpho.

SHADE: Secure HAmming DistancE computation from oblivious transfer

Julien Bringer, Hervé Chabanne, Alain Patey

Workshop on Applied Homomorphic Cryptography (WAHC'13) - Apr. 1st, 2013

Work partially funded by the ANR SecuLar project and by the European FP7 FIDELITY project


OUTLINE

- Motivations
  - Secure Biometric Recognition
- Secure Computation of Hamming distances: previous proposals
  - Homomorphic Encryption
  - Garbled Circuits
- SHADE
  - The basic scheme
  - The fully-secure scheme

Alain Patey / 01/04/2013 / WAHC'13

Motivations

BIOMETRIC MATCHING

- Biometrics: images are encoded into feature vectors
- Biometric matching: computation of a similarity measure between two vectors
  - Hamming Distance
  - Euclidean Distance
  - Scalar Product

EXAMPLE: IRIS

- Iriscodes: 256-byte code + 256-byte mask
  - Mask indicates (in)exploitable data: eyelids, eyelashes, blurred pixels…
- Similarity measure between (X1,M1) and (X2,M2): normalized Hamming distance

  HD(X1,X2) = |(X1 ⊕ X2) ∩ M1 ∩ M2| / |M1 ∩ M2|

John Daugman: How iris recognition works. IEEE Trans. Circuits Syst. Video Techn. (TCSV) 14(1):21-30 (2004)

EXAMPLE: FINGERPRINT

- Binary feature vector fingerprint representation: ~50,000-bit vectors
  - Bits indicate presence/absence of given patterns
- Similarity measure: usual Hamming distance

Bringer, J. and Despiegel, V., Binary feature vector fingerprint representation from minutiae vicinities, BTAS'10 (2010).

EXAMPLE: FACE

- Face: SCiFI project
  - Approach similar to the approach of the previous slide
  - 900-bit vectors (constant 180-bit weight)
  - Similarity measure = usual Hamming distance

Margarita Osadchy, Benny Pinkas, Ayman Jarrous, Boaz Moskovich: SCiFI - A System for Secure Face Identification. IEEE Symposium on Security and Privacy 2010:239-254

MOTIVATIONS FOR SECURE BIOMETRIC MATCHING

- Biometric data are
  - extremely sensitive
  - hard to revoke
  - but very useful for personal recognition
- Need for protection and usability at the same time
  => Secure computation
- Applications
  - 1 vs N identification
  - Intersection of biometric databases
  - Deduplication
  - Anonymous access control

Secure Hamming Distance Computation: Previous proposals

SETTING

- Server holds a binary string X = (x1,…,xn), e.g. 100110011101
- Client holds a binary string Y = (y1,…,yn), e.g. 110010010101
- Secure computation; output: dH(X,Y) = Σ (xi ⊕ yi)
- Output learned either by C, S or both
- Privacy: one party does not learn information about the other party's input (except the result)

Homomorphic Encryption

XOR-LY / ADDITIVELY HOMOMORPHIC ENCRYPTION

- E = homomorphic cryptosystem
- Goal: compute E(X ⊕ Y) (or E(dH(X,Y))) from E(X) and Y (or E(X) and E(Y)), where X and Y are strings
- No efficient homomorphic cryptosystem to do this straightforwardly
  - Goldwasser-Micali: XOR over bits
  - Paillier: addition over integers
- Use of additively homomorphic encryption (Paillier and extensions)
  - E(X).E(Y) = E(X+Y)
  - E(X)^Y = E(X.Y)

SECURE HAMMING DISTANCE USING HOMOMORPHIC ENCRYPTION

- Client input: X = (x1,…,xn), sk, pk
- Server input: Y = (y1,…,yn), pk
- Data encryption (Client -> Server): E(x1),…,E(xn)
- Computation over encrypted data (Server):
  - For i = 1..n, E(xi ⊕ yi) = E(xi)^(1-2yi) . E(yi)
  - E(dH(X,Y)) = E(Σ (xi ⊕ yi)) = Π E(xi ⊕ yi)
- Result decryption (Server -> Client): E(dH(X,Y)), decryption using sk
- Output: dH(X,Y)
- Recall: x, y ∈ {0,1}, x ⊕ y = x + y - 2x.y
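Worked example, added here and not part of the original slides or of the authors' code: the protocol of this slide run end to end with a toy Paillier instance. The primes 101 and 103, the generator g = n+1 and all function names are assumptions for illustration only; a real deployment uses primes of at least 1024 bits. The server's step E(xi)^(1-2yi) . E(yi) is implemented literally, the exponent -1 being a modular inverse mod n².

```python
import secrets
from math import gcd

# Toy Paillier parameters (assumption, NOT secure; real keys use >= 1024-bit primes).
# Simplified Paillier with generator g = n + 1, so E(m) = (1 + m*n) * r^n mod n^2.
P_TOY, Q_TOY = 101, 103


def paillier_keygen(p=P_TOY, q=Q_TOY):
    """Return (pk, sk) with pk = n and sk = (n, lambda, mu)."""
    n = p * q
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)   # Carmichael's lambda(n)
    assert gcd(n, (p - 1) * (q - 1)) == 1
    mu = pow(lam, -1, n)                             # with g = n+1, L(g^lambda)^-1 = lambda^-1 mod n
    return n, (n, lam, mu)


def encrypt(pk, m):
    """E(m) with a fresh random r coprime to n; m must satisfy 0 <= m < n."""
    n, n2 = pk, pk * pk
    assert 0 <= m < n
    r = secrets.randbelow(n - 1) + 1
    while gcd(r, n) != 1:
        r = secrets.randbelow(n - 1) + 1
    return (1 + m * n) * pow(r, n, n2) % n2


def decrypt(sk, c):
    """D(c) = L(c^lambda mod n^2) * mu mod n, with L(u) = (u - 1) / n."""
    n, lam, mu = sk
    u = pow(c, lam, n * n)
    return ((u - 1) // n) * mu % n


def add(pk, c1, c2):
    """E(a).E(b) = E(a + b)"""
    return c1 * c2 % (pk * pk)


def scale(pk, c, k):
    """E(a)^k = E(k.a); a negative k is a modular inverse mod n^2, i.e. E(-a mod n)."""
    return pow(c, k, pk * pk)


def he_hamming_distance(X, Y):
    """Client holds X and (pk, sk); server holds Y and pk only."""
    pk, sk = paillier_keygen()
    # client -> server: bitwise encryption of X
    enc_x = [encrypt(pk, x) for x in X]
    # server: E(x_i XOR y_i) = E(x_i)^(1 - 2 y_i) . E(y_i), since x XOR y = x + y - 2xy on bits
    enc_xor = [add(pk, scale(pk, cx, 1 - 2 * y), encrypt(pk, y)) for cx, y in zip(enc_x, Y)]
    # server: E(dH) = prod_i E(x_i XOR y_i); sent back to the client
    enc_d = 1
    for c in enc_xor:
        enc_d = add(pk, enc_d, c)
    # client: decryption with sk
    return decrypt(sk, enc_d)
```

Every bit costs one ciphertext of size n² and one modular exponentiation on the server, which is why the summary slide later in the deck rates this approach as the most expensive of the three.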

Yao’s Protocol

1-OUT-OF-2 OBLIVIOUS TRANSFER

- Sender inputs: strings X0 and X1
- Receiver input: bit b
- Receiver output: Xb
- Sender output: nothing
- Sender does not learn b
- Receiver learns nothing about X(1-b)

GARBLED CIRCUITS

- Garbled circuits: “encrypted” binary circuits
  - Random keys are associated with wires (one pair per wire)
  - Gates are encrypted using these keys
- S creates the garbled circuit:
  - picks random keys and encrypts tables
- C evaluates the garbled circuit
  - Decrypts the garbled tables using one key per input wire
  - Keys corresponding to S’s inputs are directly sent to C
  - Keys corresponding to C’s inputs are sent using 1-out-of-2 OTs

YAO’S PROTOCOL

- Party 1 creates the garbled circuit
- Party 1 -> Party 2: garbled circuit, labels of P1’s inputs
- Labels of P2’s inputs obtained using 1-out-of-2 OT’s
- Party 2 evaluates the garbled circuit and obtains f(X,Y)
- (Optional) Party 2 -> Party 1: f(X,Y)

IMPLEMENTATION OF YAO’S PROTOCOL

- Garbling can be implemented using symmetric cryptography
- Optimizations:
  - free XOR gates
  - 25% reduction of garbled gate size (garbled row reduction)
- 1-out-of-2 OT’s can also be implemented using symmetric cryptography
  - after some preprocessing involving public-key cryptography (OT extension)
- Implementations are available
  - Fairplay, TASTY, Secure Computation Framework…

SUMMARY

- Additively homomorphic encryption
  - Bits are encrypted separately (ciphertexts are at least 2048-bit long)
  - Homomorphic operations are costly
  - Ciphertexts can be re-used (for another instance of the protocol or another functionality)
- Yao’s protocol
  - Mostly symmetric cryptography
  - Garbled circuits not reusable
- Use of Yao’s protocol for secure Hamming distance computation gives better performance than homomorphic encryption

Yan Huang, David Evans, Jonathan Katz, Lior Malka: Faster Secure Two-Party Computation Using Garbled Circuits. USENIX Security Symposium 2011

SHADE

TOWARDS SHADE

- Garbled circuits are big, even for the simple Hamming distance circuit
  - e.g. >120 KB bandwidth required for a 2048-bit Hamming distance
- When using Yao’s protocol, the sender’s inputs to the OT’s are independent of the actual inputs X and Y
- Ideas:
  - Get rid of garbled circuits
  - Adapt the inputs of the OT’s such that
    1. they are linked to the sender’s bit-string
    2. the output of the i-th OT is linked to xi ⊕ yi
- Input of the server: (ri + xi, ri + (1 - xi))
- Input of the client: yi
- Output of the client: ri + (xi ⊕ yi)

PROTOCOL

- Server: X = (x1,…,xn). Client: Y = (y1,…,yn)
- Server selects random r1,…,rn
- For i = 1,…,n, one 1-out-of-2 oblivious transfer:
  - Server input: (ri + xi, ri + (xi ⊕ 1))
  - Client input: yi
  - Client output: ti = ri + (xi ⊕ yi)
- Server computes R = Σ ri
- Client computes T = Σ ti (= R + HD(X,Y))
- 1st option: Server sends R; Client outputs T - R = HD(X,Y)
- 2nd option: Client sends T; Server outputs T - R = HD(X,Y)

REMARKS

- Overall cost: n OT’s
- Privacy ensured in the semi-honest model
- Extension to several dH(X,Yj) at the same time
  - Biometric 1 vs N identification
- Applicable to any function of the form:
  - F(X,Y) = Σ λi fi(xi,yi)
  - F(X,Y) = Π f(xi,yi)
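Worked example covering the 1-out-of-2 OT slide, the protocol slide and the generalisation F(X,Y) = Σ λi fi(xi,yi) of the remarks above (added here; this is not code from the slides or from the authors). Both parties run in one process. The OT is a Diffie-Hellman instantiation in a toy 12-bit group; the group parameters, the ring Z_M in which the masks ri are drawn, the SHA-256 key derivation and all function names are assumptions. It goes a little beyond the slides: besides plain Hamming distance it also runs a weighted Hamming distance and a scalar product (f = AND), to show that only the server's OT inputs change when the function does.

```python
import hashlib
import secrets

# Toy group (assumption, NOT secure): safe prime P = 2Q + 1, G = 4 generates the order-Q
# subgroup of squares. A real deployment uses a standard 2048-bit group or an elliptic curve.
P, Q, G = 2879, 1439, 4
M = 2 ** 32   # masks r_i and all sums live in Z_M; M must exceed the largest possible F(X,Y)


def _kdf(elem: int) -> int:
    """Map a group element to a one-time mask in Z_M (SHA-256 as KDF is an assumption)."""
    return int.from_bytes(hashlib.sha256(elem.to_bytes(4, "big")).digest()[:8], "big") % M


def ot_1_of_2(m0: int, m1: int, choice: int) -> int:
    """1-out-of-2 OT, Diffie-Hellman instantiation (Chou-Orlandi style), both roles in-process.
    Sender holds (m0, m1) in Z_M and learns nothing about `choice`; receiver gets only m_choice."""
    # sender: A = G^a
    a = secrets.randbelow(Q - 1) + 1
    A = pow(G, a, P)
    # receiver: B = G^b if choice = 0, A.G^b if choice = 1; its key is A^b = G^(ab) either way
    b = secrets.randbelow(Q - 1) + 1
    B = pow(G, b, P) if choice == 0 else A * pow(G, b, P) % P
    k_recv = _kdf(pow(A, b, P))
    # sender: k0 from B^a, k1 from (B/A)^a; exactly one of them equals G^(ab)
    k0 = _kdf(pow(B, a, P))
    k1 = _kdf(pow(B * pow(A, -1, P) % P, a, P))
    e0, e1 = (m0 + k0) % M, (m1 + k1) % M
    # receiver unmasks the chosen ciphertext; the other one stays masked by an unknown key
    return ((e0, e1)[choice] - k_recv) % M


def shade(X, Y, f=lambda x, y: x ^ y, weights=None):
    """SHADE for F(X,Y) = sum_i lambda_i f(x_i, y_i); Hamming distance is f = XOR, lambda_i = 1.
    Weights must be non-negative integers with F(X,Y) < M.
    Returns (R, T): the server knows R, the client knows T, and F(X,Y) = T - R mod M."""
    n = len(X)
    assert len(Y) == n
    lam = weights if weights is not None else [1] * n
    # server: random masks r_i and OT inputs (r_i + lam_i f(x_i,0), r_i + lam_i f(x_i,1))
    r = [secrets.randbelow(M) for _ in range(n)]
    pairs = [((r[i] + lam[i] * f(X[i], 0)) % M, (r[i] + lam[i] * f(X[i], 1)) % M)
             for i in range(n)]
    # n OTs: the client selects with y_i and obtains t_i = r_i + lam_i f(x_i, y_i)
    t = [ot_1_of_2(p0, p1, Y[i]) for i, (p0, p1) in enumerate(pairs)]
    R = sum(r) % M        # server side
    T = sum(t) % M        # client side (= R + F(X,Y) mod M)
    return R, T


def hamming_distance_option1(X, Y):
    """1st option: the server sends R and the client outputs T - R."""
    R, T = shade(X, Y)
    return (T - R) % M


def scalar_product_option2(X, Y):
    """2nd option: the client sends T and the server outputs T - R; here with f = AND."""
    R, T = shade(X, Y, f=lambda x, y: x & y)
    return (T - R) % M
```

Each ti is uniformly distributed in Z_M on its own, so the client learns nothing from the individual OT outputs; only the difference T - R carries information, which is exactly the semi-honest privacy argument of the remarks slide. The masks ri must be drawn uniformly from the whole ring, not from a small integer range, otherwise ti near the range boundaries would leak xi ⊕ yi.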

COMPARISON TO PREVIOUS SOLUTIONS

- After preprocessing, including optimizations

[Comparison table of HE, Yao and SHADE; only the column headers survive extraction]

COMPUTATION TIME

- Comparison to Yao’s protocol
- For 900 bits:
  - HE: ~310 ms
  - Yao: ~20 ms
  - SHADE: ~8 ms

SHADE: The fully-secure scheme (security against malicious adversaries)

COMMITTED OBLIVIOUS TRANSFER

- Sender inputs: strings X0 and X1; random values r0, r1
- Receiver inputs: bit b; random value r
- Common inputs: Com(X0,r0); Com(X1,r1); Com(b,r)
- Receiver output: Xb; random value u
- Sender output: nothing
- Common output: Com(Xb,u)

Kiraz, M.S., Schoenmakers, B., Villegas, J.: Efficient committed oblivious transfer of bit strings. In: ISC (2007)

HOMOMORPHIC COMMITMENT

- Additively homomorphic commitment:
  - Com(x1, r1) . Com(x2, r2) = Com(x1 + x2, r1 + r2)
- Zero-knowledge proofs:
  - Proof that a commitment c commits to either x1 or x2
    - Here: proof that the committed value is a bit (0 or 1)
  - Proof that two committed values differ by 1
- Instantiation using Paillier or ElGamal cryptosystem

FULLY SECURE SCHEME - 1ST STEP: COMMITMENT AND PROOFS OF CONSISTENCY

- Server: X = (x1,…,xn). Client: Y = (y1,…,yn)
- Client:
  - Picks random values χ1,…,χn
  - Computes and publishes Com(yi, χi), i = 1…n
  - Proves that the committed values are bits
- Server:
  - Picks random values α1,…,αn, β1,…,βn, r1,…,rn
  - Computes and publishes, for i = 1…n:
    - Ai = Com(ri + xi, αi)
    - Bi = Com(ri + (1 - xi), βi)
  - Proves that the committed values differ by 1
- State after this step:
  - Common: Ai = Com(ai, αi); Bi = Com(bi, βi); Com(yi, χi)
  - Server: xi; ri; ai = ri + xi; bi = ri + (1 - xi); αi; βi
  - Client: yi; χi

FULLY SECURE SCHEME - 2ND STEP: COMMITTED OBLIVIOUS TRANSFERS

- Common: Ai = Com(ai, αi); Bi = Com(bi, βi); Com(yi, χi)
- Server: xi; ri; ai = ri + xi; bi = ri + (1 - xi); αi; βi
- Client: yi; χi
- n committed oblivious transfers, with Ai, Bi and Com(yi, χi) as the common inputs
- Client output:
  - ti = ri + (xi ⊕ yi)
  - random values τi
- Common output: Ci = Com(ti, τi)

FULLY SECURE SCHEME - 3RD STEP: HAMMING DISTANCE COMPUTATION (1ST OPTION)

- Common: Ai = Com(ai, αi); Bi = Com(bi, βi); Ci = Com(ti, τi)
- Server: ri; ai = ri + xi; bi = ri + (1 - xi); αi; βi
- Client: ti = ri + (xi ⊕ yi); τi
- Server:
  - Computes R = r1 + … + rn
  - Computes K = Com(2R + n, Σ(αi + βi))
  - Sends R + proof that K commits to 2R + n
- Client:
  - Computes T = t1 + … + tn
  - Computes K = A1…An B1…Bn
  - Checks the proof
  - Outputs T - R = dH(X,Y)
- Same mechanisms for the 2nd option
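Worked example for the three steps of the fully secure scheme (added here; not code from the slides or from the authors). Commitments are Pedersen commitments Com(x, ρ) = G^x H^ρ in a toy 12-bit group, which are additively homomorphic as the scheme requires; the group parameters are assumptions and insecure. The committed OT is simulated as an ideal functionality rather than as the Kiraz-Schoenmakers-Villegas protocol, the two zero-knowledge proofs of the 1st step are not implemented, and the server's proof that K commits to 2R + n is replaced by opening K with ρ = Σ(αi + βi). What the example does show is the consistency check itself: the client recomputes K = Π Ai Bi from the published commitments and rejects a server that reports a wrong R, and the symmetric check of the 2nd option, where the server verifies Π Ci against the client's T, is included.

```python
import secrets

# Toy Pedersen parameters (assumption, NOT secure): P = 2Q + 1 is a safe prime, G and H
# generate the order-Q subgroup of squares, and log_G(H) must be unknown to both parties
# (trivially computable in a 12-bit group; a real instance uses a 2048-bit group or a curve).
P, Q = 2879, 1439
G, H = 4, 9


def com(x: int, rho: int) -> int:
    """Additively homomorphic commitment: Com(x1,r1).Com(x2,r2) = Com(x1+x2, r1+r2)."""
    return pow(G, x % Q, P) * pow(H, rho % Q, P) % P


def server_commit(X):
    """1st step, server side: publish A_i = Com(r_i + x_i, alpha_i), B_i = Com(r_i + 1 - x_i, beta_i).
    (The zero-knowledge proof that a_i and b_i differ by 1 is not implemented here.)"""
    n = len(X)
    r = [secrets.randbelow(Q) for _ in range(n)]
    alpha = [secrets.randbelow(Q) for _ in range(n)]
    beta = [secrets.randbelow(Q) for _ in range(n)]
    A = [com(r[i] + X[i], alpha[i]) for i in range(n)]
    B = [com(r[i] + 1 - X[i], beta[i]) for i in range(n)]
    return {"r": r, "alpha": alpha, "beta": beta}, A, B


def committed_ot(priv, X, Y):
    """2nd step, simulated as an ideal functionality (not the Kiraz et al. protocol): the client
    receives t_i = r_i + (x_i XOR y_i) mod Q and fresh tau_i; C_i = Com(t_i, tau_i) is public."""
    t, tau = [], []
    for i, y in enumerate(Y):
        a_i = (priv["r"][i] + X[i]) % Q         # value behind A_i (delivered when y_i = 0)
        b_i = (priv["r"][i] + 1 - X[i]) % Q     # value behind B_i (delivered when y_i = 1)
        t.append(a_i if y == 0 else b_i)
        tau.append(secrets.randbelow(Q))
    C = [com(t[i], tau[i]) for i in range(len(Y))]
    return t, tau, C


def option1_client_check(A, B, R, rho, n):
    """3rd step, 1st option, client side: K = prod A_i.B_i must commit to 2R + n.
    The server's proof is replaced by the opening rho = sum(alpha_i + beta_i) (a simplification)."""
    K = 1
    for a_i, b_i in zip(A, B):
        K = K * a_i % P * b_i % P
    return K == com(2 * R + n, rho)


def option2_server_check(C, T, rho_c):
    """2nd option, server side: prod C_i must commit to T; the client opens with sum(tau_i)."""
    K = 1
    for c_i in C:
        K = K * c_i % P
    return K == com(T, rho_c)


def fully_secure_hamming(X, Y):
    """All three steps, 1st option: the client learns dH(X,Y) or rejects an inconsistent server."""
    n = len(X)
    priv, A, B = server_commit(X)
    t, tau, C = committed_ot(priv, X, Y)
    R = sum(priv["r"]) % Q                                  # server
    rho = sum(priv["alpha"]) + sum(priv["beta"])            # server: opening of K
    if not option1_client_check(A, B, R, rho, n):           # client
        raise ValueError("R is inconsistent with the published commitments")
    T = sum(t) % Q                                          # client
    return (T - R) % Q
```

The check works because Σ(ai + bi) = Σ(2ri + 1) = 2R + n whatever the xi are, so Π Ai Bi is a commitment to 2R + n under randomness Σ(αi + βi); a server that reports any other R would have to open the same commitment to a different value, which binding forbids. Opening K reveals only the sum of the αi and βi, not any individual one, so Ai and Bi stay hiding.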

CONCLUSION

- Most efficient secure Hamming distance computation in the semi-honest model
  - Applicable to any linear combination of bit-wise independent functions
- Non-reusable
  - like garbled circuits
  - unlike homomorphic encryption
- Adaptation to the malicious model
  - Using additive homomorphic encryption and zero-knowledge
- Applications to secure image/signal processing
  - In particular, biometric identification

THANK YOU FOR YOUR ATTENTION

Questions ?