# Foundations of Privacy

AI and Robotics

Nov 21, 2013

Foundations of Privacy, Lecture 2

Lecturer: Moni Naor

## Planned Topics

- Privacy of Data Analysis
  - Differential Privacy: definition and properties
  - Statistical databases
  - Dynamic data
  - Privacy of learning algorithms
  - Privacy of genomic data
- Interaction with cryptography
  - SFE
  - Voting
  - Entropic Security
  - Data Structures
  - Everlasting Security
- Privacy Enhancing Tech.
  - Mixed nets

## Course Information

Foundations of Privacy - Spring 2012

- Instructor: Moni Naor
- When: Sundays, 16:00-18:00 (2 points)
- Where: Ziskind 1
- Course web page: www.wisdom.weizmann.ac.il/~naor/COURSE/foundations_of_privacy.html
- Prerequisites: familiarity with algorithms, data structures, probability theory, and linear algebra, at an [...] level; a basic course in computability is assumed.

Requirements:

- Participation in discussion in class time
- Homework: there will be several homework assignments. Homework assignments should be turned in on time (usually two weeks after they are given)!
- Class project and presentation
- Exam: none planned

Office: Ziskind 248. Phone: 3701. E-mail: moni.naor@

## Projects

- Report on a paper
- Apply a notion studied to some known domain
- Check the state of privacy in some setting

## Cryptography and Privacy

Extremely relevant, but does not solve the privacy problem.

Secure Function Evaluation: how to distributively compute a function f(X_1, X_2, …, X_n), where X_j is known to party j. E.g., f = sum(a, b, c, …). Parties should only learn the final output f(X_1, …, X_n).

Many results depending on:

- Number of players
- Means of communication
- The power and model of the adversary
- How the function is represented

More worried about what to compute than how to compute.

## Example: Securely Computing Sums

Parties 1, …, 5 hold inputs X_1, …, X_5 with 0 ≤ X_i ≤ P-1 and want to compute Σ X_i (mod P).

- Party 1 selects r ∈_R [0..P-1] and sends Y_1 = X_1 + r.
- Party i receives Y_{i-1} and sends Y_i = Y_{i-1} + X_i.
- Party 1 receives Y_n and announces Σ X_i = Y_n - r.

The messages passed around the ring are Y_1, Y_2, Y_3, Y_4, Y_5; all arithmetic is mod P.
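The ring protocol above as runnable code. This is an added illustration, not code from the lecture: `secure_sum` runs the five-party protocol with arithmetic mod P, and `colluding_view` shows the failure the next slide points at, namely that two parties sitting on either side of party i can subtract the two ring messages they saw and recover X_i.

```python
import secrets

def secure_sum(inputs, P, r=None):
    """Ring protocol from the slides, all arithmetic mod P.

    Party 1 masks X_1 with a random r, every other party adds its own X_i to
    the running value it receives, and party 1 finally subtracts r.
    Returns (sum mod P, [Y_1, ..., Y_n]) so the messages can be inspected.
    """
    if r is None:
        r = secrets.randbelow(P)            # r in [0..P-1], chosen by party 1
    y = (inputs[0] + r) % P                 # Y_1 = X_1 + r
    messages = [y]
    for x in inputs[1:]:
        y = (y + x) % P                     # Y_i = Y_{i-1} + X_i
        messages.append(y)
    return (y - r) % P, messages            # party 1 announces Y_n - r

def colluding_view(messages, i, P):
    """What parties i-1 and i+1 (1-indexed, 2 <= i <= n) learn by pooling the
    ring messages they handled: Y_i - Y_{i-1} = X_i. This is the slide's point
    that an adversary controlling two players breaks the protocol."""
    return (messages[i - 1] - messages[i - 2]) % P

if __name__ == "__main__":
    # constructed sample inputs; r is fixed only to make the run reproducible
    total, msgs = secure_sum([3, 5, 7, 11, 13], P=101, r=42)
    print("sum mod P:", total, "ring messages:", msgs)
    print("X_3 as seen by parties 2 and 4:", colluding_view(msgs, 3, 101))
```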

## Is this Protocol Secure?

To talk rigorously about cryptographic security:

- Specify the adversary
  - Data/system
  - Computational power?
  - "Auxiliary" information?
- Define a break of the system
  - What is compromise?
  - What is a "win" for the adversary?

If the adversary controls two players, the protocol is insecure. Can the adversary be all powerful here?

A protocol is considered secure if for every adversary (of a certain type) there exists a simulator that outputs an indistinguishable "transcript".

Examples: encryption, zero-knowledge, secure function evaluation.

Power of analogy.

## SFE: Simulating the Ideal Model

A protocol is considered secure if for every adversary there exists a simulator operating in the "ideal" (trusted party) model that outputs an indistinguishable transcript.

Major result: "Any function f that can be evaluated using polynomial resources can be securely evaluated using polynomial resources."

Breaking = distinguishing!

## Honest but Curious Model

- Never erase information.
- General principle: design your protocol assuming the players are honest-but-curious.
- Then translate the protocol into one resilient against malicious players.
- Use zero-knowledge (proofs of knowledge, POK) for all languages in NP as a compiler.

## Secure Function Evaluation (SFE)

Major and exciting topic of research in the last quarter century.

How to distributively compute a function f(X_1, X_2, …, X_n), where X_j is known to party j. Parties learn only the final output.

## The Millionaires Problem

Alice holds x, Bob holds y. Whose value is greater? Leak no other information!

## Ideal Solution for the Millionaires Problem

Alice sends x and Bob sends y to a trusted party, "TrustMe", who announces the answer. Well ... in reality there is only Alice with x and Bob with y, and no TrustMe.

## Secure Function Evaluation: (Informal) Definition

For any adversary there is a comparable one working in the ideal model with similar output.

Or: a protocol is secure if it emulates the ideal solution.

## Second Price Auctions - Vickrey

So why isn't it more popular?

Sealed bid, second price auction: the winner is the highest bidder, and pays the second highest bid.

Why? Bidding true value is a dominant (and simple) strategy; it is a single-round simulation of the English auction.

Problems with applying the Revelation Principle:

- Utility functions (value of item) contain sensitive information
- Participants might cheat simply to avoid leaking this information

Hal Varian: "Even if current information can be safeguarded, records of past behavior can be extremely valuable, since historical data can be used to estimate the willingness to pay" ... "what should be the appropriate technological and social safeguards to deal with this problem?"

This lecture: technological safeguards via cryptography.

The second price auction as a function: f(X_1, X_2, …, X_n) = (i, x_j), where x_i = max_k x_k and x_j = max_{k≠i} x_k.
## Major Result [Yao, GMW]

"Any function f that can be evaluated using polynomial resources can be securely evaluated using polynomial resources."

## SFE

Many results depending on:

- Number of players
- Means of communication
- The power and model of the adversary
- How the function is represented

## Simulation

A protocol is considered secure if for every adversary (of a certain type) there exists a simulator that outputs an indistinguishable "transcript".

Examples: encryption, zero-knowledge. Next: secure function evaluation.

## Simulating the Ideal Model

A protocol is considered secure if for every adversary there exists a simulator operating in the "ideal" (trusted party) model that outputs an indistinguishable "transcript".

## 1-out-of-2 Oblivious Transfer

Chooser (Alice) has input j; Sender (Bob) has inputs Y_0, Y_1. Alice learns Y_j; Bob learns nothing.

Implementations of OT^2_1:

- Can be based on most public-key systems
- There are implementations with two rounds of communication

## Oblivious Transfer: 1-out-of-N OT

Input: Sender has m_0, …, m_{N-1}; Chooser has σ ∈ {0, 1, …, N-1}.

Output: Chooser obtains m_σ.

The parties learn nothing else:

- It is indistinguishable to Sender which σ is used
- Chooser learns no other value of m_0, …, m_{N-1}

Precise definition?

A generic OT^2_1 construction from public-key encryption (Sender: m_0, m_1; Chooser: σ ∈ {0,1}):

1. Chooser sends PK_0, PK_1 and a proof that she knows only one private key.
2. Sender replies with E_{PK_0}(m_0), E_{PK_1}(m_1).

## The Bellare-Micali Protocol

Sender has m_0, m_1; Chooser has σ ∈ {0,1}.

- Sender picks a random C in the group (sent to Chooser).
- Chooser picks a private key k and sends PK_σ = g^k, PK_{1-σ} = C/PK_σ.
- Sender picks random r_0, r_1 and sends
  E(m_0) = (g^{r_0}, H[(PK_0)^{r_0}] ⊕ m_0),
  E(m_1) = (g^{r_1}, H[(PK_1)^{r_1}] ⊕ m_1).
- Chooser decrypts m_σ using k.
## Properties

Chooser is protected information-theoretically: PK_0 and PK_1 are random elements in the group such that PK_0 · PK_1 = C.

Chooser cannot know both log_g PK_0 and log_g PK_1: this would imply knowing log_g C.

If Chooser knows PK_σ, then (PK_{1-σ})^{r_{1-σ}} is an unknown Diffie-Hellman value. Therefore m_{1-σ} is computationally protected.

## Idea

Chooser gives two ciphertexts, a good one and a bad one, and proves consistency.

Here: make it trivial to verify. Sender randomizes the ciphertexts; the good ciphertext remains consistent, the bad one maps to a random value. Based on random self-reducibility of DDH.

## The OT Protocol

Chooser defines x = g^a, y = g^b, z_σ = g^{ab} and z_{1-σ} ≠ z_σ, and sends (x, y, z_0, z_1) to Sender. Note that z_σ = x^b and y = g^b.

Sender chooses random (r_0, s_0), (r_1, s_1). Computes w_0 = x^{s_0} · g^{r_0} and w_1 = x^{s_1} · g^{r_1}; encrypts m_0 with z_0^{s_0} · y^{r_0} and m_1 with z_1^{s_1} · y^{r_1}. Sends w_0, w_1 and the encryptions.

Chooser recovers the key as (w_σ)^b and decrypts m_σ.

## The OT Protocol: Properties

Security:

- Chooser: the DDH assumption implies that Sender cannot distinguish between z_σ = g^{ab} and z_{1-σ}.
- Sender: if z_{1-σ} ≠ g^{ab}, then given (m_{1-σ}, w_{1-σ}) the key z_{1-σ}^{s_{1-σ}} · y^{r_{1-σ}} is uniformly distributed.

O(1) exponentiations.

Generalization to OT^N_1 without increasing the chooser's complexity.

Question: how to do [...]
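The DDH-based OT protocol of the two slides above, written out as an added example (not code from the lecture). It assumes a constructed toy group, the order-233 subgroup of Z_467^* generated by 4, and pads messages with a hash of the key element; both are illustration choices. `sender_keys` and `chooser_key` expose the two sides' keys so that the security claim can be checked directly: (w_σ)^b equals Sender's key for index σ, while for index 1-σ (where z_{1-σ} ≠ g^{ab}) the two differ whenever s ≠ 0.

```python
import hashlib
import secrets

# Constructed toy group (assumption, not from the slides): the order-233 subgroup of
# quadratic residues in Z_467^*, generated by G = 4. Real use needs a DDH-hard group.
P, Q, G = 467, 233, 4

def kdf(elem, length):
    """Derive a `length`-byte pad from a group element (hash-based; an assumption)."""
    return hashlib.sha256(elem.to_bytes(4, "big")).digest()[:length]

def xor(a, b):
    return bytes(u ^ v for u, v in zip(a, b))

def chooser_query(sigma, a, b):
    """Chooser: x = g^a, y = g^b, z_sigma = g^ab and z_{1-sigma} = anything else."""
    x, y = pow(G, a, P), pow(G, b, P)
    z = [None, None]
    z[sigma] = pow(G, a * b, P)
    z[1 - sigma] = pow(G, a * b + 1, P)      # g^(ab+1) != g^ab because g != 1
    return (x, y, z[0], z[1])

def sender_keys(query, rs):
    """Sender: key_i = z_i^{s_i} * y^{r_i}. Kept separate so the security claim
    (key_{1-sigma} is independent of w_{1-sigma} whenever s != 0) can be checked."""
    _, y, z0, z1 = query
    return [(pow(z, s, P) * pow(y, r, P)) % P for z, (r, s) in zip((z0, z1), rs)]

def sender_reply(query, m0, m1, rs):
    """Sender: w_i = x^{s_i} * g^{r_i}; m_i one-time-padded under key_i."""
    x = query[0]
    reply = []
    for m, key, (r, s) in zip((m0, m1), sender_keys(query, rs), rs):
        w = (pow(x, s, P) * pow(G, r, P)) % P
        reply.append((w, xor(m, kdf(key, len(m)))))
    return reply

def chooser_key(w, b):
    """Chooser: (w_sigma)^b = x^{sb} g^{rb} = z_sigma^s y^r only because z_sigma = g^ab."""
    return pow(w, b, P)

def chooser_recover(reply, sigma, b):
    w, c = reply[sigma]
    return xor(c, kdf(chooser_key(w, b), len(c)))

def run_ot(sigma, m0, m1):
    """One OT^2_1 run with fresh randomness; returns the message Chooser learns."""
    a, b = secrets.randbelow(Q - 1) + 1, secrets.randbelow(Q - 1) + 1
    rs = [(secrets.randbelow(Q), secrets.randbelow(Q - 1) + 1) for _ in range(2)]
    return chooser_recover(sender_reply(chooser_query(sigma, a, b), m0, m1, rs), sigma, b)
```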

## Secret Sharing

Threshold secret sharing: how to split a secret S into N shares so that

- no k-1 shares reveal anything about the secret S,
- any k shares are sufficient to reconstruct the secret.

Best known example: Shamir's polynomial-based scheme.

Simplest example, 2-out-of-2: choose random S_1 and let S_2 = S ⊕ S_1.
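Shamir's scheme, named above as the best known example, as added illustration code (not from the lecture). It assumes a constructed toy field Z_257; shares are points on a random polynomial of degree k-1 whose constant term is the secret, and k shares recover it by Lagrange interpolation at 0, while k-1 shares only yield one of 257 equally plausible values.

```python
import secrets

FIELD = 257   # constructed toy prime field; a real deployment uses a large prime

def split_secret(secret, k, n, coeffs=None):
    """Shamir's scheme: a random polynomial f of degree k-1 with f(0) = secret;
    party i receives the share (i, f(i)). `coeffs` fixes a_1..a_{k-1} for tests."""
    if coeffs is None:
        coeffs = [secrets.randbelow(FIELD) for _ in range(k - 1)]
    poly = [secret % FIELD] + list(coeffs)   # f(x) = secret + a_1 x + ... + a_{k-1} x^{k-1}

    def f(x):
        return sum(c * pow(x, e, FIELD) for e, c in enumerate(poly)) % FIELD

    return [(i, f(i)) for i in range(1, n + 1)]   # x = 0 is reserved for the secret

def reconstruct(shares):
    """Lagrange interpolation at x = 0. With k genuine shares (distinct x) this is
    the secret; with only k-1 shares it is just one of FIELD equally plausible
    candidates, which is why k-1 parties learn nothing about S."""
    total = 0
    for xi, yi in shares:
        num = den = 1
        for xj, _ in shares:
            if xj != xi:
                num = num * (-xj) % FIELD
                den = den * (xi - xj) % FIELD
        total = (total + yi * num * pow(den, -1, FIELD)) % FIELD
    return total
```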

## Two Party Computation

Two party protocol.

Input: Sender has a function P (some representation); Chooser has x ∈ {0,1}^n.

Output: P(x).

Representations of P:

- Boolean circuits [Yao, GMW, …]
- Algebraic circuits [BGW, …]
- Low degree polynomials [BFKR]
- Matrix product over a large field [FKN, IK]
- Randomizing polynomials [IK]
- Communication complexity protocol [NN]

## Garbling P

Input: description of P as a Boolean circuit C over basis B.

Output:

- Garbled circuit C: the gate tables
- Pairs of garbled inputs I_1^0, I_1^1, I_2^0, I_2^1, …, I_n^0, I_n^1
- Pairs of garbled outputs Z_1^0, Z_1^1, Z_2^0, Z_2^1, …, Z_n^0, Z_n^1
## Garbling Requirements

For x ∈ {0,1}^n and y = P(x): given the C-tables and the selection by x of the garbled inputs, x = (x_1, x_2, …, x_n): I_1^{x_1}, I_2^{x_2}, …, I_n^{x_n}, it is possible to compute the selection by y = (y_1, y_2, …, y_n) of the garbled outputs: Z_1^{y_1}, Z_2^{y_2}, …, Z_n^{y_n}.

x or y share the output

## Garbling

We construct the garbled circuit gate by gate, in some topological sort (from inputs to outputs).

Start by choosing random values for the inputs: I_1^0, I_1^1, I_2^0, I_2^1, …, I_n^0, I_n^1.

Let F_W : {0,1}^{2|C|} → {0,1}^{n+1} be a pseudo-random function, where |W| = n.

## Garbled Circuits

[Figure: the original circuit has gates G_1 (input wires i, j, k) and G_2 (input wires l, m, n) feeding gate G_3, whose output wire is out; in the garbled circuit every wire w carries a pair of garbled values W_w^0, W_w^1.]

## Garbled Circuits: Garbled Values for Wires

- Assign random pairs W_w^0, W_w^1 for each wire
- Assign a random "permutation" π : {0,1} → {0,1} for each gate

## Tables for a Gate

b_i, b_j are the true values; c_i, c_j the permuted values; b_k = G(b_i, b_j).

If we know (c_i, W_i^{b_i}) and (c_j, W_j^{b_j}), we want to know (c_k, W_k^{b_k}).

Input wires i, j carry the pairs W_i^0, W_i^1 and W_j^0, W_j^1; the output wire k of gate G carries W_k^0, W_k^1.

Typical entry:

[(c_k, W_k^{G(b_i,b_j)}) + F_{W_i^{b_i}}(c_j, k) + F_{W_j^{b_j}}(c_i, k)]

## Translation Table for an OR Gate

Input wires i, j carry W_i^0, W_i^1 and W_j^0, W_j^1; the output wire k of gate G carries W_k^0, W_k^1.

Encrypt (c_k(b_i, b_j), W_k^{G(b_i,b_j)}) with W_i^{b_i}, W_j^{b_j}.

Sender constructs a translation table from input values to output values:

| b_i | b_j | Table entry |
|---|---|---|
| 0 | 1 | ENC_{W_i^0, W_j^1}(W_k^1) |
| 1 | 0 | ENC_{W_i^1, W_j^0}(W_k^1) |
| 1 | 1 | ENC_{W_i^1, W_j^1}(W_k^1) |
| 0 | 0 | ENC_{W_i^0, W_j^0}(W_k^0) |
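The gate table of the two slides above, garbled and evaluated in code. This is an added example, not the lecture's own code: the slides' PRF F_W is instantiated with HMAC-SHA256 (an assumption), the permutation bit is kept per wire so that c = b ⊕ π and the four entries are stored at position (c_i, c_j), and each entry is (c_k, W_k^{G(b_i,b_j)}) masked with F_{W_i^{b_i}}(c_j, k) ⊕ F_{W_j^{b_j}}(c_i, k) exactly as in the "typical entry". `demo_or_gate` garbles an OR gate on fresh random wires and checks all four evaluations.

```python
import hashlib
import hmac
import secrets

KEYLEN = 16   # byte length of a garbled wire value W_w^b (constructed choice)

def prf(key, c, wire):
    """F_key(c, wire) from the slides, instantiated with HMAC-SHA256 (an assumption);
    output is one byte for the permuted bit c_k plus KEYLEN bytes for W_k."""
    return hmac.new(key, f"{c}|{wire}".encode(), hashlib.sha256).digest()[:KEYLEN + 1]

def xor(a, b):
    return bytes(u ^ v for u, v in zip(a, b))

def garble_gate(gate, W, pi):
    """Sender builds the 4-entry table of gate k with input wires i, j.
    W[w] = (W_w^0, W_w^1); pi[w] is wire w's permutation bit, so c = b xor pi[w].
    The entry for true inputs (b_i, b_j) sits at position (c_i, c_j) and holds
    (c_k, W_k^{G(b_i,b_j)}) masked with F_{W_i^{b_i}}(c_j, k) xor F_{W_j^{b_j}}(c_i, k)."""
    table = [None] * 4
    for b_i in (0, 1):
        for b_j in (0, 1):
            c_i, c_j = b_i ^ pi["i"], b_j ^ pi["j"]
            b_k = gate(b_i, b_j)
            plain = bytes([b_k ^ pi["k"]]) + W["k"][b_k]
            mask = xor(prf(W["i"][b_i], c_j, "k"), prf(W["j"][b_j], c_i, "k"))
            table[2 * c_i + c_j] = xor(plain, mask)
    return table

def eval_gate(table, c_i, W_i, c_j, W_j):
    """Chooser holds one garbled value and its permuted bit per input wire: the bits
    select the entry, the values strip its mask; the other three entries stay closed."""
    mask = xor(prf(W_i, c_j, "k"), prf(W_j, c_i, "k"))
    plain = xor(table[2 * c_i + c_j], mask)
    return plain[0], plain[1:]

def demo_or_gate():
    """Garble an OR gate on fresh wires and evaluate it on all four inputs;
    True iff each evaluation yields exactly (c_k, W_k^{OR(b_i,b_j)})."""
    W, pi = {}, {}
    for w in ("i", "j", "k"):
        W[w], pi[w] = (secrets.token_bytes(KEYLEN), secrets.token_bytes(KEYLEN)), secrets.randbelow(2)
    table = garble_gate(lambda a, b: a | b, W, pi)
    ok = True
    for b_i in (0, 1):
        for b_j in (0, 1):
            c_k, W_k = eval_gate(table, b_i ^ pi["i"], W["i"][b_i], b_j ^ pi["j"], W["j"][b_j])
            ok = ok and c_k == (b_i | b_j) ^ pi["k"] and W_k == W["k"][b_i | b_j]
    return ok
```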

## The Protocol

Initialization:

- For every wire, Sender assigns random (garbled) values to the 0/1 values.
- For every gate, Sender constructs a table s.t. given the garbled values of the input wires, it enables computing the garbled values of the output wire, and nothing else.

Computation: Chooser obtains the garbled values of the input wires of the circuit, and propagates them to the output wires.

## Choosing the Garbled Inputs

For each 1 ≤ j ≤ n, run a 1-out-of-2 OT where Sender has I_j^0, I_j^1 and Chooser has X_j.

Sender provides the gate tables and a translation table from the garbled output values.

Chooser computes the result of P(x).

## The Problem with SFE

SFE does not imply privacy: the problem is with the ideal model.

E.g., f = sum(a, b). Each player learns only what can be deduced from f and her own input to f: if f and a yield b, so be it.

Need ways of talking about leakage even in the ideal model.