Foundations of Privacy

Nov 21, 2013


Lecture 2

Lecturer: Moni Naor

Planned Topics

- Privacy of Data Analysis
  - Differential Privacy
    - Definition and Properties
    - Statistical databases
    - Dynamic data
  - Privacy of learning algorithms
  - Privacy of genomic data
- Interaction with cryptography
  - SFE
  - Voting
  - Entropic Security
  - Data Structures
  - Everlasting Security
- Privacy Enhancing Tech.
  - Mix nets

Course Information

Foundations of Privacy - Spring 2012

Instructor: Moni Naor
When: Sundays, 16:00-18:00 (2 points)
Where: Ziskind 1
Course web page: www.wisdom.weizmann.ac.il/~naor/COURSE/foundations_of_privacy.html

Prerequisites: familiarity with algorithms, data structures, probability theory, and linear algebra, at an undergraduate level; a basic course in computability is assumed.

Requirements:
- Participation in discussion in class
  - Best: read the papers ahead of time
- Homework: there will be several homework assignments
  - Homework assignments should be turned in on time (usually two weeks after they are given)!
- Class project and presentation
- Exam: none planned

Office: Ziskind 248
Phone: 3701
E-mail: moni.naor@

Projects

- Report on a paper
- Apply a notion studied to some known domain
- Checking the state of privacy in some setting

Cryptography and Privacy

Extremely relevant - but does not solve the privacy problem

Secure Function Evaluation
- How to distributively compute a function f(X_1, X_2, …, X_n), where X_j is known to party j.
  - E.g., f = sum(a, b, c, …)
- Parties should only learn the final output
- Many results depending on
  - Number of players
  - Means of communication
  - The power and model of the adversary
  - How the function is represented

More worried about what to compute than how to compute

Example: Securely Computing Sums

Parties 1, …, n hold inputs X_1, X_2, X_3, X_4, X_5, … with 0 ≤ X_i ≤ P-1. Want to compute Σ_i X_i (mod P).

- Party 1 selects r ∈_R [0..P-1]. Sends Y_1 = X_1 + r
- Party i receives Y_{i-1} and sends Y_i = Y_{i-1} + X_i
- Party 1 receives Y_n and announces Σ_i X_i = Y_n - r

All arithmetic is mod P. The messages Y_1, Y_2, Y_3, Y_4, Y_5, … travel around the ring of parties.
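The ring protocol above, written out as an added Python example (it is not code from the lecture): it runs the masked sum mod P on constructed inputs and, following the remark on the next slide that an adversary controlling two players breaks it, shows what two neighbours of party i can compute from the two messages they hold. The modulus P and the inputs are constructed values.

```python
import secrets

# Constructed toy instance: modulus P and five inputs X_1..X_5 as on the slide.
P = 1_000_003
INPUTS = [17, 250, 9, 4000, 123]


def secure_sum(xs, p):
    """Ring protocol from the slide. Party 1 masks its input with a uniform r,
    each later party adds its own input to the running value, and Party 1
    removes the mask from Y_n. Returns (sum mod p, [Y_1, ..., Y_n]) so the
    message each party sees on the wire can be inspected. Because r is
    uniform mod p, every single Y_i on its own is uniform as well."""
    if any(not 0 <= x < p for x in xs):
        raise ValueError("inputs must lie in [0..P-1]")
    r = secrets.randbelow(p)             # r chosen uniformly from [0..P-1]
    ys = [(xs[0] + r) % p]               # Y_1 = X_1 + r
    for x in xs[1:]:
        ys.append((ys[-1] + x) % p)      # Y_i = Y_{i-1} + X_i
    total = (ys[-1] - r) % p             # Party 1 announces Y_n - r
    return total, ys


def x_i_from_two_neighbours(ys, i, p):
    """The slide's caveat made concrete: an adversary controlling parties i-1
    and i+1 holds both Y_{i-1} and Y_i, and Y_i - Y_{i-1} = X_i (mod p)."""
    return (ys[i - 1] - ys[i - 2]) % p


if __name__ == "__main__":
    total, ys = secure_sum(INPUTS, P)
    print("sum mod P:", total)
    print("X_3 as computed by colluding parties 2 and 4:",
          x_i_from_two_neighbours(ys, 3, P))
```

The honest-but-curious view of a single party is one uniformly distributed value, which is why a lone corrupt party learns nothing; the second function is the reason the slide says two corrupt players make the protocol insecure.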

Is this Protocol Secure?

To talk rigorously about cryptographic security:
- Specify the Power of the Adversary
  - Access to the data/system
  - Computational power?
  - "Auxiliary" information?
- Define a Break of the System
  - What is compromise?
  - What is a "win" for the adversary?

For the sum protocol:
- If the adversary controls two players - insecure
- The adversary can be all powerful here

The Simulation Paradigm

A protocol is considered secure if:
- For every adversary (of a certain type)
- There exists a simulator that outputs an indistinguishable "transcript".

Examples:
- Encryption
- Zero-knowledge
- Secure function evaluation

Power of analogy

SFE: Simulating the ideal model

A protocol is considered secure if:
- For every adversary there exists a simulator operating in the "ideal" (trusted party) model that outputs an indistinguishable transcript.

Major result: "Any function f that can be evaluated using polynomial resources can be securely evaluated using polynomial resources"

Breaking = distinguishing!

Honest but curious model

- Parties follow the protocol
- Never erase information

General principle: design your protocol assuming the players are honest-but-curious
- Translate the protocol into one resilient against malicious players
- Use zero-knowledge (POK) for all languages in NP as a compiler

Secure Function Evaluation (SFE)

- Major and exciting topic of research in the last quarter century
- How to distributively compute a function f(X_1, X_2, …, X_n), where X_j is known to party j.
- Parties learn only the final output


The Millionaires Problem

Alice holds x, Bob holds y. Whose value is greater? Leak no other information!

Ideal Solution for the Millionaires Problem

Alice sends x and Bob sends y to a trusted party ("TrustMe"), who answers whose value is greater. Well ...

Secure Function Evaluation: (Informal) Definition

For any adversary there is a comparable one working in the Ideal Model with similar output.

Or: a protocol is secure if it emulates the ideal solution.

Second Price Auctions - Vickrey

So why isn't it more popular?

Sealed bid, second price auction:
- Winner is the highest bidder, pays the second highest bid
- Why? Bidding true value is a dominant (and simple) strategy
  - Single round simulation of the English auction

Problems with applying the Revelation Principle
- Utility functions (value of item) contain sensitive information
- Participants might cheat simply to avoid leaking this information

Hal Varian:
"Even if current information can be safeguarded, records of past behavior can be extremely valuable, since historical data can be used to estimate the willingness to pay"
"...what should be the appropriate technological and social safeguards to deal with this problem?"

This lecture: technological safeguards via cryptography

f(X_1, X_2, …, X_n) = (i, x_j), where x_i = max_k x_k and x_j = max_{k ≠ i} x_k

Major Result [Yao,GMW]

"Any function f that can be evaluated using polynomial resources can be securely evaluated using polynomial resources"

SFE

Many results depending on
- Number of players
- Means of communication
- The power and model of the adversary
- How the function is represented

Simulation

A protocol is considered secure if:
- For every adversary (of a certain type)
- There exists a simulator that outputs an indistinguishable "transcript".

Examples:
- Encryption
- Zero-knowledge
- Next: secure function evaluation

Simulating the ideal model

A protocol is considered secure if:
- For every adversary there exists a simulator operating in the "ideal" (trusted party) model that outputs an indistinguishable "transcript".



1-out-of-2 Oblivious Transfer

Alice (Chooser) holds j ∈ {0,1}; Bob (Sender) holds Y_0, Y_1. Alice learns Y_j; Bob learns nothing.

Implementations of OT_1^2
- Can be based on most public-key systems
- There are implementations with two rounds of communication

Oblivious Transfer

1-out-of-N OT
- Input: Sender holds m_0, …, m_{N-1}; Chooser holds an index in {0,1,…,N-1}
- Output: Chooser obtains the m at the chosen index
- The parties learn nothing else:
  - Indistinguishable to Sender which index is used
  - Chooser learns no other value of m_0, …, m_{N-1}

Precise definition?

The EGL paradigm for OT_1^2

- Chooser (input: a bit in {0,1}) sends PK_0, PK_1 and a proof that she knows only one private key.
- Sender (input: m_0, m_1) replies with E_{PK_0}(m_0), E_{PK_1}(m_1).

The Bellare-Micali Protocol

Sender: input m_0, m_1. Chooser: input σ ∈ {0,1} (σ is written here for the Chooser's choice bit).

- Sender: picks a random C in the group and sends it
- Chooser: picks a private key k, sends PK_σ = g^k, PK_{1-σ} = C/PK_σ
- Sender: picks random r_0, r_1 and sends
  E(m_0) = (g^{r_0}, H[(PK_0)^{r_0}] ⊕ m_0)
  E(m_1) = (g^{r_1}, H[(PK_1)^{r_1}] ⊕ m_1)
- Chooser: decrypts m_σ using k

Properties

(σ is written here for the Chooser's choice bit.)

- Chooser is protected information-theoretically: PK_0 and PK_1 are random elements in the group such that PK_0 · PK_1 = C
- Chooser cannot know both log_g PK_0 and log_g PK_1
  - This would imply knowing log_g C
- If Chooser knows PK_σ: then (PK_{1-σ})^{r_{1-σ}} is an unknown Diffie-Hellman value
  - Therefore m_{1-σ} is computationally protected
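The Bellare-Micali exchange and the two properties above, as an added Python example (not code from the lecture). The group is a constructed toy parameter set, a safe prime p = 1019 with q = 509 and g = 4 generating the order-q subgroup, chosen so the run is instant; the protocol logic is independent of the group size. H is instantiated with SHA-256 and ⊕ with byte-wise XOR; both choices are the example's, the slide leaves them abstract.

```python
import hashlib
import secrets

# Toy group, constructed for this example: safe prime p = 2q + 1 with q = 509,
# and g = 4 generating the subgroup of order q. Real deployments use a
# standards-sized group; only these three constants would change.
P, Q, G = 1019, 509, 4


def rand_exponent() -> int:
    """Uniform non-zero exponent in Z_q."""
    return 1 + secrets.randbelow(Q - 1)


def H(element: int, length: int) -> bytes:
    """The slide's H: hash a group element to a key stream of the wanted length."""
    enc = element.to_bytes((element.bit_length() + 7) // 8 or 1, "big")
    return hashlib.sha256(b"BM-OT|" + enc).digest()[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def sender_pick_c() -> int:
    """Sender's first message: a random C in the group."""
    return pow(G, rand_exponent(), P)


def chooser_keys(sigma: int, c: int):
    """Chooser picks a private key k and sets PK_sigma = g^k, PK_{1-sigma} = C / PK_sigma.
    She knows log_g of exactly one key; knowing both would mean knowing log_g C."""
    k = rand_exponent()
    pk_sigma = pow(G, k, P)
    pk_other = (c * pow(pk_sigma, -1, P)) % P
    pks = (pk_sigma, pk_other) if sigma == 0 else (pk_other, pk_sigma)
    return k, pks


def sender_encrypt(pks, c: int, m0: bytes, m1: bytes):
    """Sender checks PK_0 * PK_1 = C (all it can verify, which is why the Chooser
    is hidden information-theoretically) and returns, for b = 0, 1,
    E_{PK_b}(m_b) = (g^{r_b}, H[(PK_b)^{r_b}] xor m_b)."""
    if (pks[0] * pks[1]) % P != c:
        raise ValueError("PK_0 * PK_1 != C: chooser's keys are malformed")
    cts = []
    for pk, m in zip(pks, (m0, m1)):
        r = rand_exponent()
        cts.append((pow(G, r, P), xor(H(pow(pk, r, P), len(m)), m)))
    return cts


def chooser_decrypt(sigma: int, k: int, cts) -> bytes:
    """(g^{r_sigma})^k = (PK_sigma)^{r_sigma}, so only ciphertext sigma opens; the
    other one needs the Diffie-Hellman value (PK_{1-sigma})^{r_{1-sigma}}."""
    g_r, body = cts[sigma]
    return xor(H(pow(g_r, k, P), len(body)), body)


def run_ot(sigma: int, m0: bytes, m1: bytes) -> bytes:
    """One complete 1-out-of-2 OT run; returns what the Chooser ends up with."""
    c = sender_pick_c()
    k, pks = chooser_keys(sigma, c)
    return chooser_decrypt(sigma, k, sender_encrypt(pks, c, m0, m1))


if __name__ == "__main__":
    print(run_ot(1, b"message zero", b"message one "))
```

The check PK_0 · PK_1 = C in sender_encrypt is the whole of the Sender's verification: it guarantees the Chooser could not have chosen both discrete logs, without revealing which one she holds.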

Idea

- Chooser gives two ciphertexts - a good and a bad one - and proves consistency
- Here: make it trivial to verify
- Sender randomizes ciphertexts
  - Good ciphertext remains consistent
  - Bad ciphertext - maps to a random value
- Based on random self-reducibility of DDH

The OT protocol

(σ is written here for the Chooser's choice bit.)

Chooser
- Defines x = g^a, y = g^b, z_σ = g^{ab} and z_{1-σ} ≠ z_σ
- Sends (x, y, z_0, z_1) to the sender.
- Note that z_σ = x^b and y = g^b

Sender
- Chooses random (r_0, s_0), (r_1, s_1).
- Computes w_0 = x^{s_0} · g^{r_0} and w_1 = x^{s_1} · g^{r_1}
- Encrypts m_0 with z_0^{s_0} · y^{r_0} and m_1 with z_1^{s_1} · y^{r_1}
- Sends w_0, w_1 and the encryptions.

Chooser recovers the key as (w_σ)^b, decrypts m_σ.

The OT protocol: Properties

(σ is written here for the Chooser's choice bit.)

Security:
- Chooser: the DDH assumption implies that the sender cannot distinguish between z_σ = g^{ab} and z_{1-σ}.
- Sender: if z_{1-σ} ≠ g^{ab}, then given (m_{1-σ}, w_{1-σ}) the key z_{1-σ}^{s_{1-σ}} · y^{r_{1-σ}} is uniformly distributed.

Overhead: O(1) exponentiations.

Generalization to OT_1^N without increasing the chooser's complexity.
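The DDH-based OT protocol of the previous two slides, as an added Python example (not code from the lecture). The group is the same constructed toy parameter set (p = 1019, q = 509, g = 4); the symmetric encryption the slide leaves abstract is instantiated as SHA-256 of the key element XORed onto the message, an assumption of the example. The last function checks the Sender-side property concretely: for the branch whose z is not g^{ab}, the key the Sender used never equals what the Chooser can compute from w and b.

```python
import hashlib
import secrets

# Toy group, constructed for this example: safe prime p = 2q + 1 with q = 509,
# g = 4 of order q. Replace with a standards-sized group for real use.
P, Q, G = 1019, 509, 4


def rand_exponent() -> int:
    return 1 + secrets.randbelow(Q - 1)


def kdf(key_element: int, length: int) -> bytes:
    """Key stream from the group element z^s * y^r (the example's stand-in for
    the slide's unspecified symmetric encryption)."""
    enc = key_element.to_bytes((key_element.bit_length() + 7) // 8 or 1, "big")
    return hashlib.sha256(b"DDH-OT|" + enc).digest()[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def chooser_round1(sigma: int):
    """x = g^a, y = g^b, z_sigma = g^{ab} (a DDH tuple) and z_{1-sigma} != z_sigma.
    The Chooser keeps b; under DDH the Sender cannot tell which z is g^{ab}."""
    a, b = rand_exponent(), rand_exponent()
    x, y = pow(G, a, P), pow(G, b, P)
    z_good = pow(x, b, P)                 # = g^{ab}, equivalently x^b as the slide notes
    z_bad = z_good
    while z_bad == z_good:                # any other element of the group
        z_bad = pow(G, rand_exponent(), P)
    z0, z1 = (z_good, z_bad) if sigma == 0 else (z_bad, z_good)
    return b, (x, y, z0, z1)


def sender_round2(msg, m0: bytes, m1: bytes):
    """Randomize: w_b = x^{s_b} g^{r_b}, key_b = z_b^{s_b} y^{r_b}. For the good z
    the key equals w_b^b; for the bad z it is uniform and independent of w_b."""
    x, y, z0, z1 = msg
    if z0 == z1:
        raise ValueError("z_0 == z_1: both branches would be DDH tuples, refusing")
    out = []
    for z, m in zip((z0, z1), (m0, m1)):
        r, s = rand_exponent(), rand_exponent()
        w = (pow(x, s, P) * pow(G, r, P)) % P
        key = (pow(z, s, P) * pow(y, r, P)) % P
        out.append((w, xor(kdf(key, len(m)), m)))
    return out


def chooser_round3(sigma: int, b: int, out) -> bytes:
    """Recover the key as (w_sigma)^b = x^{s b} g^{r b} = z_sigma^s y^r and decrypt."""
    w, ct = out[sigma]
    return xor(kdf(pow(w, b, P), len(ct)), ct)


def run_ot(sigma: int, m0: bytes, m1: bytes) -> bytes:
    b, msg = chooser_round1(sigma)
    return chooser_round3(sigma, b, sender_round2(msg, m0, m1))


def bad_branch_key_differs(sigma: int) -> bool:
    """Sender property from the slide: with z_{1-sigma} = g^c, c != ab, the Sender's
    key is g^{cs + br} while the Chooser can only form w^b = g^{abs + br}; they
    differ by g^{s(c - ab)} != 1 for every s in [1, q-1]."""
    b, (x, y, z0, z1) = chooser_round1(sigma)
    z_bad = (z0, z1)[1 - sigma]
    r, s = rand_exponent(), rand_exponent()
    w = (pow(x, s, P) * pow(G, r, P)) % P
    key = (pow(z_bad, s, P) * pow(y, r, P)) % P
    return pow(w, b, P) != key


if __name__ == "__main__":
    print(run_ot(0, b"first option ", b"second option"))
```

The z_0 == z_1 check in sender_round2 is the Sender's only verification step, and it is what the slide means by "make it trivial to verify": the Sender does not learn which z is the DDH tuple, only that at most one of them can be.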

Question: how to do

Secret Sharing

Threshold Secret Sharing - how to split a secret S into N shares so that
- No k-1 shares yield any information about the secret S
- Any k shares are sufficient to reconstruct the secret

Best known example: Shamir's polynomial-based scheme.

Simplest example, 2-out-of-2: choose random S_1 and let S_2 = S ⊕ S_1

Two party Computation

Two party protocol
- Input:
  - Sender: function P (some representation)
  - Receiver: x ∈ {0,1}^n
- Output:
  - Receiver: P(x) and nothing else about P
  - Sender: nothing about x

Representations of P
- Boolean circuits [Yao,GMW,…]
- Algebraic circuits [BGW,…]
- Low degree polynomials [BFKR]
- Matrix product over a large field [FKN,IK]
- Randomizing polynomials [IK]
- Communication Complexity Protocol [NN]

Garbling P

Input: description of P as a Boolean circuit C over basis B

Output:
- Garbled circuit C - tables
- Pairs of garbled inputs I_1^0, I_1^1, I_2^0, I_2^1, …, I_n^0, I_n^1
- Pairs of garbled outputs Z_1^0, Z_1^1, Z_2^0, Z_2^1, …, Z_n^0, Z_n^1

Garbling Requirements

For x ∈ {0,1}^n and y = P(x):

Given
- the C - tables
- the selection by x = (x_1, x_2, … x_n) of garbled inputs: I_1^{x_1}, I_2^{x_2}, …, I_n^{x_n}

it is
- possible to compute the selection by y = (y_1, y_2, … y_n): Z_1^{y_1}, Z_2^{y_2}, …, Z_n^{y_n}
- impossible to deduce anything about x or y

Sender and Receiver share the output

Garbling

We construct the garbled circuit
- Gate by gate
- Some topological sort (from inputs to outputs)
- Start by choosing random values for the inputs I_1^0, I_1^1, I_2^0, I_2^1, …, I_n^0, I_n^1
- Let F_W : {0,1}^{2|C|} → {0,1}^{n+1} be a pseudo-random function, with |W| = n

Garbled Circuits

Original circuit (figure): wires i, j, k, l, m, n and out, gates G_1, G_2, G_3.

Garbled circuit (figure): the same gates, but every wire carries a random pair of garbled values: W_i^0, W_i^1; W_j^0, W_j^1; W_k^0, W_k^1; W_l^0, W_l^1; W_m^0, W_m^1; W_n^0, W_n^1; W_out^0, W_out^1.

Garbled Circuits

Garbled values for wires
- Assign random pairs for each wire
- Assign a random "permutation" {0,1} → {0,1} for each gate

Tables for a Gate

- b_i, b_j are the true values
- c_i, c_j are the permuted values
- b_k = G(b_i, b_j)
- If we know (c_i, W_i^{b_i}) and (c_j, W_j^{b_j}), we want to know (c_k, W_k^{b_k})

Gate G (figure): input wires i, j with pairs W_i^0, W_i^1 and W_j^0, W_j^1; output wire k with pair W_k^0, W_k^1.

Typical entry: [(c_k, W_k^{G(b_i,b_j)}) + F_{W_i^{b_i}}(c_j, k) + F_{W_j^{b_j}}(c_i, k)]

Translation table for an OR gate

Gate G (figure): input wires i, j and output wire k, with garbled pairs W_i^0, W_i^1; W_j^0, W_j^1; W_k^0, W_k^1.

Encrypt (c_k, W_k^{G(b_i,b_j)}) with W_i^{b_i}, W_j^{b_j}

Sender constructs a translation table from input values to output values:

b_i  b_j  Table entry
0    1    ENC_{W_i^0, W_j^1}(W_k^1)
1    0    ENC_{W_i^1, W_j^0}(W_k^1)
1    1    ENC_{W_i^1, W_j^1}(W_k^1)
0    0    ENC_{W_i^0, W_j^0}(W_k^0)

The protocol

Initialization:
- For every wire, Sender assigns random (garbled) values to the 0/1 values
- For every gate, Sender constructs a table s.t. given the garbled values of the input wires it enables computing the garbled value of the output wire, and nothing else

Computation: Receiver obtains the garbled values of the input wires of the circuit, and propagates them to the output wires

Choosing the garbled Inputs

- For each 1 ≤ j ≤ n run a 1-out-of-2 OT where
  - Sender: I_j^0, I_j^1
  - Receiver: x_j
- Sender provides the Receiver
  - the gate tables,
  - a translation table from garbled output values.
- Receiver computes the result P(x)

The Problem with SFE

SFE does not imply privacy:
- The problem is with the ideal model
- E.g., f = sum(a, b)
  - Each player learns only what can be deduced from the output and her own input to f
  - If the output and a yield b, so be it.
- Need ways of talking about leakage even in the ideal model