Foundations of Privacy
Lecture 2
Lecturer: Moni Naor
Planned Topics
Privacy of Data Analysis
• Differential Privacy
  – Definition and Properties
  – Statistical databases
  – Dynamic data
• Privacy of learning algorithms
• Privacy of genomic data
Interaction with cryptography
• SFE
• Voting
• Entropic Security
• Data Structures
• Everlasting Security
• Privacy Enhancing Tech.
  – Mixed nets
Course Information
Foundation of Privacy, Spring 2012
Instructor: Moni Naor
When: Sundays, 16:00 - 18:00 (2 points)
Where: Ziskind 1
• Course web page: www.wisdom.weizmann.ac.il/~naor/COURSE/foundations_of_privacy.html
• Prerequisites: familiarity with algorithms, data structures, probability theory, and linear algebra, at an undergraduate level; a basic course in computability is assumed.
• Requirements:
  – Participation in discussion in class
    • Best: read the papers ahead of time
  – Homework: There will be several homework assignments
    • Homework assignments should be turned in on time (usually two weeks after they are given)!
  – Class Project and presentation
  – Exam: none planned
Office: Ziskind 248
Phone: 3701
E-mail: moni.naor@
Projects
• Report on a paper
• Apply a notion studied to some known domain
• Checking the state of privacy in some setting
Cryptography and Privacy
Extremely relevant, but does not solve the privacy problem
Secure Function Evaluation
• How to distributively compute a function f(X_1, X_2, …, X_n),
  – where X_j is known to party j.
• E.g., ∑ = sum(a, b, c, …)
  – Parties should only learn the final output (∑)
• Many results depending on
  – Number of players
  – Means of communication
  – The power and model of the adversary
  – How the function is represented
More worried what to compute than how to compute
Example: Securely Computing Sums
Inputs X_1, X_2, X_3, X_4, X_5 with 0 ≤ X_i ≤ P - 1. Want to compute ∑ X_i.
1. Party 1 selects r ∈_R [0..P - 1]. Sends Y_1 = X_1 + r.
2. Party i receives Y_{i-1} and sends Y_i = Y_{i-1} + X_i.
3. Party 1 receives Y_n and announces ∑ X_i = Y_n - r.
Messages around the ring: Y_1, Y_2, Y_3, Y_4, Y_5 (all arithmetic mod P).
Is this Protocol Secure?
To talk rigorously about cryptographic security:
• Specify the Power of the Adversary
  – Access to the data/system
  – Computational power?
  – “Auxiliary” information?
• Define a Break of the System
  – What is compromise
  – What is a “win” for the adversary?
If it controls two players: insecure
Can be all powerful here
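The ring protocol of the previous slide, simulated in Python as an added example (not part of the lecture). It runs the three steps exactly as stated, and then shows the point made above: each party alone sees one uniformly masked value, but the two neighbours of party i hold Y_{i-1} and Y_i between them and can subtract. The modulus and the input values are constructed for the example.

```python
import secrets


def secure_sum(inputs, P):
    """Ring protocol from the slides: party 1 masks X_1 with a random r, every
    party i adds X_i to the running value Y_{i-1}, and party 1 removes r at the end.
    Returns the announced sum and the list [Y_1, ..., Y_n] of values that travelled
    around the ring (all arithmetic mod P)."""
    r = secrets.randbelow(P)                          # r chosen uniformly in [0..P-1]
    messages = [(inputs[0] + r) % P]                  # Y_1 = X_1 + r
    for x in inputs[1:]:
        messages.append((messages[-1] + x) % P)       # Y_i = Y_{i-1} + X_i
    announced = (messages[-1] - r) % P                # party 1: sum = Y_n - r
    return announced, messages


def view_of_single_party(messages, i):
    """What party i (2 <= i <= n) sees on its own: only Y_{i-1}, which is X_1 + ... + X_{i-1}
    shifted by the uniformly random r, hence uniform on its own."""
    return messages[i - 2]


def learned_by_neighbours(messages, i, P):
    """Parties i-1 and i+1 together hold Y_{i-1} and Y_i (the first sent it, the second
    received it), so they recover X_i = Y_i - Y_{i-1} mod P without deviating from the
    protocol at all. This is the 'controls two players' case of the slide."""
    return (messages[i - 1] - messages[i - 2]) % P


def demo():
    P = 1000003                                       # constructed modulus
    inputs = [17, 250, 4096, 33, 999]                 # constructed inputs X_1..X_5
    total, msgs = secure_sum(inputs, P)
    return total, learned_by_neighbours(msgs, 3, P)   # neighbours 2 and 4 learn X_3
```

`demo()` returns the correct sum 5395 together with 4096, the input of party 3 as recovered by parties 2 and 4; the honest-but-curious coalition needs no computational power, which is why the slide says the adversary can be all powerful here.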
The Simulation Paradigm
A protocol is considered secure if:
• For every adversary (of a certain type) there exists a simulator that outputs an indistinguishable “transcript”.
Examples:
• Encryption
• Zero-knowledge
• Secure function evaluation
Power of analogy
SFE: Simulating the ideal model
A protocol is considered secure if:
• For every adversary there exists a simulator operating in the “ideal” (trusted party) model that outputs an indistinguishable transcript.
Major result: “Any function f that can be evaluated using polynomial resources can be securely evaluated using polynomial resources”
Breaking = distinguishing!
Honest but curious model
• Parties follow the protocol
• Never erase information
• General principle: design your protocol assuming the players are honest-but-curious
• Translate the protocol into one resilient against malicious players
  – Use zero-knowledge (POK) for all languages in NP as a compiler
Secure Function Evaluation (SFE)
• Major and exciting topic of research in the last quarter century
• How to distributively compute a function f(X_1, X_2, …, X_n),
  – where X_j is known to party j.
  – Parties learn only the final output
The Millionaires Problem
Alice holds x, Bob holds y.
Whose value is greater?
Leak no other information!
Ideal Solution for the Millionaires Problem
Alice sends x and Bob sends y to a trusted party, TrustMe, who answers.
Well ...
Secure Function Evaluation (Informal) Definition
For any adversary there is a comparable one working in the Ideal Model with similar output
Or
A protocol is secure if it emulates the ideal solution
Second Price Auctions - Vickrey
So why isn’t it more popular?
Sealed bid, second price auction:
• Winner is the highest bidder, pays second highest bid
• Why?
  – Bidding true value is a dominant (and simple) strategy
  – Single round simulation of the English auction
Problems with applying the Revelation Principle
  – Utility functions (value of item) contain sensitive information
  – Participants might cheat simply to avoid leaking this information
Hal Varian: “Even if current information can be safeguarded, records of past behavior can be extremely valuable, since historical data can be used to estimate the willingness to pay”
“...what should be the appropriate technological and social safeguards to deal with this problem?”
This lecture: technological safeguards via cryptography
f(X_1, X_2, …, X_n) = (i, x_j), where x_i = max_k x_k and x_j = max_{k ≠ i} x_k
Major Result [Yao, GMW]
“Any function f that can be evaluated using polynomial resources can be securely evaluated using polynomial resources”
SFE
• Many results depending on
  – Number of players
  – Means of communication
  – The power and model of the adversary
  – How the function is represented
Simulation
A protocol is considered secure if:
• For every adversary (of a certain type) there exists a simulator that outputs an indistinguishable “transcript”.
Example:
• Encryption
• Zero-knowledge
• Next: secure function evaluation
Simulating the ideal model
A protocol is considered secure if:
• For every adversary there exists a simulator operating in the “ideal” (trusted party) model that outputs an indistinguishable “transcript”.
1-out-of-2 Oblivious Transfer
Chooser (Alice): input j. Sender (Bob): inputs Y_0, Y_1.
Alice learns Y_j; Bob learns nothing.
Implementations of 1-out-of-2 OT
• Can be based on most public-key systems
• There are implementations with two rounds of communication
Oblivious Transfer: 1-out-of-N OT
Input: Sender holds m_0, …, m_{N-1}; Chooser holds an index in {0, 1, …, N-1}.
Output: Chooser obtains the m at the chosen index.
The parties learn nothing else:
• Indistinguishable to Sender which index is used
• Chooser learns no other value of m_0, …, m_{N-1}
Precise definition?
The EGL paradigm for 1-out-of-2 OT
Chooser: input a bit in {0, 1}. Sender: inputs m_0, m_1.
Chooser sends PK_0, PK_1 and a proof that she knows only one private key.
Sender replies with E_{PK_0}(m_0), E_{PK_1}(m_1).
The Bellare-Micali Protocol
Chooser: input j in {0, 1}. Sender: inputs m_0, m_1.
Sender: picks a random C in the group and sends it.
Chooser: picks a private key k, sends PK_j = g^k, PK_{1-j} = C / PK_j.
Sender: picks random r_0, r_1 and sends
  E(m_0) = (g^{r_0}, H[(PK_0)^{r_0}] ⊕ m_0)
  E(m_1) = (g^{r_1}, H[(PK_1)^{r_1}] ⊕ m_1)
Chooser: decrypts m_j using k.
Properties
• Chooser is protected information-theoretically: PK_0 and PK_1 are random elements in the group such that PK_0 · PK_1 = C
• Chooser cannot know both log_g PK_0 and log_g PK_1
  – This implies knowing log_g C
  – If Chooser knows log_g PK_j, then (PK_{1-j})^{r_{1-j}} is an unknown Diffie-Hellman value
Therefore m_{1-j} is computationally protected
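The Bellare-Micali protocol of the last two slides, written out as an added example (not from the lecture). It uses a toy group constructed for the example (a safe prime p = 2q + 1 with g generating the order-q subgroup) and instantiates H as SHA-256 of the group element, with the message XORed onto the hash; both are assumptions, the slides fix neither. The sender's check PK_0 · PK_1 = C is what replaces the "proof that she knows only one private key" of the EGL paradigm: the chooser can build a consistent pair only by choosing one key and dividing C by it.

```python
import hashlib
import secrets

# Toy group constructed for this example: p = 2q + 1 is a safe prime and g = 4
# generates the subgroup of prime order q. Real use needs a group of cryptographic
# size; the arithmetic below is the same.
P, Q, G = 1019, 509, 4


def rand_exp():
    return secrets.randbelow(Q - 1) + 1                 # uniform in [1, q-1]


def h_pad(element, length):
    """H[.] of the slides, instantiated here (assumption) as SHA-256 of the group element."""
    return hashlib.sha256(element.to_bytes(4, "big")).digest()[:length]


def xor(a, b):
    return bytes(u ^ v for u, v in zip(a, b))


def sender_setup():
    """Step 1: sender sends a random C in the group (the chooser must not know log_g C)."""
    return pow(G, rand_exp(), P)


def chooser_keys(C, j):
    """Step 2: chooser knows the private key of PK_j only; PK_{1-j} = C / PK_j."""
    k = rand_exp()
    pk_j = pow(G, k, P)
    pk_other = C * pow(pk_j, -1, P) % P
    pks = [pk_other, pk_other]
    pks[j] = pk_j
    return pks, k


def sender_encrypt(C, pks, m0, m1):
    """Step 3: sender verifies PK_0 * PK_1 = C, then sends
    E(m_b) = (g^{r_b}, H[(PK_b)^{r_b}] xor m_b) for b = 0, 1."""
    if pks[0] * pks[1] % P != C:
        raise ValueError("public keys inconsistent with C")
    out = []
    for pk, m in zip(pks, (m0, m1)):
        r = rand_exp()
        out.append((pow(G, r, P), xor(h_pad(pow(pk, r, P), len(m)), m)))
    return out


def chooser_decrypt(ciphertexts, j, k):
    """Step 4: (g^{r_j})^k = (PK_j)^{r_j}, so the chooser can strip the pad of index j only."""
    gr, c = ciphertexts[j]
    return xor(h_pad(pow(gr, k, P), len(c)), c)


def run_ot(m0, m1, j):
    """Whole exchange: returns what the chooser ends up with."""
    C = sender_setup()
    pks, k = chooser_keys(C, j)
    cts = sender_encrypt(C, pks, m0, m1)
    return chooser_decrypt(cts, j, k)
```

For the other index the chooser would need (PK_{1-j})^{r_{1-j}} = (C / g^k)^{r_{1-j}}, a Diffie-Hellman value she cannot compute from g^{r_{1-j}} without log_g C, which is exactly the computational protection of m_{1-j} stated on the slide.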
Idea
• Chooser gives two ciphertexts, a good and a bad one, and proves consistency
  – Here: make it trivial to verify
• Sender randomizes ciphertexts
  – Good ciphertext remains consistent
  – Bad ciphertext maps to a random value
  – Based on random self-reducibility of DDH
The OT protocol
• Chooser defines x = g^a, y = g^b, z_j = g^{ab} and z_{1-j} ≠ z_j
  – Sends (x, y, z_0, z_1) to sender.
  Note that z_j = x^b and y = g^b
• Sender
  – Chooses random (r_0, s_0), (r_1, s_1).
  – Computes w_0 = x^{s_0} · g^{r_0} and w_1 = x^{s_1} · g^{r_1}
  – Encrypts m_0 with z_0^{s_0} · y^{r_0} and m_1 with z_1^{s_1} · y^{r_1}
  – Sends w_0, w_1 and the encryptions.
• Chooser recovers the key as (w_j)^b, decrypts m_j.
The OT protocol: Properties
• Security:
  – Chooser: DDH assumption implies that the sender cannot distinguish between z_j = g^{ab} and z_{1-j}.
  – Sender: If z_{1-j} ≠ g^{ab}, given (m_{1-j}, w_{1-j}), then z_{1-j}^{s_{1-j}} · y^{r_{1-j}} is uniformly distributed.
• Overhead: O(1) exponentiations.
• Generalization to 1-out-of-N OT without increasing the chooser’s complexity.
Question: how to do
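The DDH-based OT protocol of the two preceding slides, as an added example (not from the lecture). The group is a toy safe-prime group constructed for the example, and encryption under the group-element key is instantiated (assumption) as XOR with SHA-256 of the key. The sender's only check, z_0 ≠ z_1, is how this example reads the "make it trivial to verify" bullet: at most one of z_0, z_1 can then equal g^{ab}, and the key for the other index, z^{s} · y^{r}, is independent of anything the chooser knows.

```python
import hashlib
import secrets

# Toy group constructed for this example: p = 2q + 1 safe prime, g = 4 generates the
# order-q subgroup. Cryptographic use needs a large group; the steps are the same.
P, Q, G = 1019, 509, 4


def rand_exp():
    return secrets.randbelow(Q - 1) + 1


def pad(key, length):
    """Encryption with a group-element key, instantiated (assumption) as XOR with
    SHA-256(key); the slides leave the symmetric scheme unspecified."""
    return hashlib.sha256(key.to_bytes(4, "big")).digest()[:length]


def xor(a, b):
    return bytes(u ^ v for u, v in zip(a, b))


def chooser_query(j):
    """x = g^a, y = g^b, z_j = g^{ab}; z_{1-j} is a random group element != z_j.
    Returns the message (x, y, z_0, z_1) and the secret b kept for decryption."""
    a, b = rand_exp(), rand_exp()
    x, y = pow(G, a, P), pow(G, b, P)
    z = [None, None]
    z[j] = pow(x, b, P)                                  # g^{ab}
    while z[1 - j] is None or z[1 - j] == z[j]:
        z[1 - j] = pow(G, rand_exp(), P)
    return (x, y, z[0], z[1]), b


def sender_answer(query, m0, m1):
    """Sender checks z_0 != z_1 (the trivial consistency check), then randomizes:
    w = x^s . g^r and key = z^s . y^r with fresh (r, s) per message."""
    x, y, z0, z1 = query
    if z0 == z1:
        raise ValueError("z_0 == z_1: both keys would be computable by the chooser")
    reply = []
    for z, m in ((z0, m0), (z1, m1)):
        r, s = rand_exp(), rand_exp()
        w = pow(x, s, P) * pow(G, r, P) % P              # w = x^s . g^r
        key = pow(z, s, P) * pow(y, r, P) % P            # z^s . y^r
        reply.append((w, xor(pad(key, len(m)), m)))
    return reply


def chooser_recover(reply, j, b):
    """(w_j)^b = g^{ab s_j} . g^{b r_j} = z_j^{s_j} . y^{r_j}, the key for index j."""
    w, c = reply[j]
    return xor(pad(pow(w, b, P), len(c)), c)


def run_ot(m0, m1, j):
    query, b = chooser_query(j)
    reply = sender_answer(query, m0, m1)
    return chooser_recover(reply, j, b)
```

Applying the same recovery step to index 1-j gives (w_{1-j})^b = g^{ab s} · y^{r}, which differs from z_{1-j}^{s} · y^{r} whenever z_{1-j} ≠ g^{ab}, so the chooser decrypts to noise there; the overhead is a constant number of exponentiations on each side, as the slide states.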
Secret Sharing
Threshold Secret Sharing: how to split a secret S into N shares so that
  – No k - 1 shares yield any information about the secret S
  – Any k shares are sufficient to reconstruct the secret
Best known example: Shamir’s polynomial based scheme.
Simplest example, 2-out-of-2: choose random S_1 and let S_2 = S ⊕ S_1
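Both schemes named on the slide, as an added example (not from the lecture): the 2-out-of-2 XOR split, and a k-out-of-N Shamir split over a prime field with Lagrange reconstruction. The prime and the sample secrets are constructed for the example. The last function makes the "no k - 1 shares yield any information" property concrete: given k - 1 shares, every candidate secret is completed by some value of the k-th share, so the k - 1 shares are consistent with all secrets equally.

```python
import os
import secrets

PRIME = 2**127 - 1     # field for Shamir shares (constructed choice; any prime > secret and > N works)


def xor_split_2_of_2(secret):
    """The slides' simplest scheme: S_1 random, S_2 = S xor S_1 (secret given as bytes)."""
    s1 = os.urandom(len(secret))
    s2 = bytes(a ^ b for a, b in zip(secret, s1))
    return s1, s2


def xor_join(s1, s2):
    return bytes(a ^ b for a, b in zip(s1, s2))


def interpolate(points, x, prime=PRIME):
    """Lagrange interpolation: value at x of the unique polynomial of degree
    < len(points) through the given (x_i, y_i) pairs, arithmetic mod prime."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (x - xj) % prime
                den = den * (xi - xj) % prime
        total = (total + yi * num * pow(den, -1, prime)) % prime
    return total


def shamir_split(secret, k, n, prime=PRIME):
    """k-out-of-N: random polynomial f of degree k-1 with f(0) = S; share i is (i, f(i))."""
    coeffs = [secret % prime] + [secrets.randbelow(prime) for _ in range(k - 1)]

    def f(x):
        return sum(c * pow(x, e, prime) for e, c in enumerate(coeffs)) % prime

    return [(i, f(i)) for i in range(1, n + 1)]


def shamir_join(shares, prime=PRIME):
    """Any k distinct shares determine f, hence S = f(0)."""
    return interpolate(shares, 0, prime)


def consistent_missing_share(partial, candidate_secret, x, prime=PRIME):
    """Given k-1 shares and ANY candidate secret, the value a k-th share at position x
    would have to take for the k shares to reconstruct to that candidate. Since such a
    value always exists, k-1 shares carry no information about S."""
    return interpolate(partial + [(0, candidate_secret)], x, prime)
```

Running `shamir_split(S, 3, 5)` and reconstructing from any three of the five shares returns S, while two shares plus a suitably chosen third share reconstruct to whatever secret was asked for.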
Two party Computation
Two party protocol
• Input:
  – Sender: Function P (some representation)
  – Receiver: X ∈ {0,1}^n
• Output:
  – Receiver: P(x) and nothing else about P
  – Sender: nothing about x
Representations of P
• Boolean circuits [Yao, GMW, …]
• Algebraic circuits [BGW, …]
• Low degree polynomials [BFKR]
• Matrix products over a large field [FKN, IK]
• Randomizing polynomials [IK]
• Communication Complexity Protocol [NN]
Garbling P
• Input: description of P as a Boolean circuit C over basis B
• Output:
  – Garbled circuit C: tables
  – Pairs of garbled inputs I_1^0, I_1^1, I_2^0, I_2^1, …, I_n^0, I_n^1
  – Pairs of garbled outputs Z_1^0, Z_1^1, Z_2^0, Z_2^1, …, Z_n^0, Z_n^1
Garbling Requirements
For X ∈ {0,1}^n and Y = P(x)
Given
  – C tables
  – Selection by X = (x_1, x_2, … x_n) of garbled inputs: I_1^{x_1}, I_2^{x_2}, …, I_n^{x_n}
• Possible to compute the selection by y = (y_1, y_2, … y_n): Z_1^{y_1}, Z_2^{y_2}, …, Z_n^{y_n}
• Impossible to deduce anything about x or y
Sender and Receiver share the output
Garbling
We construct the garbled circuit
• Gate by gate
• Some topological sort (from inputs to outputs)
Start by choosing random values for inputs I_1^0, I_1^1, I_2^0, I_2^1, … I_n^0, I_n^1
Let F_W : {0,1}^{2C} → {0,1}^{n+1} be a pseudo-random function. |W| = n
Garbled Circuits
Original circuit: gate G_1 with wires i, j, k; gate G_2 with wires l, m, n; gate G_3 with output wire out.
Garbled circuit: the same gates, where every wire now carries a random pair of values: W_i^0, W_i^1; W_j^0, W_j^1; W_k^0, W_k^1; W_l^0, W_l^1; W_m^0, W_m^1; W_n^0, W_n^1; W_out^0, W_out^1.
Garbled Circuits
Garbled values for wires
Assign random pairs for each wire
Assign a random “permutation” {0,1} → {0,1} for each gate
Tables for a Gate
• b_i, b_j are the true values
• c_i, c_j are the permuted values
• b_k = G(b_i, b_j)
• If we know (c_i, W_i^{b_i}) and (c_j, W_j^{b_j}) we want to know (c_k, W_k^{b_k})
Gate G has input wires i, j and output wire k, with pairs W_i^0, W_i^1; W_j^0, W_j^1; W_k^0, W_k^1
Typical entry: [(c_k, W_k^{G(b_i, b_j)}) + F_{W_i^{b_i}}(c_j, k) + F_{W_j^{b_j}}(c_i, k)]
Translation table for an OR gate
Gate G has input wires i, j and output wire k, with pairs W_i^0, W_i^1; W_j^0, W_j^1; W_k^0, W_k^1
Encrypt (c_k(b_i, b_j), W_k^{G(b_i, b_j)}) with W_i^{b_i}, W_j^{b_j}
Sender constructs a translation table from input values to output values

b_i   b_j   Table entry
0     1     ENC_{W_i^0, W_j^1}(W_k^1)
1     0     ENC_{W_i^1, W_j^0}(W_k^1)
1     1     ENC_{W_i^1, W_j^1}(W_k^1)
0     0     ENC_{W_i^0, W_j^0}(W_k^0)
The protocol
• Initialization:
  – For every wire, Sender assigns random (garbled) values to the 0/1 values
  – For every gate, Sender constructs a table, s.t.
    • given garbled values of the input wires, it enables computing the garbled value of the output wire and nothing else
• Computation: receiver obtains garbled values of the input wires of the circuit, and propagates them to the output wires
Choosing the garbled Inputs
• For each 1 ≤ j ≤ n run a 1-out-of-2 OT where
  – Sender: I_j^0, I_j^1
  – Receiver: X_j
• Sender provides the receiver
  – The gate tables,
  – A translation table from garbled output values.
• Receiver computes the result of P(x)
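The garbling construction of the preceding slides (random wire pairs, a random permutation bit per wire, the "typical entry" formed by masking (c_k, W_k^{G(b_i,b_j)}) with the PRF outputs of the two input values, and gate-by-gate evaluation in topological order) as an added example that is not the lecture's code. The PRF F_W is instantiated (assumption) as HMAC-SHA256 keyed by the wire value, the circuit is a constructed three-gate example, and the 1-out-of-2 OT that delivers the receiver's garbled inputs is simulated by a direct call; everything else follows the slides.

```python
import hashlib
import hmac
import os

LABEL_LEN = 16   # bytes per garbled wire value W_w^b (constructed choice)


def prf(label, c, wire):
    """F_W(c, k) of the slides: PRF keyed by wire value W, evaluated on
    (permutation bit, output-wire name). Instantiated here as HMAC-SHA256 (assumption)."""
    return hmac.new(label, bytes([c]) + wire.encode(), hashlib.sha256).digest()[:LABEL_LEN + 1]


def xor(a, b):
    return bytes(u ^ v for u, v in zip(a, b))


def garble(circuit, wires):
    """circuit: list of (gate_function, in_wire_i, in_wire_j, out_wire_k) in topological order.
    Returns the pairs (W_w^0, W_w^1), the permutation bit of each wire, and a table per gate."""
    labels = {w: (os.urandom(LABEL_LEN), os.urandom(LABEL_LEN)) for w in wires}
    perm = {w: os.urandom(1)[0] & 1 for w in wires}         # c = b xor perm[w] hides the true bit
    tables = {}
    for g, i, j, k in circuit:
        table = [None] * 4
        for bi in (0, 1):
            for bj in (0, 1):
                ci, cj = bi ^ perm[i], bj ^ perm[j]
                bk = g(bi, bj)
                plain = bytes([bk ^ perm[k]]) + labels[k][bk]     # (c_k, W_k^{G(b_i,b_j)})
                # typical entry: plain + F_{W_i^{b_i}}(c_j, k) + F_{W_j^{b_j}}(c_i, k)
                entry = xor(xor(plain, prf(labels[i][bi], cj, k)), prf(labels[j][bj], ci, k))
                table[2 * ci + cj] = entry                   # position depends on c_i, c_j only
        tables[k] = (i, j, table)
    return labels, perm, tables


def garbled_input(labels, perm, wire, bit):
    """What the receiver gets for input wire j: (c_j, I_j^{x_j}). In the protocol this is
    delivered by a 1-out-of-2 OT; the example hands it over directly (simulation)."""
    return bit ^ perm[wire], labels[wire][bit]


def evaluate(tables, order, values):
    """Receiver: propagate (c, W) pairs gate by gate; only one entry per table decrypts."""
    values = dict(values)
    for k in order:
        i, j, table = tables[k]
        ci, wi = values[i]
        cj, wj = values[j]
        plain = xor(xor(table[2 * ci + cj], prf(wi, cj, k)), prf(wj, ci, k))
        values[k] = (plain[0], plain[1:])
    return values


AND = lambda a, b: a & b
OR = lambda a, b: a | b
XOR = lambda a, b: a ^ b

# Constructed example circuit: out = (x1 AND x2) XOR (x3 OR x4)
CIRCUIT = [(AND, "x1", "x2", "w5"), (OR, "x3", "x4", "w6"), (XOR, "w5", "w6", "out")]
WIRES = ["x1", "x2", "x3", "x4", "w5", "w6", "out"]


def two_party_eval(bits):
    """Sender garbles; receiver obtains its garbled inputs, the gate tables and the
    translation table for the output wire, and computes P(x) without seeing the
    other wire values."""
    labels, perm, tables = garble(CIRCUIT, WIRES)
    inputs = {w: garbled_input(labels, perm, w, b) for w, b in zip(("x1", "x2", "x3", "x4"), bits)}
    out = evaluate(tables, ["w5", "w6", "out"], inputs)["out"][1]
    translation = {labels["out"][0]: 0, labels["out"][1]: 1}   # garbled output -> plain bit
    return translation[out]


def reference(bits):
    x1, x2, x3, x4 = bits
    return (x1 & x2) ^ (x3 | x4)
```

The receiver only ever holds one value per wire and the permutation bit, so the position it decrypts reveals nothing about the true bits; the translation table is the only place where a garbled value is tied back to a plain 0 or 1, which is why the sender hands it over for the output wires alone.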
The Problem with SFE
SFE does not imply privacy:
• The problem is with the ideal model
  – E.g., ∑ = sum(a, b)
  – Each player learns only what can be deduced from ∑ and her own input to f
  – if ∑ and a yield b, so be it.
Need ways of talking about leakage even in the ideal model