Shai Halevi (IBM T.J. Watson), Yehuda Lindell (Bar-Ilan University), Benny Pinkas (Bar-Ilan University): Can elections, auctions, statistical analysis of distributed parties' data really be carried out using secure computation? (PowerPoint presentation)


SLIDE 1

Shai Halevi, IBM T.J. Watson
Yehuda Lindell, Bar-Ilan University
Benny Pinkas, Bar-Ilan University

SLIDE 2

SLIDE 3

 Can elections, auctions, statistical analysis of distributed parties' data really be carried out using secure computation?

 Does our model of secure computation really model the needs of these applications?

  • And I'm not talking about efficiency concerns…
SLIDE 4

 In all known protocols, all parties must interact simultaneously

 Arguably, this is a huge obstacle to adoption

  • A department wants to carry out a faculty tenure vote using a secure protocol

     When do they run the protocol?

  • A website wishes to securely aggregate statistics about users

     Each user gives her information only when connected

SLIDE 5

 The secure computation model:

SLIDE 6

 The real-world web model:

SLIDE 7

 Can secure computation be made non-simultaneous?

  • A natural theoretical question

     Deepens our understanding of the required communication model for secure computation

  • Important ramifications to practice

     Especially if this can be done efficiently

     Note: fully homomorphic encryption does not solve the problem

SLIDE 8

 Parties

  • One server $S$
  • $n$ parties $P_1, \ldots, P_n$

 Communication model

  • Each party interacts with the server exactly once

     In all of our protocols, this interaction is a single message from the server to the party and back, but this is not essential to the model

  • At the end, the server obtains the output

 A protocol for this setting is called one-pass

SLIDE 9

 Since the protocol is one-pass, the computation carried out by $P_{i+1}, \ldots, P_n$ and $S$ is of the residual function $g_i(x_{i+1}, \ldots, x_n) = f(x_1, \ldots, x_i, x_{i+1}, \ldots, x_n)$

 If $P_{i+1}, \ldots, P_n$ and $S$ are all corrupted and colluding, they can compute $g_i(x_{i+1}, \ldots, x_n)$ and $g_i(x'_{i+1}, \ldots, x'_n)$ and so on, on many inputs

  • This is not allowed in classic secure computation but is inherent to the one-pass model

SLIDE 10

 A decomposition of a function $f(x_1, \ldots, x_n)$ is a series of $n$ two-input functions $f_1, \ldots, f_n$ such that $f_n(\cdots f_2(f_1(x_1), x_2) \cdots, x_n) = f(x_1, \ldots, x_n)$

  • In the one-pass setting $P_i$ (and $S$) compute $f_i$ and pass on the result

  • If $P_{i+1}, \ldots, P_n$ and $S$ are all corrupted and colluding, then they learn the value $f_i(\cdots f_2(f_1(x_1), x_2) \cdots, x_i)$

SLIDE 11

 How much does $f_i(\cdots f_2(f_1(x_1), x_2) \cdots, x_i)$ reveal?

 If it reveals nothing more than what can be computed by the residual function $g_i(x_{i+1}, \ldots, x_n) = f(x_1, \ldots, x_i, x_{i+1}, \ldots, x_n)$, then it is minimal disclosure

SLIDE 12

 Define $f_1(x_1) = x_1$, $f_2(y_1, x_2) = (y_1, x_2) = (x_1, x_2)$, and so on (all are identity functions), and $f_n = f$

  • If $P_n$ and $S$ are corrupted, all is revealed

 Consider the SUM function and define $f_i(y_{i-1}, x_i) = y_{i-1} + x_i$

  • Given $y_i$ one can learn nothing more than the sum of the first $i$ inputs
  • But this is computable from the residual function
  • This is minimal disclosure
SLIDE 13

 We follow the real/ideal simulation paradigm

 Security is formalized as in the standard setting, with one exception

  • If the server is corrupted, then the adversary is given $f_i(x_1, \ldots, x_i)$ where $P_i$ is the last honest party

 A protocol one-pass securely computes a decomposition if there exists an ideal simulator such that real and ideal are indistinguishable

  • The protocol is optimally private if the decomposition is minimum disclosure

SLIDE 14

 Can this notion be achieved?

 If yes,

  • Under what assumptions?
  • At what cost?
SLIDE 15

 Binary symmetric functions

  • Depend only on the Hamming weight of the input
  • E.g., AND, OR, PARITY, MAJORITY

 Concise truth table representation

  • Example: the MAJORITY function over 5 bits

     Hamming weight   Output
     0                0
     1                0
     2                0
     3                1
     4                1
     5                1

  • In general, this contains the function output on the relevant weight

SLIDE 16

 Define $y_1 = f_1(x_1)$ to be the truth table, with the 1st row erased if $x_1 = 1$ and the last row erased if $x_1 = 0$

     Hamming weight   Output
     0                0        ← erased if $x_1 = 1$
     1                0
     2                0
     3                1
     4                1
     5                1        ← erased if $x_1 = 0$

SLIDE 17

 Define $f_2(y_1, x_2)$ to be the truncated truth table, with the last remaining row erased if $x_2 = 0$ and the first row erased if $x_2 = 1$

     Hamming weight   Output
     0                0        ← erased if $x_2 = 1$
     1                0
     2                0
     3                1
     4                1
     5                1        ← already erased ($x_1 = 0$)

SLIDE 18

 And so on…

  • Note, each truth table can be efficiently computed from the previous one

  • Indeed, the output of $\mathrm{MAJ}(01100) = 0$

     Hamming weight   Output
     0                0        ← erased by $P_2$ ($x_2 = 1$)
     1                0        ← erased by $P_3$ ($x_3 = 1$)
     2                0        ← the single remaining row: the output
     3                1        ← erased by $P_5$ ($x_5 = 0$)
     4                1        ← erased by $P_4$ ($x_4 = 0$)
     5                1        ← erased by $P_1$ ($x_1 = 0$)

SLIDE 19

 Why is this minimum disclosure?

  • The truth table reveals nothing more than the output of the function on the remaining inputs
SLIDE 20

 Main tool – layer rerandomizable encryption

  • Denote $E_{pk}(x; r)$ and $E_{pk_1, \ldots, pk_{n+1}}(x; r_1, \ldots, r_{n+1}) = E_{pk_1}(\cdots E_{pk_{n+1}}(x; r_{n+1}) \cdots; r_1)$

  • This is layer rerandomizable if there exists an efficient procedure that rerandomizes all layers (given public keys)

  • This can be constructed from any rerandomizable encryption, and highly efficiently from ElGamal

 Note: all protocols assume PKI (essential here)

SLIDE 21

 Server $S$ encrypts the truth table under all parties' keys

  • Using rerandomizable layer encryption

 For $i = 1, \ldots, n$ (but in any order)

  • Party $P_i$ retrieves the current truth table from the server
  • $P_i$ removes the first or last remaining row, decrypts under its key, rerandomizes every entry of the truth table, and sends to $S$

 After all parties conclude, all that remains is a single row, which is the output

SLIDE 22

 Majority function with 5 parties

     Hamming weight   Output
     0                0
     1                0
     2                0
     3                1
     4                1
     5                1

SLIDE 23

 The server $S$ computes the encrypted concise truth table ($pk_6$ is the server's public key)

     $E_{pk_1, \ldots, pk_6}(0; r_1, \ldots, r_6)$
     $E_{pk_1, \ldots, pk_6}(0; r_1, \ldots, r_6)$
     $E_{pk_1, \ldots, pk_6}(0; r_1, \ldots, r_6)$
     $E_{pk_1, \ldots, pk_6}(1; r_1, \ldots, r_6)$
     $E_{pk_1, \ldots, pk_6}(1; r_1, \ldots, r_6)$
     $E_{pk_1, \ldots, pk_6}(1; r_1, \ldots, r_6)$

SLIDE 24

 $P_1$ with input $x_1 = 0$ erases (the last row, $E_{pk_1, \ldots, pk_6}(1; r_1, \ldots, r_6)$, is marked for erasure)

SLIDE 25

 $P_1$ with input $x_1 = 0$ erases, removes its key and rerandomizes

     $E_{pk_2, \ldots, pk_6}(0; r_2, \ldots, r_6)$
     $E_{pk_2, \ldots, pk_6}(0; r_2, \ldots, r_6)$
     $E_{pk_2, \ldots, pk_6}(0; r_2, \ldots, r_6)$
     $E_{pk_2, \ldots, pk_6}(1; r_2, \ldots, r_6)$
     $E_{pk_2, \ldots, pk_6}(1; r_2, \ldots, r_6)$
     (last row erased)

SLIDE 26

 $P_2$ with input $x_2 = 1$ erases (the first row, $E_{pk_2, \ldots, pk_6}(0; r_2, \ldots, r_6)$, is marked for erasure)

SLIDE 27

 $P_2$ with input $x_2 = 1$ erases, removes its key and rerandomizes

     (first row erased)
     $E_{pk_3, \ldots, pk_6}(0; r_3, \ldots, r_6)$
     $E_{pk_3, \ldots, pk_6}(0; r_3, \ldots, r_6)$
     $E_{pk_3, \ldots, pk_6}(1; r_3, \ldots, r_6)$
     $E_{pk_3, \ldots, pk_6}(1; r_3, \ldots, r_6)$

SLIDE 28

 $P_3$ with input $x_3 = 1$ erases (the first remaining row, $E_{pk_3, \ldots, pk_6}(0; r_3, \ldots, r_6)$, is marked for erasure)

SLIDE 29

 $P_3$ with input $x_3 = 1$ erases, removes its key and rerandomizes

     (first row erased)
     $E_{pk_4, \ldots, pk_6}(0; r_4, \ldots, r_6)$
     $E_{pk_4, \ldots, pk_6}(1; r_4, \ldots, r_6)$
     $E_{pk_4, \ldots, pk_6}(1; r_4, \ldots, r_6)$

SLIDE 30

 $P_4$ with input $x_4 = 0$ erases (the last remaining row, $E_{pk_4, \ldots, pk_6}(1; r_4, \ldots, r_6)$, is marked for erasure)

SLIDE 31

 $P_4$ with input $x_4 = 0$ erases, removes its key and rerandomizes

     $E_{pk_5, pk_6}(0; r_5, r_6)$
     $E_{pk_5, pk_6}(1; r_5, r_6)$
     (last row erased)

SLIDE 32

 A corrupted $P_5$ colluding with a corrupted server knows that the first 4 parties were divided evenly, but nothing else

SLIDE 33

 If the server is honest, no one learns anything

 If the server is corrupt, it cannot decrypt anything which is still encrypted under an honest party's public key

  • The security level achieved when the last few parties are corrupted is the same as if they just didn't participate to start with

 Rerandomization ensures that the row removed is not learned
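The walkthrough on slides 20 to 33, as an added example that is not the authors' code: it runs the one-pass MAJORITY protocol over 5 bits with the concise truth table, a multi-key ElGamal standing in for the slides' layer rerandomizable encryption (the product-of-public-keys encoding, the toy group and all function names are this example's assumptions, not the paper's), and a `colluding_view` that shows what corrupt later parties plus a corrupt server can still decrypt.

```python
# Added example (not the authors' code): one-pass MAJORITY over 5 bits using the concise
# truth table and a multi-key ElGamal standing in for layer-rerandomizable encryption.
# Toy 10-bit group for illustration only; the product-of-keys encoding is an assumption.
import math, random
from functools import reduce
P, Q, G = 1019, 509, 4   # toy group: 1019 = 2*509 + 1, G = 2^2 generates the order-509 subgroup

def keygen():
    sk = random.randrange(1, Q)
    return sk, pow(G, sk, P)

def encrypt(x, pks):     # E_{pk_1..pk_k}(x; r): bit x encoded as G^x, one layer per key
    r = random.randrange(1, Q)
    return (pow(G, r, P), pow(G, x, P) * pow(math.prod(pks) % P, r, P) % P)

def strip_layer(ct, sk): # remove this key's layer: divide c2 by c1^sk (c1 has order Q)
    return (ct[0], ct[1] * pow(ct[0], Q - sk, P) % P)

def rerandomize(ct, pks):  # fresh randomness for every remaining layer, using public keys only
    r = random.randrange(1, Q)
    return (ct[0] * pow(G, r, P) % P, ct[1] * pow(math.prod(pks) % P, r, P) % P)

def decode(ct):          # valid once every layer is stripped: c2 == G^x
    return 0 if ct[1] == 1 else 1

def server_setup(n, pks):  # row w holds MAJ of any n-bit input of Hamming weight w
    return [encrypt(1 if 2 * w > n else 0, pks) for w in range(n + 1)]

def party_step(table, bit, sk, remaining_pks):
    rows = table[1:] if bit else table[:-1]  # x_i=1 rules out the lowest weight, x_i=0 the highest
    return [rerandomize(strip_layer(ct, sk), remaining_pks) for ct in rows]

def run(bits, n, keys):  # P_1..P_k each visit the server exactly once (index order here)
    pks = [pk for _, pk in keys]          # keys[-1] belongs to the server
    table, remaining = server_setup(n, pks), list(pks)
    for i, b in enumerate(bits):
        remaining.remove(pks[i])
        table = party_step(table, b, keys[i][0], remaining)
    return table

def majority(bits):      # full run: the server strips its own layer and reads the single row left
    keys = [keygen() for _ in range(len(bits) + 1)]
    table = run(bits, len(bits), keys)
    return decode(strip_layer(table[0], keys[-1][0])) if len(table) == 1 else None

def colluding_view(prefix, n):  # what corrupt P_{k+1..n} and a corrupt server decrypt after k honest parties
    keys = [keygen() for _ in range(n + 1)]
    sks = [sk for sk, _ in keys[len(prefix):]]   # the coalition holds every layer still present
    return [decode(reduce(strip_layer, sks, ct)) for ct in run(prefix, n, keys)]
```

With the slides' input 01100, `colluding_view([0, 1, 1, 0], 5)` returns only the two rows `[0, 1]`: the coalition learns that the first four parties were divided evenly (the residual function $g_4$) and nothing else.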

SLIDE 34

 Each party computes on average about $3n/2$ exponentiations

  • We can do 1000 – 2000 exponentiations per second, making this protocol practical even for thousands of users (unless many come at the same time)

 For malicious adversaries

  • Need to add digital signatures and ZK proofs (these are just Diffie-Hellman tuple proofs)

  • The concrete cost is less than $8n^2$ (with Fiat-Shamir)

  • This is still practical for not too many parties

     About 10 seconds for 40 parties (tenure example)

SLIDE 35

 Highly efficient optimally private protocols for:

  • Symmetric functions over $\mathbb{Z}_c$
  • Sum function over large domain
  • Selection functions

 A general feasibility result:

  • Any decomposition $f_1, \ldots, f_n$ can be securely computed, under the DDH assumption (and NIZK for malicious)

  • This can be used for any decomposition (minimal or not)

     The actual security derived depends on the decomposition

     Minimal is best; if not, then it depends on the application

SLIDE 36

 Fully interactive secure computation is a problem in practice

  • A one-pass client/server protocol is essential for many applications, and is also interesting from a theoretical point of view

 Our results

  • Introduced the model and definitions
  • Studied inherent limitations and used function decomposition to model them
  • Constructed highly efficient and practical protocols for many natural problems in this setting
  • Proved general feasibility for any decomposition