Differential Privacy (Part IV) Alice Eve Bob Cryptographic - - PowerPoint PPT Presentation

SLIDE 1

Differential Privacy (Part IV)

SLIDE 2

Cryptographic protocols essential in distributed systems…

e-banking, e-commerce, e-mail, e-voting, e-passports, online auctions, file sharing, social networks

Tons of attacks…never ending list!

  • Needham-Schroeder (1996)
  • Microsoft Passport (2001)
  • Kerberos (2004)
  • Public-key Kerberos (2006)
  • DAA (2007, 2008)
  • French Electronic Passport (2010)
  • 802.11i WEP (2001)
  • ISAKMP (2005)
  • SSL (2009, 2014, 2015)

Flaws hard to spot, proofs hard to get right

[Figure: Alice and Bob communicating, Eve listening in]
SLIDE 3

  • Needham-Schroeder (1996)
  • Microsoft Passport (2001)
  • Kerberos (2004)
  • Public-key Kerberos (2006)
  • DAA (2007, 2008)
  • French Electronic Passport (2010)
  • 802.11i WEP (2001)
  • LogJam (2015)
  • SSL (2001, 2009)
  • ISAKMP (2005)
  • Heartbleed (2014)
  • Freak (2015)

Three sources of flaws:

  • Conceptual flaws in protocol design
  • Cryptographic breaches
  • Implementation mistakes

[Figure: Alice and Bob communicating, Eve listening in]
SLIDE 4

Γ ⊢ m : τ

How do we prove a protocol correct?

Call for automated verification techniques, proving end-to-end security guarantees across all three layers (protocol logic, cryptography, implementation)

Type systems particularly well suited

Modular, well-established theory, amenable to automation

SLIDE 5

A few recent results in this line of research (PL techniques; security properties):

  • F7: refinement types; authorization policies
  • F5: refinement types, union and intersection types, type disjointness; authorization policies, secrecy
  • AF7: affine refinement types; resource-aware policies
  • DF7: affine types; differential privacy
  • F*: refinement types, monadic reasoning; authorization policies, proof assistant

If you are curious, have a look at
  • my tutorial at POPL 2016: http://sps.cs.uni-saarland.de/maffei/Talks/popl16.pdf
  • “Dependent Types and Multi-Monadic Effects in F*”, Swamy et al., POPL’16
SLIDE 6

Non-tracking web analytics

  • Threat model: non-colluding, honest-but-curious (HbC) aggregators & malicious publishers
  • Manual proof of differential privacy
  • Further auditing protocol to discover publishers dropping clients’ answers

[Figure: clients 1..r send their answers a_1..a_r as enc_{pk_a}(qid, a_i) to publishers 1..s; publisher j forwards them to the aggregator; noise is added and the result for publisher j is released]

SLIDE 7

The snapshot attack

[Figure: same protocol as on the previous slide, but the ciphertext carrying a_i reaches the aggregator four times]

New attack: a_i is counted 4 times ≈ execute the query 4 times

We are going to see how to formally and automatically prove differential privacy properties in distributed systems by means of a type system

SLIDE 8

DDP: definition

  • Consider the protocol as a query
  • P_D denotes protocol P on database D
  • The attacker is given access to the query function (the protocol)
  • O(P_D) denotes attacker O interacting with P_D
  • Given two similar databases D, D‘: if no attacker can distinguish between the query on D and the query on D‘, then the query is differentially private

A randomized function f is ε-differentially private iff for all databases D, D' such that D ∼ D' and every set S:

$$\Pr[\, f(D) \in S \,] \le e^{\varepsilon} \cdot \Pr[\, f(D') \in S \,]$$

A protocol P is ε-differentially private iff for all databases D, D' such that D ∼ D' and every opponent O:

$$\Pr[\, O(P_D) = 1 \,] \le e^{\varepsilon} \cdot \Pr[\, O(P_{D'}) = 1 \,]$$

SLIDE 9

Sneak Peek into our Type System

  • As shown in [Reed & Pierce ICFP’10, Gaboardi et al. POPL’12]:
    • if each value is used at most k times, then the query is k-sensitive
    • linear type systems track how often a sensitive value is used
    • enforcing linearity in a distributed setting is hard (because the attacker can replay/duplicate values!)
  • Our type system:
    • checks whether each value of the database is used at most k times
    • before releasing query results to the attacker, they must be sanitized with the special primitive add_noise(s) for noise addition (e.g., Lap(s))

If s = k/ε and the protocol has type !kτ → !∞ℝ, then the protocol is ε-differentially private

SLIDE 10

Syntax of the language

SLIDE 11

Semantics of the language

SLIDE 12

Types

  • !k int : integer that can be used at most k times
  • public data are given types of the form !∞Φ, since the attacker can manipulate them at will
  • !k Φ → τ : function from Φ to τ that uses the argument at most k times

Indexed types:

$$\begin{array}{rcll}
\tau, \rho & ::= & !_k\varphi & \text{type } (k \in \mathbb{R}_{>0} \cup \{\infty\})\\
\varphi, \psi & ::= & & \text{core type}\\
& & b & \text{base type}\\
& & \alpha & \text{type variable}\\
& & \mu\alpha.\tau & \text{iso-recursive type } (\alpha \text{ bound in } \tau)\\
& & \tau + \tau & \text{sum type}\\
& & \tau \otimes \tau & \text{multiplicative pair type}\\
& & \tau \multimap \tau & \text{function type}
\end{array}$$

SLIDE 13

Linear Types and Sensitivity

  • Define a distance δτ on types
  • Functions of type !k Φ → τ are k-sensitive in Φ → τ

$$\begin{aligned}
\delta_{!_k\varphi}(x, y) &= k \cdot \delta_{\varphi}(x, y)\\
\delta_{\tau \otimes \rho}((x_1, x_2), (y_1, y_2)) &= \delta_{\tau}(x_1, x_2) + \delta_{\rho}(y_1, y_2)\\
\delta_{\tau \multimap \rho}(f, g) &= \max_{x \in \tau} \delta_{\rho}(f(x), g(x))\\
&\;\;\vdots
\end{aligned}$$

A function f is k-sensitive in τ1 → τ2 iff

$$\delta_{\tau_2}(f(x), f(y)) \le k \cdot \delta_{\tau_1}(x, y) \quad \text{for all } x, y \in \tau_1$$

SLIDE 14

Sealing-based cryptography

  • We model cryptography through regular language constructs
  • In particular, we make use of sealing and unsealing functions
  • They share a (secret) reference to a list containing msg*ciph pairs

[Figure: encrypt takes a plaintext M and the sealing function (EncKey), stores the plaintext in the list along with a fresh ciphertext c, and returns c; decrypt takes a ciphertext c and the unsealing function (DecKey), checks if the ciphertext is in the list, and returns the plaintext M]

$$\begin{aligned}
\mathrm{encrypt} &: \alpha \to (\alpha \to !_\infty\mathbb{R}) \to !_\infty\mathbb{R}\\
\mathrm{decrypt} &: !_\infty\mathbb{R} \to (!_\infty\mathbb{R} \to \alpha) \to \alpha\\
\mathrm{Seal}(\alpha) &= \alpha \to !_\infty\mathbb{R}\\
\mathrm{Unseal}(\alpha) &= !_\infty\mathbb{R} \to \alpha
\end{aligned}$$

SLIDE 15

Opponent typability

SLIDE 16

Kinding and subtyping

  • Only types with infinite replication index can be sent to the attacker
  • If a value comes from the attacker, we can decide to treat it privately

SLIDE 17

Typing values

[Figure: typing rules for values, with the following annotations]

  • Typing rules are defined for replication index 1: !kI below makes them work for arbitrary replication indexes
  • Trivial typing for pre-defined constants and functions
  • Only needed to type-check the attacker
  • Introduces replication indexes if the environment contains enough resources
  • Typing environment splitting (split replication indexes)

SLIDE 18

Typing expressions

[Figure: typing rules for expressions, with the following annotations]

  • Standard subtyping rule
  • Splitting pairs preserves the replication index
  • Only rule introducing an infinite replication index
  • Can only branch on public values

SLIDE 19

Soundness results

SLIDE 20

Typing the Example: HbC Aggregator

[Figure: the protocol of slide 6 with types: the clients' answers a_1, a_i, a_r have type !1ℝ; the ciphertexts enc_{pk_a}(qid, a_i) forwarded through publishers 1..s to the aggregator, and the result for publisher j, have type !∞ℝ]

Problem: ciphertexts could be decrypted more than once!

Solution: prevent double processing of the same payload

Protocol fix: discard duplicate ciphertexts and change qid in each session in order to keep the queue size small
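As an added example (not code from the slides or from the authors' DF7 implementation), the following Python model ties slides 14, 7 and 20 together: encryption as a sealing table of (plaintext, fresh ciphertext) pairs, the aggregator summing decrypted answers and sanitizing the total with add_noise(s) for s = k/ε, and the snapshot attack in which one client's ciphertext is forwarded four times, once with and once without the duplicate-ciphertext fix. The message layout (qid, client, answer), the inverse-CDF Laplace sampler, the ε value and all function names are assumptions of this example.

```python
import math
import random

class Seal:
    """Sealing model of encryption (slide 14): a secret list of (plaintext, ciphertext)."""
    def __init__(self, rng):
        self.table, self.rng = [], rng

    def seal(self, msg):                     # encrypt: record msg under a fresh ciphertext
        ciph = self.rng.getrandbits(64)
        self.table.append((msg, ciph))
        return ciph

    def unseal(self, ciph):                  # decrypt: look the ciphertext up, else fail
        for msg, c in self.table:
            if c == ciph:
                return msg
        raise ValueError("unknown ciphertext")

def sum_answers(seal, received, qid, discard_duplicates):
    """Aggregator: sum decrypted answers for qid; count uses of each client's value."""
    seen, total, uses = set(), 0, {}
    for ciph in received:
        if discard_duplicates and ciph in seen:
            continue                         # protocol fix (slide 20): drop replayed ciphertexts
        seen.add(ciph)
        q, client, answer = seal.unseal(ciph)
        if q == qid:                         # ignore ciphertexts from other sessions
            total += answer
            uses[client] = uses.get(client, 0) + 1
    return total, uses

def add_noise(rng, total, k, eps):
    """add_noise(s) with s = k/eps: Lap(s) sampled by inverse CDF (constructed helper)."""
    u = rng.random() - 0.5
    return total - (k / eps) * math.copysign(1.0, u) * math.log(1.0 - 2.0 * abs(u))

def effective_epsilon(uses, eps):
    """A value counted m times is like running the query m times: privacy degrades to m*eps."""
    return max(uses.values(), default=0) * eps

def run_query(qid, answers, replayed_client, discard_duplicates, seed=7):
    """Constructed scenario: client i encrypts (qid, i, a_i) for the aggregator; the
    malicious publisher forwards everything plus three extra copies of one ciphertext."""
    rng = random.Random(seed)
    seal = Seal(rng)
    ciphs = {i: seal.seal((qid, i, a)) for i, a in answers.items()}
    forwarded = list(ciphs.values()) + [ciphs[replayed_client]] * 3   # a_i counted 4 times
    total, uses = sum_answers(seal, forwarded, qid, discard_duplicates)
    return total, uses, add_noise(rng, total, 1, 0.5)
```

Without the fix the replayed answer enters the sum four times, so noise calibrated for k = 1 only yields 4ε-privacy for that client; with the fix every client's value is used once, as the type !1ℝ demands.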

SLIDE 21

Typing the Example: Malicious Publisher

[Figure: the same protocol with the malicious publisher modelled as the opponent: the clients' answers a_1, a_i, a_r have type !1ℝ; the messages reaching the aggregator, and the result for publisher j, have type !∞ℝ]

SLIDE 22

Algorithmic Variant

$$\text{(Var Alg)}\quad
\frac{\Gamma \vdash \diamond \qquad x : !_k\varphi \in \Gamma \qquad k \ge 1 \qquad \Gamma' = \Gamma\{x : !_{k-1}\varphi \,/\, x : !_k\varphi\}}
{\Gamma \vdash_{alg} x : !_1\varphi ;\ \Gamma'}$$

$$\text{(Let Alg)}\quad
\frac{\Gamma \vdash_{alg} A : \tau ;\ \Delta \qquad \Delta, x : \tau \vdash_{alg} B : \tau' ;\ \Gamma'}
{\Gamma \vdash_{alg} \mathrm{let}\ x = A\ \mathrm{in}\ B : \tau' ;\ \Gamma' \setminus x}$$

  • Effect system to track unused resources
  • Use all resources in the first hypothesis and those left in the second one
  • The algorithmic variant is sound and complete
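An added example, not the authors' type checker: a Python sketch of the algorithmic variant for the variable, pair and let cases (slides 9, 17, 18 and 22). The environment of unused resources is threaded through the derivation, so an expression that would use a database value of type !kφ more than k times is rejected. The expression syntax, the (k, φ) encoding of !kφ and the assumption that let-bound names do not shadow others are choices of this example.

```python
from dataclasses import dataclass
from typing import Dict, Tuple, Union

INF = float("inf")            # replication index ∞: public data of type !∞φ
Type = Tuple[float, object]   # (k, φ): a value that may be used at most k times

@dataclass(frozen=True)
class Var:
    name: str

@dataclass(frozen=True)
class Pair:
    left: "Expr"
    right: "Expr"

@dataclass(frozen=True)
class Let:                    # let name = bound in body  (no shadowing assumed)
    name: str
    bound: "Expr"
    body: "Expr"

Expr = Union[Var, Pair, Let]

class LinearityError(Exception):
    """A value would be used more often than its replication index allows."""

def check(env: Dict[str, Type], e: Expr) -> Tuple[Type, Dict[str, Type]]:
    """Γ ⊢alg e : τ ; Γ'  -- returns τ and the environment of resources still unused."""
    if isinstance(e, Var):    # Var Alg: needs k >= 1, leaves x : !(k-1)φ behind (∞-1 = ∞)
        k, phi = env[e.name]
        if k < 1:
            raise LinearityError(f"{e.name} used more often than its index allows")
        return (1, phi), {**env, e.name: (k - 1, phi)}
    if isinstance(e, Pair):   # consume resources left to right, threading the environment
        t1, delta = check(env, e.left)
        t2, gamma = check(delta, e.right)
        return (1, ("pair", t1, t2)), gamma
    if isinstance(e, Let):    # Let Alg: Γ ⊢ A : τ ; Δ   and   Δ, x : τ ⊢ B : τ' ; Γ'
        t, delta = check(env, e.bound)
        t2, gamma = check({**delta, e.name: t}, e.body)
        return t2, {x: ty for x, ty in gamma.items() if x != e.name}   # Γ' \ x
    raise TypeError(f"unknown expression {e!r}")

def well_typed(env: Dict[str, Type], e: Expr) -> bool:
    """True iff e type-checks, i.e. no database value is over-used."""
    try:
        check(env, e)
        return True
    except LinearityError:
        return False
```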