Differential Privacy (Part IV)
Alice Eve Bob Cryptographic protocols Tons of attacks…never ending list! essential in distributed systems… Needham-Schroeder (1996) e-banking Microsoft Passport (2001) e-commerce Kerberos (2004) e-mail Public-key Kerberos (2006) e-voting DAA (2007,2008) e-passports French Electronic Passport (2010) online auctions 802.IIi WEP (2001) file sharing ISAKMP (2005) social networks SSL (2009,2014,2015) Flaws hard to spot , proofs hard to get right
Alice Eve Bob Needham-Schroeder (1996) Microsoft Passport (2001) Kerberos (2004) Conceptual flaws Public-key Kerberos (2006) in protocol design DAA (2007,2008) French Electronic Passport (2010) 802.IIi WEP (2001) LogJam (2015) Cryptographic breaches SSL (2001,2009) ISAKMP (2005) Heartbleed (2014) Implementation mistakes Freak (2015) 3
How do we prove a protocol correct? Γ ⊢ m: τ Call for automated verification techniques, proving end-to-end security guarantees across all three layers ( protocol logic, cryptography, implementation ) Type systems particularly well suited Modular, well-established theory, amenable to automation 4
A few recent results in this line of research Security Properties PL Techniques F7 authorization policies refinement types refinement types F5 authorization policies union and intersection types secrecy type disjointness AF7 resource-aware policies affine refinement types F* authorization policies refinement types proof assistant monadic reasoning DF7 differential privacy affine types If you are curious, have a look at • my tutorial at POPL 2016: http://sps.cs.uni-saarland.de/maffei/Talks/popl16.pdf • “Dependent Types and Multi-Monadic Effects in F*”, Swamy et al. , POPL’16
Non-tracking web analytics •Threat model: non-colluding, HbC aggregators & malicious publishers Client 1 Publisher 1 a1 ... ... ai Publisher j Aggregator Client i noise ... ... noise noise noise enc pka (q id ,ai) ar Publisher s Client r Result for Publisher j: •Manual proof of differential privacy •Further auditing protocol to discover publishers dropping clients’ answers
The snapshot attack New attack: ai is counted 4 times Client 1 Publisher 1 ≈ execute query 4 times ... ... ai ai ai ai Publisher j Aggregator Client i ... ... Publisher s Client r We are going to see how to formally and automatically prove differential privacy properties in distributed systems by a type system
DDP: definition •Consider protocol as a query •PD denotes protocol P on database D •Attacker is given access to query function (protocol) •O(PD) denotes attacker interacting with PD •Given two similar databases D,D‘: •if no attacker can distinguish between query on D and query on D‘, then the query is differentially private A randomized function is ✏ -di ff erentially private i ff A protocol P for all databases D, D 0 such that D ∼ D 0 opponent O and every set S O(PD’)=1 Pr [ f ( D ) ∈ S ] ≤ e ✏ · Pr [ f ( D 0 ) ∈ S ] O(PD)=1
Sneak Peek into our Type System •As shown in [Reed & Pierce ICFP’10, Gaboardi et al. POPL’12]: • if each value is used at most k times, then query k-sensitive • linear type systems track how often a sensitive value is used •Enforcing linearity in distributed setting hard (because attacker can replay/duplicate values!) •Our type system: •checks whether each value of database is used at most k times •before releasing query results to the attacker, they must be sanitized with the special primitive add_noise(s) for noise addition (e.g, Lap(s)) if s = k/ ε and protocol has type ! k τ → ! ∞ R then protocol ε -differentially private
Syntax of the language
Semantics of the language
Types type ( k ∈ R > 0 ∪ { ∞ } ) τ , ρ ::= ! k φ φ , ψ ::= core type base type b type variable α Indexed types iso-recursive type ( α bound in τ ) µ α . τ τ + τ sum type multiplicative pair type τ ⊗ τ function type τ ( τ • ! k int : integer that can be used at most k times •public data are given types of the form ! ∞ Φ , since the attacker can manipulate them at will • ! k Φ → τ : function from Φ to τ that uses the argument at most k times
Linear Types and Sensitivity • Define a distance δ τ on types • Functions of type ! k Φ → τ are k sensitive in Φ → τ δ ! k φ ( x, y ) = k · δ φ ( x, y ) δ τ ⊗ ρ (( x 1 , x 2 ) , ( y 1 , y 2 )) = δ τ ( x 1 , x 2 ) + δ ρ ( y 1 , y 2 ) δ τ ( ρ ( f, g ) = max x ∈ τ ( δ ρ ( f ( x ) , g ( x ))) . . . A function f is k -sensitive in τ 1 → τ 2 i ff δ τ 2 ( f ( x ) , f ( y )) ≤ k · δ τ 1 ( x, y ) for all x, y ∈ τ 1
Sealing-based cryptography • We model cryptography through regular language constructs • In particular, we make usage of sealing and unsealing functions • share a (secret) reference to a list, containing msg*ciph pairs encrypt : M decrypt : check store if ciphertext is in the plaintext in the M the list and return Plaintext list along with a fresh plaintext ciphertext Ciphertext c c (fresh value) Plaintext EncKey (sealing) Ciphertext Seal( α ) = α → ! ∞ ℝ encrypt: α → ( α → ! ∞ ℝ ) → ! ∞ ℝ Unseal( α )= ! ∞ ℝ → α Ciphertext DecKey (unsealing) Plaintext decrypt: ! ∞ ℝ (! ∞ ℝ → α ) → → α
Opponent typability
Kinding and subtyping Only If types with infinite a value comes from replication index can be the attacker, we can sent to the attacker decide to treat it privately
Typing values Trivial typing for pre-defined constants and functions Typing rules are defined for replication index 1 : ! k I below makes them work for arbitrary Typing replication indexes environment splitting (split replication indexes) Only needed to type-check the attacker Introduces replication indexes if the environment contains enough resources
Typing expressions Standar subtyping rule Splitting pairs preserves replication index Only rule introducing an infinite replication index Can only branch on public values
Soundness results
Typing the Example: HbC Aggregator enc pka (q id ,ai) Client 1 Publisher 1 ! 1 ℝ ! ∞ ℝ ... ... ! 1 ℝ ! ∞ ℝ Publisher j Aggregator Client i ! ∞ ℝ ... ... ! ∞ ℝ ! ∞ ℝ ! ∞ ℝ ! ∞ ℝ ! 1 ℝ Publisher s Client r Result for Publisher j: Problem: ciphertexts could be decrypted more than once! Solution: prevent double processing of the same payload Protocol fix: discard duplicate ciphertexts and change q id in each session in order to keep the queue size small
Typing the Example: Malicious Publisher Client 1 ! 1 ℝ ! ∞ ℝ ... ! ∞ ℝ ! 1 ℝ Aggregator Client i ... ! ∞ ℝ ! ∞ ℝ ! ∞ ℝ ! 1 ℝ Client r Result for Publisher j:
Algorithmic Variant Effect system to track unused resources Var Alg Γ 0 = Γ { x :! k � 1 φ /x :! k φ } x :! k φ 2 Γ k � 1 Γ ` ⇧ Γ ` alg x :! 1 φ ; Γ 0 Let Alg ∆ , x : τ ` alg B : τ 0 ; Γ 0 Γ ` alg A : τ ; ∆ Γ ` alg let x = A in B : τ 0 ; Γ 0 \ x Use all resources in the first The algorithmic variant is sound and complete hypothesis and those left in the second one
Recommend
More recommend
