
UCL Crypto Group

Microelectronics Laboratory

Privacy with SMC: Implementation? - July 2012 1

Privacy Preservation through Secure Multi-party Computation: Towards Implementation

Paolo Palmieri, Olivier Pereira

UCL Crypto Group, Université Catholique de Louvain (Belgium)

Provable Privacy Workshop – July 2012


Outline of the Talk

  • 1. Secure Multi-party Computation
  • 2. New channel models
  • 3. Towards implementation

Secure 2-party computation

Problem suggested by Yao in 1982 [Yao82]. Cryptography for mutually distrusting parties. The parties...

◮ ... want to jointly compute some value based on individually held secret bits of information;
◮ ... do not wish to reveal their secrets to one another in the process.

Our focus is on security against computationally unbounded adversaries, in the information theoretic model.


Oblivious Transfer

Oblivious Transfer [Rab81] is a fundamental primitive for multi-party computation.

◮ many fashions of OT, all proved to be equivalent [Cré87].

1-out-of-2 OT: the sender (Sam) has two bits b0, b1 and wants to transmit only one to the receiver (Rachel), while she wants to select the desired bit s without Sam knowing her choice.

[Figure: Sam (S) feeds b0, b1 into the OT box; Rachel (R) feeds her choice s and obtains bs.]


The Importance of Noise

Oblivious Transfer cannot be achieved on a clear channel in the information theoretic model. Even a quantum channel proved to be useless for the purpose [May97]. Solution: noisy channels. Open questions:

◮ most efficient/realistic channel models?
◮ what properties should noise have?


2. New channel models

Traditional constructions

OT can be built on almost any noisy channel [CMW04]. However, most constructions are based on the Binary Symmetric Channel (BSC).

[Figure: BSC transition diagram. Each input bit is delivered unchanged with probability 1 − p and flipped with probability p.]

◮ First protocol proposed in 1988 [CK88].
◮ Unfair Noisy Channel (UNC) [DKS99, DFMS04].
◮ Weak Binary Symmetric Channel (WBSC) [Wul09].


Delays & Packet Loss

In [PP10] we proposed to build OT over channels that model real network characteristics:

◮ packet delays (wireless) and reorderings (wired);
◮ lost packets.

Two channel models:

◮ Binary Discrete-time Delaying Channel (BDDC);
◮ Delaying-Erasing Channel (DEC).

[Figure: BDDC example. Sending slots t0, t1; receiving slots u0, u1; each string is delayed with probability p. Sent: c1, c2 at t0 and c3, c4 at t1. Received: c2 at u0; c1, c3, c4 at u1 (c1 delayed once).]


3. Towards implementation

Protocol - preparation

Protocol inspired by the one proposed in [CK88].

Preliminary work: Sam creates two sets of bit strings C and C′, with |C| = |C′| = n. Each string in any of the two sets is composed of:

◮ the string identifier e: e_i in c_i ∈ C is unique in {C ∪ C′};
◮ the sequence number i: i in c_i ∈ C is unique in C and shared by c′_i ∈ C′.

[Figure: layout of a string c_i ∈ C = e_i ... i ...]

Protocol - communication 1

  • 1. At time t0 Sam sends to Rachel C over a BDDC;
  • 2. At t1 Sam sends the set C′;
  • 3. At u0 Rachel receives the strings of C not delayed;
  • 4. At u1 Rachel receives the strings of C delayed once and those of C′ not delayed. Then she keeps listening;
  • 5. Rachel divides the sequence numbers received into two sets I_s and I_{1−s}. For all those in I_s, the corresponding c has not been delayed.

[Figure: S → R over the BDDC (steps 1-4); R → S sends I_s, I_{1−s} over a clear channel (step 5).]


Protocol - communication 2

  • 6. Sam receives I_s and I_{1−s} and chooses a universal hash function f. For each set I_j he computes g_j:

g_j = e^j_1 ... e^j_{n/2}, with e^j_1, ..., e^j_{n/2} ∈ E_j,

where e_i ∈ E_j ⇔ i ∈ I_j. Sam then sends to Rachel, over a clear channel: f, (f(g_0) ⊕ b_0), (f(g_1) ⊕ b_1).

  • 7. Rachel computes her guess for b_s: b_s = f(g_s) ⊕ (f(g_s) ⊕ b_s).
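Added example (my own code, not the authors' implementation) that puts steps 1-7 above together with the BDDC model from the "Delays & Packet Loss" slide: Sam prepares C and C′, both sets cross a simulated BDDC, Rachel builds I_s and I_{1−s} from what reached her at u0, and she unmasks b_s. Assumptions not stated on the slides: a geometric per-slot delay model, 16-bit identifiers, g_j read as the concatenation of the identifiers, and f chosen as a random inner-product (one-bit universal) hash.

```python
import random
# Added example (not the authors' code): the slides' OT protocol simulated over
# a Binary Discrete-time Delaying Channel. ID_BITS, the one-bit universal hash
# and every parameter below are constructed for illustration, not from [PP10].
ID_BITS = 16

def sam_prepare(n, rng):
    """C and C': (identifier e, sequence number i); e unique in C ∪ C', i shared."""
    ids = rng.sample(range(1 << ID_BITS), 2 * n)
    return [(ids[i], i) for i in range(n)], [(ids[n + i], i) for i in range(n)]

def bddc(strings, t, p, rng):
    """BDDC (assumed geometric model): a string sent at slot t is delayed one more slot w.p. p."""
    out = {}
    for string in strings:
        u = t
        while rng.random() < p:
            u += 1
        out.setdefault(u, []).append(string)
    return out

def f_hash(r, g):
    """f_r(g) = <r, g> mod 2: inner product with random r, a universal 1-bit hash."""
    return bin(r & g).count("1") % 2

def concat_ids(ids):
    """g_j = e^j_1 ... e^j_{n/2}, read here as the concatenation of the e's."""
    g = 0
    for e in ids:
        g = (g << ID_BITS) | e
    return g

def run_protocol(b0, b1, s, n, p, seed):
    """Return (Rachel's guess for b_s or None on abort, #e's of g_{1-s} she never got at u0)."""
    rng = random.Random(seed)
    C, C_prime = sam_prepare(n, rng)
    delivered = bddc(C, 0, p, rng)                       # step 1: C at t0 = 0
    for u, batch in bddc(C_prime, 1, p, rng).items():    # step 2: C' at t1 = 1
        delivered.setdefault(u, []).extend(batch)
    known = {i: e for (e, i) in delivered.get(0, [])}    # step 3: only undelayed C at u0
    if len(known) < n // 2:
        return None, None                                # cannot fill I_s: abort
    I = [None, None]                                     # step 5
    I[s] = sorted(known)[: n // 2]
    I[1 - s] = sorted(set(range(n)) - set(I[s]))
    r = rng.getrandbits(ID_BITS * (n // 2))              # step 6: Sam's f and masks
    e_of = {i: e for (e, i) in C}
    masked = [f_hash(r, concat_ids(e_of[i] for i in I[j])) ^ b for j, b in ((0, b0), (1, b1))]
    guess = f_hash(r, concat_ids(known[i] for i in I[s])) ^ masked[s]  # step 7
    return guess, sum(1 for i in I[1 - s] if i not in known)
```

The second return value counts identifiers of g_{1−s} that Rachel never received at u0, i.e. the ones she could at best guess from the ambiguous u1 deliveries; this is the uncertainty the Security slide relies on.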


Security

◮ Rachel learns b_s.
◮ Rachel does not have enough information to build e′_{1−s}, and therefore cannot decode b_{1−s}.
◮ Sam does not get feedback from the channel, and therefore cannot guess I_s from I_0, I_1.


Back to the real world

Can we use this protocol over a real network?

◮ In [PP11] we proved that we can use packet reordering happening over wired networks to build OT.
◮ Analysis of wireless communication shows that the amount of noise is sufficient for OT.

We are now experimenting over real network protocols:

◮ Real-time Transport Protocol (RTP),
◮ Real Time Streaming Protocol (RTSP),
◮ ...


Thank you!


References I

[Yao82] Yao, A.: Protocols for secure computations (extended abstract). In: FOCS 1982, pp. 160-164.

[Rab81] Rabin, M.O.: How to exchange secrets by oblivious transfer. Technical Report TR-81, Aiken Computation Laboratory, Harvard University (1981), manuscript.

[Cré87] Crépeau, C.: Equivalence between two flavours of oblivious transfers. In: Advances in Cryptology - CRYPTO '87, pp. 350-354.

[May97] Mayers, D.: Unconditionally secure quantum bit commitment is impossible. Physical Review Letters, Vol. 78, no. 17, 28 April 1997, pp. 3414-3417.


References II

[CK88] Crépeau, C., Kilian, J.: Achieving oblivious transfer using weakened security assumptions (extended abstract). In: FOCS 1988, pp. 42-52.

[DKS99] Damgård, I., Kilian, J., Salvail, L.: On the (im)possibility of basing oblivious transfer and bit commitment on weakened security assumptions. In: EUROCRYPT 1999, pp. 56-73.

[DFMS04] Damgård, I., Fehr, S., Morozov, K., Salvail, L.: Unfair noisy channels and oblivious transfer. In: TCC 2004, pp. 355-373.

[Wul09] Wullschleger, J.: Oblivious transfer from weak noisy channels. In: TCC 2009, pp. 332-349.

References III

[CMW04] Crépeau, C., Morozov, K., Wolf, S.: Efficient unconditional oblivious transfer from almost any noisy channel. In: SCN 2004, pp. 47-59.

[PP10] Palmieri, P., Pereira, O.: Building oblivious transfer on channel delays. In: Inscrypt 2010, pp. 125-138.

[PP11] Palmieri, P., Pereira, O.: Implementing information-theoretically secure oblivious transfer from packet reordering. In: ICISC 2011, pp. 332-345.