Vlad Kolesnikov Bell Labs DIMACS/Northeast Big Data Hub Workshop on - - PowerPoint PPT Presentation

vlad kolesnikov bell labs
SMART_READER_LITE
LIVE PREVIEW

Vlad Kolesnikov Bell Labs DIMACS/Northeast Big Data Hub Workshop on - - PowerPoint PPT Presentation

Jan 07, 2024 242 likes •470 views

Vlad Kolesnikov Bell Labs DIMACS/Northeast Big Data Hub Workshop on Privacy and Security for Big Data Apr 25, 2017 You are near Starbucks; here is a special Legislation may require user consent each ach tim ime for Location-Based Service (E.g.

slide-1
SLIDE 1

Vlad Kolesnikov Bell Labs

DIMACS/Northeast Big Data Hub Workshop on Privacy and Security for Big Data Apr 25, 2017

slide-2
SLIDE 2

You are near Starbucks; here is a special Legislation may require user consent each ach tim ime for Location-Based Service (E.g. SK Telecom, Korea)

slide-3
SLIDE 3

May I use your location now? OK Nevermind, there aren’t coupons Compliant location-based service: Here is a Starbucks coupon

slide-4
SLIDE 4

I want to query patient records HIPAA protects patient privacy. Only certain queries are OK. What is your query? My queries are private

slide-5
SLIDE 5

Ad campaign: I have a list of my customers. Display an upgrade offer to those who have researched FIOS. Neither company wishes to share customer lists and histories. FB protects data by instead exchanging hashes of data.

slide-6
SLIDE 6

Ask a Trusted Third Party for help. UserList C UserList F ⊥ 𝐺 ∩ 𝐷

“Any task involving a Trusted Third Party can also be implemented using a cryptographic protocol wi withou

  • ut an

any loss

  • ss of
  • f secu

ecurit ity.” [Yao86] [Goldreich Micali Wigderson 87]

slide-7
SLIDE 7

 Privacy and security enables data sharing  Secure multi-party computation (MPC)

  • Approaches and progress

 MPC for big(ger) data: private DB (if time)

slide-8
SLIDE 8

Protocol 𝜌

a b

Fa(a,b) Fb(a,b)

slide-9
SLIDE 9

OR AND

Circuit for F Alice encrypts Boolean wire signals

slide-10
SLIDE 10

OR AND

a b a b a˄b 1 1 1 1 1 a a b a b b a b Alice encrypts Boolean gates (truth tables) Goal: allow Bob to compute correct gate output key from input keys

slide-11
SLIDE 11

OR AND

a a b a b a˄b 1 1 1 1 1

a is Alice’s input

Alice sends this key

b is Bob’s input

Alice and Bob run Oblivous Transfer (OT) Bob receives key, while Alice learns nothing. a b a b b a b Decoding table for output wire 1

slide-12
SLIDE 12

$1,000 $10,000 $100,000 $1,000,000 $10,000,000 $100,000,000 $1,000,000,000 $10,000,000,000 $100,000,000,000 Aug 2001 Mar 2002 Oct 2002 May 2003 Dec 2003 Jul 2004 Feb 2005 Sep 2005 Apr 2006 Nov 2006 Jun 2007 Jan 2008 Aug 2008 Mar 2009 Oct 2009 May 2010 Dec 2010 Jul 2011 Feb 2012 Sep 2012 Apr 2013 Nov 2013

Cost to sequence genome Estimates and chart by Dave Evans (UVA)

slide-13
SLIDE 13

Bob only decrypts

  • cheating not possible
  • only abort

F(a,b) Alice can send a GC implementing wrong F Bob cannot tell!

slide-14
SLIDE 14

Post-processing

Check cks

Alice generates many copies of garbled circuits Check Set Evaluation Set Cut-and-choose technique 40 Circuits need to be sent to prevent cheating by Alice

slide-15
SLIDE 15

Check ck

All copies of garbled circuits Check Set Evaluation Set

Evalua luate te

Idea: Alice can cheat, but caught w prob 50% If caught, Bob gets irrefutable pub publi licly ve verifiable pr proof of

  • f che

cheating.

slide-16
SLIDE 16

All copies of garbled circuits Check Set Evaluation Set If cheating is discovered irrefutable pub public licly ve verifiable pr proo

  • of of
  • f ch

cheating can be produced Informal Theorem [KM15]: P is a secure protocol where: Aborting will not help cheating Alice Bob cannot defame honest Alice Proof does not reveal Bob’s input Very high efficiency (no public key operations)

slide-17
SLIDE 17

Be Before Aft fter Nobody can cheat Alice can cheat. Caught with prob ½. If caught, proof of cheating is published. Sufficient deterrent in most scenarios. 20X speed improvement ~30X, Free Hash [FGK17]

slide-18
SLIDE 18

Idea [GMS08]: don’t send circuits. Instead: 1) choose seed s 2) generate GC(PRG(s)) 3) compute h=SHA(GC) 4) send h. A cannot later send a wrong GC 5) A send s to open circuits 6) A send GC to evaluate Free Hash: ℎ =⊕ {GC labels}

slide-19
SLIDE 19

 GC hash definition weaker than standard collision resistance  Take advantage of the input to hash being a Garbled Circuit  Given a correctly generated garbled circuit and hash (GC; h)

  • If A finds

𝐻𝐷 such that 𝐼( 𝐻𝐷) = 𝐼(𝐻𝐷)

  • Then, w.h.p, the garbled circuit property of

𝐻𝐷 is broken

  • 𝐻𝐷 will fail to evaluate

 Verification of hash involves GC evaluation

slide-20
SLIDE 20

Ve(C, GC, d, e ) = accept H(GC) = H(GC) = h C GC, GC, e, e, d, h Same decoding information d De( Eval( GC, En( e, x), d) = 丄 for all x , w.h.p

slide-21
SLIDE 21

 Garbled rows are encryptions of output labels  Garbling of a gate relates garbled rows and input and output labels as

preimage/image of a crypto function

 Change in a garbled row or input label creates unpredictable change in

computed output label

 Hard to change active garbled rows and still get output label that you want  During GC evaluation, once label is wrong, hard to make it right  Idea: ensure all rows are active, i.e. GC evaluation involves all GC rows

  • *Not quite enough, but close. Not hard to work out precise requirements.
slide-22
SLIDE 22