CS573 Data Privacy and Security Secure Multiparty Computation - - PowerPoint PPT Presentation

CS573 Data Privacy and Security Secure Multiparty Computation

Problem and security definitions Li Xiong

Outline

• Cryptographic primitives
• Symmetric Encryption
• Public Key Encryption
• Secure Multiparty Computation
• Problem and security definitions
• General constructions

Basic notation

• Plaintext (m):

– the original message

• Ciphertext (c):

– the coded message

• Secret key (k):

– info used in cipher known only to sender/receiver

• Encryption function Ek(m):

– performs substitutions/ transformations on plaintext

• Decryption function Dk(c):

– inverse of encryption algorithm

• Efficiency:

– functions EK and DK should have efficient algorithms

• Consistency:

– Decrypting the ciphertext yields the plaintext DK(EK(m)) = m

4

E D

m plaintext k encryption key k’ decryption key Ek(m) ciphertext Dk’(Ek(m)) = m attacker

Operational model of encryption

• Kerckhoff’s assumption:

– attacker knows E and D – attacker doesn’t know the (decryption) key

• attacker’s goal:

– to systematically recover plaintext from ciphertext – to deduce the (decryption) key

• attack models:

– ciphertext-only – known-plaintext – (adaptive) chosen-plaintext – (adaptive) chosen-ciphertext

Symmetric Encryption

• or conventional / secret-key / single-key
• sender and recipient share a common key
• Scenario:

– Alice wants to send a message (plaintext P) to Bob – The communication channel is insecure and can be eavesdropped – If Alice and Bob have previously agreed on a symmetric encryption scheme and a secret key K, the message can be sent encrypted (ciphertext C)

Symmetric Key Cryptography

symmetric key crypto: Bob and Alice share know same (symmetric) key: KA-B

plaintext ciphertext

K

A-B encryption algorithm decryption algorithm

K

A-B plaintext message, m c=KA-B (m) K (m)

A-B

m = K (

)

A-B

Outline

• Cryptographic primitives
• Symmetric Encryption
• Public Key Encryption
• Secure Multiparty Computations
• Problem and security definitions
• General constructions

Private-Key Cryptography

• traditional private/secret/single key

cryptography uses one key

• Sender and receiver must share the same key
• needs secure channel for key distribution
• impossible for two parties having no prior relationship
• if this key is disclosed communications are

compromised

• also is symmetric, parties are equal
• hence does not protect sender from receiver

forging a message & claiming is sent by sender

Public-Key Cryptography

• uses two keys – a public & a private key
• asymmetric since parties are not equal
• complements rather than replaces private key

crypto

– neither more secure than private key (security depends on the key size for both) – nor do they replace private key schemes (they are too slow to do so)

Public-Key Cryptography

• public-key/two-key/asymmetric cryptography

involves the use of two keys:

– a public-key, which may be known by anybody, and can be used to encrypt messages, and verify signatures – a private-key, known only to the recipient, used to decrypt messages, and sign (create) signatures

• Encryption: c = Epk(m)
• Decryption: m = Dsk(c)
• is asymmetric because

– those who encrypt messages or verify signatures cannot decrypt messages or create signatures

Public-Key Cryptography

Public-Key Characteristics

• Public-Key algorithms rely on two keys with

the characteristics that it is:

– computationally infeasible to find decryption key knowing only algorithm & encryption key – computationally easy to en/decrypt messages when the relevant (en/decrypt) key is known – either of the two related keys can be used for encryption, with the other used for decryption (in some schemes) – Many can encrypt, only one can decrypt

RSA (Rivest, Shamir, Adleman, 1978)

• basis
• intractability of integer factoring
• Setup:
• select p, q large primes
• n = pq, ф(n)= (p-1)(q-1)
• select e relatively prime to ф(n)
• compute d such that ed mod ф(n) = 1
• Keys:
• public key: KE= (n,e)
• private key: KD= d
• Encryption:
• Plaintext m
• c = me mod n
• Decryption:
• m= cd mod n

13

• Example:
• Setup:
• p =7, q=17
• n = 7.17 = 119
• ф(n) = 6 . 16 = 96
• e= 5
• d= 77
• Keys:
• public key: KE= (119, 5)
• private key: KD= 77
• Encryption:
• m = 19
• c = 195 mod 119 = 66
• Decryption:
• m= 6677 mod 119 = 19

Outline

• Cryptographic primitives
• Symmetric Encryption
• Public Key Encryption
• Secure Multiparty Computations
• Problem and security definitions
• General constructions

slide 15

Motivation

• General framework for describing computation

between parties who do not trust each other

• Example: elections

– N parties, each one has a “Yes” or “No” vote – Goal: determine whether the majority voted “Yes”, but no voter should learn how other people voted

• Example: auctions

– Each bidder makes an offer

• Offer should be committing! (can’t change it later)

– Goal: determine whose offer won without revealing losing offers

slide 16

More Examples

• Example: distributed data mining

– Two companies want to compare their datasets without revealing them

• For example, compute the intersection of two lists of

names

• Example: database privacy

– Evaluate a query on the database without revealing the query to the database owner – Evaluate a statistical query on the database without revealing the values of individual entries – Many variations

slide 17

A Couple of Observations

• In all cases, we are dealing with distributed

multi-party protocols

– A protocol describes how parties are supposed to exchange messages on the network

• All of these tasks can be easily computed by a

trusted third party

– The goal of secure multi-party computation is to achieve the same result without involving a trusted third party

Secure Multiparty Computation

• A set of parties with private inputs wish to

compute some joint function of their inputs.

• Parties wish to preserve some security
• properties. e.g., privacy and correctness.
• Security must be preserved in the face of

adversarial behavior by some of the participants, or by an external party.

Yao’s Millionaire Problem

• Two millionaires, Alice and Bob, who are

interested in knowing which of them is richer without revealing their actual wealth.

• This problem is analogous to a more general

problem where there are two numbers a and b and the goal is to solve the inequality without revealing the actual values of a and b.

slide 20

How to Define Security?

• Must be mathematically rigorous
• Must capture all realistic attacks that a

malicious participant may try to stage

• Should be “abstract”

– Based on the desired “functionality” of the protocol, not a specific protocol – Goal: define security for an entire class of protocols

A Rigorous Approach

• Provide an exact problem definition

– Adversarial power – Network model – Meaning of security

• Prove that the protocol is secure

– Often by reduction to an assumed hard problem, like factoring large composites

slide 22

Functionality

• K mutually distrustful parties want to jointly

carry out some task

• Model this task as a function

f: ({0,1}*)K ({0,1}*)K

• Assume that this functionality is computable in

probabilistic polynomial time

K inputs (one per party); each input is a bitstring K outputs

Defining Security

• The real/ideal model paradigm for defining

security [GMW,GL,Be,MR,Ca]:

– Ideal model: parties send inputs to a trusted party, who computes the function for them – Real model: parties run a real protocol with no trusted help

• A protocol is secure if any attack on a real

protocol can be carried out in the ideal model

slide 24

Ideal Model

• Intuitively, we want the protocol to behave “as if” a

trusted third party collected the parties’ inputs and computed the desired functionality

– Computation in the ideal model is secure by definition!

A B

x1 f2(x1,x2) f1(x1,x2) x2

slide 25

More Formally

• A protocol is secure if it emulates an ideal setting

where the parties hand their inputs to a “trusted party,” who locally computes the desired outputs and hands them back to the parties

[Goldreich-Micali-Wigderson 1987]

A B

x1 f2(x1,x2) f1(x1,x2) x2

Real world

• No trusted third party
• Participants run some protocol amongst

themselves without any help

• Despite that, secure protocol should emulate

an ideal setting.

• Real protocol that is run by the participants is

secure if

– no adversary can do more harm in real execution than an execution that takes place in the ideal world

slide 27

Adversary Models

• Some of protocol participants may be corrupt

– If all were honest, would not need secure multi-party computation

• Semi-honest (aka passive; honest-but-curious)

– Follows protocol, but tries to learn more from received messages than he would learn in the ideal model

• Malicious

– Deviates from the protocol in arbitrary ways, lies about his inputs, may quit at any point

• For now, we will focus on semi-honest adversaries

and two-party protocols

slide 28

Properties of the Definition

• How do we argue that the real protocol

“emulates” the ideal protocol?

• Correctness

– All honest participants should receive the correct result of evaluating function f

• Because a trusted third party would compute f correctly
• Privacy

– All corrupt participants should learn no more from the protocol than what they would learn in ideal model – What does corrupt participant learn in ideal model?

• His input (obviously) and the result of evaluating f

slide 29

Simulation

• Corrupt participant’s view of the protocol = record
• f messages sent and received

– In the ideal world, view consists simply of his input and the result of evaluating f

• How to argue that real protocol does not leak more

useful information than ideal-world view?

• Key idea: simulation

– If real-world view (i.e., messages received in the real protocol) can be simulated with access only to the ideal- world view, then real-world protocol is secure – Simulation must be indistinguishable from real view

Security proof tools

– Real/ideal model: the real model can be simulated in

the ideal model

• Key idea – Show that whatever can be computed by a

party participating in the protocol can be computed based on its input and output only

•  polynomial time S such that {S(x,f(x,y))} ≡ {View(x,y)}

Security proof tools

• Composition theorem

– if a protocol is secure in the hybrid model where the protocol uses a trusted party that computes the (sub) functionalities, and we replace the calls to the trusted party by calls to secure protocols, then the resulting protocol is secure – Prove that component protocols are secure, then prove that the combined protocol is secure

Outline

• Secure multiparty computation

– Defining security – General constructions

Construction paradigms

• Passively-secure computation for two-parties

– Use oblivious transfer to securely select a value

• Passively-secure computation with shares

– Use secret sharing scheme such that data can be reconstructed from some shares

• From passively-secure protocols to actively-

secure protocols

– Use zero-knowledge proofs to force parties to behave in a way consistent with the passively-secure protocol

1-out-of-2 Oblivious Transfer (OT)

1-out-of-2 Oblivious Transfer (OT)

• Inputs

– Sender has two messages m0 and m1 – Receiver has a single bit {0,1}

• Outputs

– Sender receives nothing – Receiver obtain m and learns nothing of m1-

slide 35

Oblivious Transfer (OT)

• Fundamental SMC primitive
• 1-out-of-2 Oblivious Transfer (OT)

S R

m0, m1 m  = 0 or 1 S inputs two bits, R inputs the index of one of S’s bits R learns his chosen bit, S learns nothing

– S does not learn which bit R has chosen; R does not learn the value of the bit that he did not choose [Rabin 1981]

Semi-Honest OT

• Let (G,E,D) be a public-key encryption scheme

– G is a key-generation algorithm (pk,sk)  G – Encryption: c = Epk(m) – Decryption: m = Dsk(c)

• Assume that a public-key can be sampled

without knowledge of its secret key:

– Oblivious key generation: pk  OG – El-Gamal encryption has this property

Semi-Honest OT

Protocol for Oblivious Transfer

• Receiver (with input ):

– Receiver chooses one key-pair (pk,sk) and one public-key pk’ (oblivious of secret-key). – Receiver sets pk = pk, pk1- = pk’ – Note: receiver can decrypt for pk but not for pk1- – Receiver sends pk0,pk1 to sender

• Sender (with input m0,m1):

– Sends receiver c0=Epk0(m0), c1=Epk1(m1)

• Receiver:

– Decrypts c using sk and obtains m.

Security Proof

• Intuition:

– Sender’s view consists only of two public keys pk0 and

• pk1. Therefore, it doesn’t learn anything about that

value of . – The receiver only knows one secret-key and so can only learn one message

• Note: this assumes semi-honest behavior. A

malicious receiver can choose two keys together with their secret keys.

Generalization

• Can define 1-out-of-k oblivious transfer

 Protocol remains the same:

 Choose k-1 public keys for which the secret key is

unknown

 Choose 1 public-key and secret-key pair