Secure Computation Martin Beck


1 Institute of Systems Architecture, Chair of Privacy and Data Security Secure Computation Martin Beck Dresden,

2 Index Homomorphic Encryption The Cloud problem (overview & example) System properties Available systems Further primitives Multi-Party Computation Usage examples Properties Related Topics Privacy-preserving publication of data More interesting things Slide 2


4 Homomorphic Encryption Slide 4

5 Cloud Overview Public Cloud Slide 5

6 Top Data Breaches Slide 6

7 Cloud Services Slide 7

8 Cloud Interesting cases Storage Use only storage capacity Compute Use storage and compute capacity of provider Slide 8

9 Cloud Storage How to share? Cryptographic Access Control How to search? Searchable Encryption How much may provider learn? Metadata of files? Size/time/location of edits? Access patterns? Slide 9

10 Cloud Compute Decrypt then process? Secure Computation! Slide 10

11 Homomorphic Encryption Goals Preserve Input Confidentiality User A doesn't fully trust Cloud Still wants to use provided resources Cloud should not learn private inputs of A However, having more than one party: It only guarantees that the actual input will not get known No guarantees about inference attacks $\frac{a + b}{2}$ Slide 11


13 Homomorphic Encryption Let E() be an encryption system Let denote an operation upon ciphertexts Let denote an operation upon plaintexts E() is called a homomorphic encryption system (HE) if E x E y = E(x y) At least one such homomorphism must exist for any HE. Slide 13

14 Homomorphic Encryption Additive / Multiplicative additive HE: Supports additions over plaintexts: E x E y = E(x + y) multiplicative HE: Supports multiplications over plaintexts: E x E y = E(x y) Slide 14

15 Homomorphic Encryption Somewhat/Fully Homomorphic somewhat HE: Supports both operations: E x E y = E x + y E x E y = E(x y) But only a limited number of multiplications Similarly for a leveled HE system. fully HE: Supports an unlimited number of both operations Can evaluate arbitrary boolean circuits Slide 15


17 Homomorphic Encryption Available Systems RSA: Everything mod n; m - plaintext, e - public key, c - ciphertext: $c_1 = m_1^e$, $c_2 = m_2^e$ Multiplicative HE (k plaintext constant): $c_1 \cdot c_2 = m_1^e \cdot m_2^e = (m_1 m_2)^e$, $c_1^k = m_1^{ek} = (m_1^k)^e$ Limitations: Deterministic, cannot encrypt 0 ElGamal as indeterministic example Slide 17

18 Homomorphic Encryption Available Systems Modular exponentiation: (basis for many additive schemes) Everything mod n; m - plaintext, g - public key (group generator), c - ciphertext: $c_1 = g^{m_1}$, $c_2 = g^{m_2}$ Additive HE (k plaintext constant): $c_1 \cdot c_2 = g^{m_1} \cdot g^{m_2} = g^{m_1 + m_2}$, $c_1^k = (g^{m_1})^k = g^{m_1 k}$ Limitations: Deterministic; no cryptosystem, not a trapdoor function Slide 18

19 Homomorphic Encryption Semantic Security Indeterministic Encryption c = E x, r, c = E x, r Indistinguishable ciphertexts Prevents: Dictionary attacks (precomputed ciphertexts) Bruteforcing of possible plaintexts Slide 19
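The RSA and semantic-security slides above, worked through as an added example (not part of the original slides): textbook RSA and ElGamal are both multiplicatively homomorphic, but only ElGamal randomizes its ciphertexts, so a table of precomputed encryptions matches RSA ciphertexts and not ElGamal ones. All parameters and function names are constructed for illustration and are far too small for real use.

```python
import secrets

# Constructed toy parameters, far too small for real use.
P, Q, E = 1009, 1013, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))            # RSA private exponent

GP, G = 2**127 - 1, 3                         # ElGamal prime modulus and base
X = secrets.randbelow(GP - 2) + 1             # ElGamal private key
H = pow(G, X, GP)                             # ElGamal public key

def rsa_enc(m):
    return pow(m, E, N)                       # c = m^e mod n, no randomness

def rsa_dec(c):
    return pow(c, D, N)

def rsa_mul(c1, c2):
    return c1 * c2 % N                        # m1^e * m2^e = (m1 * m2)^e

def elgamal_enc(m, r=None):
    r = r or secrets.randbelow(GP - 2) + 1    # fresh randomness per ciphertext
    return pow(G, r, GP), m * pow(H, r, GP) % GP

def elgamal_dec(c):
    c1, c2 = c
    return c2 * pow(c1, GP - 1 - X, GP) % GP  # c2 / c1^x via Fermat's theorem

def elgamal_mul(a, b):
    return a[0] * b[0] % GP, a[1] * b[1] % GP # component-wise product

def table_lookup(target, candidates, enc):
    """Match a ciphertext against precomputed encryptions of candidates."""
    table = {enc(m): m for m in candidates}
    return table.get(target)

if __name__ == "__main__":
    print("RSA     E(6)*E(7) ->", rsa_dec(rsa_mul(rsa_enc(6), rsa_enc(7))))
    print("RSA     E(3)^4    ->", rsa_dec(pow(rsa_enc(3), 4, N)))
    print("RSA     E(0)      ->", rsa_enc(0))
    print("ElGamal E(6)*E(7) ->",
          elgamal_dec(elgamal_mul(elgamal_enc(6), elgamal_enc(7))))
    print("table vs RSA      ->", table_lookup(rsa_enc(17), range(100), rsa_enc))
    print("table vs ElGamal  ->",
          table_lookup(elgamal_enc(17), range(1, 100), elgamal_enc))
```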

20 Homomorphic Encryption Available Systems Overview Cryptographic Scheme Expansion Operation RSA 1 Goldwasser-Micali log 2 n ElGamal 2 + or Okamoto-Uchiyama 3 + Benaloh log 2 n log 2 r + Naccache-Stern log 2 n log 2 r + Joye-Libert log 2 n log 2 r + Paillier 2 + Damgard-Jurik log 2 n s+1 log 2 n s + BGN log 2 n log 2 r +, one BGV w/o batching , BGV with batching , Gentry-Halevi , LTV , Slide 20
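An added example (not from the original slides) of the additive case using Paillier, one of the schemes in the overview: the party holding only the public key multiplies ciphertexts to add plaintexts and raises a ciphertext to k to multiply its plaintext by k, which is the same pattern as the modular-exponentiation slide but with randomized, decryptable ciphertexts. The toy primes, the choice g = n + 1 and all function names are assumptions made for this sketch.

```python
import math
import secrets

P, Q = 1009, 1013                        # constructed toy primes, not secure
N = P * Q
N2 = N * N
LAM = (P - 1) * (Q - 1) // math.gcd(P - 1, Q - 1)   # lcm(p-1, q-1)
MU = pow(LAM, -1, N)                     # decryption constant when g = n + 1

def encrypt(m, r=None):
    """c = (1 + n)^m * r^n mod n^2, with r random and coprime to n."""
    while r is None or math.gcd(r, N) != 1:
        r = secrets.randbelow(N - 1) + 1
    return (1 + m * N) * pow(r, N, N2) % N2

def decrypt(c):
    """m = L(c^lam mod n^2) * mu mod n, where L(u) = (u - 1) / n."""
    return (pow(c, LAM, N2) - 1) // N * MU % N

def add(c1, c2):
    return c1 * c2 % N2                  # E(x) * E(y) -> E(x + y)

def scale(c, k):
    return pow(c, k, N2)                 # E(x)^k -> E(k * x)

def cloud_weighted_sum(ciphertexts, weights):
    """Runs on the untrusted side: needs only ciphertexts and the modulus."""
    acc = 1                              # 1 is an encryption of 0 (r = 1)
    for c, w in zip(ciphertexts, weights):
        acc = add(acc, scale(c, w))
    return acc

if __name__ == "__main__":
    values = [120, 80, 95]               # constructed private inputs of user A
    cts = [encrypt(v) for v in values]
    print("sum          ->", decrypt(cloud_weighted_sum(cts, [1, 1, 1])))
    print("weighted sum ->", decrypt(cloud_weighted_sum(cts, [2, 3, 1])))
    print("same plaintext, different ciphertexts:",
          encrypt(7, r=2) != encrypt(7, r=3))
```

Results must stay below n, otherwise the decrypted sum wraps around modulo n.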


22 Further Primitives (t, n)-Threshold Encryption, Signatures: Split private key in parts and distribute them to n parties Order-preserving encryption: If $m_1 < m_2$ then $E(m_1) < E(m_2)$, similar for > Key-homomorphic pseudo-random number generators: PRNG s 0 PRNG s 1 = PRNG s 0 s 1 Homomorphic Hashes, Signatures Identity-based encryption Attribute-based encryption Commutative encryption: $E_A(E_B(x)) = E_B(E_A(x))$ Slide 22

23 Further Primitives Slide 23


25 Multi-Party Slide 25

26 Multi-Party Example Data-Mining over patient records from several clinics/hospitals Slide 26

27 Multi-Party Usage Network Security Identification and mitigation of wide-scale attacks (early detection and characterization) DOMINO (Yegneswaran et al. 2004), a distributed IDS specifies lack of privacy as major issue Efficient PPDM needed for traffic classification, signature extraction and propagation analysis Profiling and Performance Analysis Collaboration of largest network providers would allow calculation of global internet statistics Estimation of traffic growth rate was overestimated in nineties by a factor of 10 Slide 27

28 Multi-Party Usage Logs of first 4 days used to learn mean μ and standard deviation σ Anomalies were detected for the remaining 7 days Slide 28


30 Multi-Party Goals Preserve Input Confidentiality User A doesn't fully trust User B Still wants to jointly compute a function over both inputs None of them should learn the input of the other party However, having more than one party: No guarantees about inference attacks $\frac{a + b}{2}$ Slide 30

31 Multi-Party System Users want to jointly compute a function $f(x, y)$ Represent as binary circuit Minimize number of gates Guarantee that nothing else is learned about any other input, than what can be derived from own input and result Slide 31

32 Multi-Party System Slide 32

33 Multi-Party Solution Result Delivery Secure Computation Secret Sharing Slide 33
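An added example (not from the original slides) of the secret-sharing route named on the solution slide, applied to a joint sum: each party splits its private value into random additive shares, only share sums are published, and the total is still exact. It also shows the limit stated on the goals slide: the result plus a party's own input (or the inputs of a coalition) determines what is left, so with two parties the other input follows directly from the mean. The modulus, function names and sample values are assumptions made for this sketch.

```python
import secrets

MOD = 2**61 - 1          # assumed share modulus, larger than any real sum

def share(value, n):
    """Split value into n additive shares that sum to value mod MOD."""
    parts = [secrets.randbelow(MOD) for _ in range(n - 1)]
    return parts + [(value - sum(parts)) % MOD]

def secure_sum(inputs):
    """Simulate all parties: party i sends share j of its input to party j."""
    n = len(inputs)
    dealt = [share(v, n) for v in inputs]          # dealt[i][j]: from i to j
    # Party j publishes only the sum of the shares it received.
    partials = [sum(row[j] for row in dealt) % MOD for j in range(n)]
    return sum(partials) % MOD, partials

def residual(total, known_inputs):
    """What the result reveals to parties who pool their own inputs."""
    return (total - sum(known_inputs)) % MOD

if __name__ == "__main__":
    counts = [412, 97, 1530]                        # constructed private inputs
    total, partials = secure_sum(counts)
    print("published partial sums:", partials)      # look random on each run
    print("joint total:", total, "mean:", total / len(counts))

    # Two of three parties pooling their inputs isolate the third one.
    print("coalition of 2 learns:", residual(total, counts[:2]))

    # Two-party case from the goals slide: the mean (a + b) / 2 and own a
    # give b, however secure the protocol itself is.
    a, b = 30, 50
    total2, _ = secure_sum([a, b])
    print("party A infers b =", residual(total2, [a]))
```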


35 Related Topics Slide 35

36 Related Issues PPDM 1/2 Privacy-Preserving Data Mining Perform Data-Mining upon anonymized data Privacy-guarantees (Differential privacy) Collection Anonymization Publishing Slide 36

37 Related Issues PPDM 2/2 k-anonymity (Sweeney and Samarati 1998) ZIP Code Age Disease Heart Disease Heart Disease Heart Disease Flu Heart Disease Cancer Heart Disease Cancer Cancer k=3 ZIP Code Age Disease 1 476** 2* Heart Disease 2 476** 2* Heart Disease 3 476** 2* Heart Disease * 40 Flu * 40 Heart Disease * 40 Cancer 7 476** 3* Heart Disease 8 476** 3* Cancer 9 476** 3* Cancer Slide 37

38 Related Issues PPDM Privacy vs. Utility Choice of group elements influences utility Information loss due to no optimization Show case: Same level of anonymization but different accuracy ID ZIP Code Age Disease Heart Disease Flu Flu Cancer Heart Disease Cancer Original table gid ID ZIP Code Age Disease [02-78] [22-27] Heart Disease [02-78] [22-27] Flu [5-6] [43-47] Flu [5-6] [43-47] Cancer [5-7] [30-32] Heart Disease [5-7] [30-32] Cancer Good utility gid ID ZIP Code Age Disease [ ] [22-47] Heart Disease [ ] [27-30] Flu [ ] [32-43] Flu [ ] [22-47] Cancer [ ] [27-30] Heart Disease [ ] [32-43] Cancer Poor utility Slide 38


40 Related Issues Attacks Typical Attacks Collusion 2 parties deliberately collaborate Inference Try to learn secret from answers Not following the security model (HBC, Covert) Using wrong input Performing different operations Stop after receiving own information (Fairness) Slide 40

41 What do we do with all of this? Construct privacy-preserving protocols Comparisons of elements (strings, vectors, ...) Set operations Build a distributed DB with some of the schemes applied secdb Homomorphic MACs/signatures for secure network coding Inference control despite encrypted queries Slide 41

42 Thank you. Discussion. Slide 42

43 Backup Slide 43

44 Outsourcing Situation Origin Local infrastructure/resources too weak Need for new/centralized functionality Pros Cheap resources and efficient scaling Increased Availability Big Data analyses Cons Confidentiality and integrity of information Where is my data? Slide 44

45 Two-Party Private input from 2 parties Trusted Third Party Slide 45

46 Multi-Party Situation Origin Perform a joint computation on several inputs Private input on many sides Slide 46

47 Two-Party Situation Origin Perform a joint comparison Private input on both sides Slide 47

48 Two-Party Private input from 2 parties How to operate without handing out data?? Slide 48

49 Outsourcing Example 2 Slide 49