Secure Computation Martin Beck


Institute of Systems Architecture, Chair of Privacy and Data Security
Secure Computation
Martin Beck, Dresden, 05.02.2015

Index Slide 2
Homomorphic Encryption
- The Cloud problem (overview & example)
- System properties
- Available systems
- Further primitives
Multi-Party Computation
- Usage examples
- Properties
Related Topics
- Privacy-preserving publication of data
- More interesting things


Homomorphic Encryption Slide 4

Cloud Overview Public Cloud Slide 5

Top Data Breaches Slide 6 (chart of the largest data breaches per year, 2011-2014; the values are not recoverable from the transcription)

Cloud Services Slide 7

Cloud - Interesting cases Slide 8
Storage: use only the storage capacity of the provider
Compute: use the storage and the compute capacity of the provider

Cloud Storage Slide 9
How to share? Cryptographic access control
How to search? Searchable encryption
How much may the provider learn? Metadata of files? Size/time/location of edits? Access patterns?

Cloud Compute Decrypt then process? Secure Computation! Slide 10

Homomorphic Encryption - Goals Slide 11
Preserve input confidentiality:
- User A doesn't fully trust the Cloud, but still wants to use the provided resources
- The Cloud should not learn the private inputs of A
However, with more than one party this only guarantees that the actual inputs do not become known; there is no guarantee against inference attacks. Example: if the Cloud computes the average (a + b) / 2 of two parties' inputs, a party that knows a and learns the result can infer b.


Homomorphic Encryption Slide 13
Let E() be an encryption system. Let ⊙ denote an operation upon ciphertexts and ∗ an operation upon plaintexts. E() is called a homomorphic encryption system (HE) if E(x) ⊙ E(y) = E(x ∗ y). At least one such homomorphism must exist for any HE.

Homomorphic Encryption - Additive / Multiplicative Slide 14
additive HE: supports additions over plaintexts: E(x) ⊕ E(y) = E(x + y)
multiplicative HE: supports multiplications over plaintexts: E(x) ⊗ E(y) = E(x · y)

Homomorphic Encryption - Somewhat / Fully Homomorphic Slide 15
somewhat HE: supports both operations, E(x) ⊕ E(y) = E(x + y) and E(x) ⊗ E(y) = E(x · y), but only a limited number of multiplications. A leveled HE system is similar: the number of supported multiplications (the multiplicative depth) is fixed in advance by a parameter.
fully HE: supports an unlimited number of both operations and can therefore evaluate arbitrary boolean circuits.


Homomorphic Encryption - Available Systems: RSA Slide 17
Everything mod n. m: plaintext, e: public key, c: ciphertext, k: public plaintext constant
c1 = m1^e, c2 = m2^e
Multiplicative HE:
c1 · c2 = m1^e · m2^e = (m1 · m2)^e = E(m1 · m2)
c1^k = m1^(e·k) = (m1^k)^e = E(m1^k)
Limitations: textbook RSA is deterministic (the same plaintext always yields the same ciphertext), and 0 cannot be hidden (E(0) = 0). ElGamal is the probabilistic (non-deterministic) multiplicative example.

Homomorphic Encryption - Available Systems: Modular exponentiation (basis for many additive schemes) Slide 18
Everything mod n. m: plaintext, g: public key (group generator), c: ciphertext, k: public plaintext constant
c1 = g^m1, c2 = g^m2
Additive HE:
c1 · c2 = g^m1 · g^m2 = g^(m1 + m2)
c1^k = (g^m1)^k = g^(m1 · k)
Limitations: deterministic, and on its own not a cryptosystem: g^m is not a trapdoor function, so recovering m means solving a discrete logarithm (feasible only for a small message space).

Homomorphic Encryption - Semantic Security Slide 19
Probabilistic (non-deterministic) encryption: c = E(x, r) and c' = E(x, r') with fresh randomness r, r' are indistinguishable ciphertexts of the same plaintext.
Prevents: dictionary attacks (precomputed ciphertexts) and brute-forcing of the possible plaintexts.

Homomorphic Encryption - Available Systems: Overview Slide 20
(expansion = ciphertext size relative to plaintext size; n is the modulus, r the plaintext-space size where the scheme has one)

Cryptographic scheme   | Expansion                          | Operation
RSA                    | 1                                  | ×
Goldwasser-Micali      | log2 n                             | XOR (one bit per ciphertext)
ElGamal                | 2                                  | + or × (× natively; + in the exponential variant)
Okamoto-Uchiyama       | 3                                  | +
Benaloh                | log2 n / log2 r                    | +
Naccache-Stern         | log2 n / log2 r                    | +
Joye-Libert            | log2 n / log2 r                    | +
Paillier               | 2                                  | +
Damgård-Jurik          | log2 n^(s+1) / log2 n^s = (s+1)/s  | +
BGN                    | log2 n / log2 r                    | +, one ×
BGV without batching   | 6.8 · 10^7                         | +, ×
BGV with batching      | 6.8 · 10^4                         | +, ×
Gentry-Halevi          | 8 · 10^5                           | +, ×
LTV                    | 1.28 · 10^5                        | +, ×
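The three constructions from the preceding slides, worked through in code as an added example (this is not code from the deck or its author): the multiplicative homomorphism of textbook RSA together with its two limitations, the additive homomorphism of g^m with its missing trapdoor, and Paillier as the probabilistic additive scheme from the table, used for the two-party sum whose inference problem the goals slide mentions. All primes, generators and inputs are constructed toy values chosen so the algebra can be checked by hand; they are far too small to be secure.

```python
"""Toy versions of the three homomorphisms on the slides (added example, not from the
original deck).  Parameters are tiny constructed primes so every step can be checked
by hand; nothing here is secure, the point is the algebra on ciphertexts."""
import secrets
from math import gcd

P, Q = 61, 53              # constructed toy primes
N = P * Q                  # 3233

# --- Textbook RSA: multiplicative homomorphism (slide 17) -----------------------
E = 17
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent (Python >= 3.8)


def rsa_enc(m):
    return pow(m, E, N)


def rsa_dec(c):
    return pow(c, D, N)


def rsa_product(m1, m2):
    """The cloud multiplies two ciphertexts it cannot read; the owner decrypts m1*m2 mod N."""
    return rsa_dec((rsa_enc(m1) * rsa_enc(m2)) % N)


def rsa_power(m, k):
    """c^k = (m^e)^k = (m^k)^e, so raising a ciphertext to a public constant k hides m^k."""
    return rsa_dec(pow(rsa_enc(m), k, N))


# --- Exponentiation g^m: additive, but no trapdoor (slide 18) ------------------
PRIME, G = 1009, 2        # constructed toy group; messages are kept far below ord(G)


def exp_enc(m):
    return pow(G, m, PRIME)


def exp_add(c1, c2):      # g^m1 * g^m2 = g^(m1+m2)
    return (c1 * c2) % PRIME


def exp_scale(c, k):      # (g^m)^k = g^(m*k)
    return pow(c, k, PRIME)


def exp_dec(c, bound=200):
    """There is no secret key: recovering m means solving a discrete log.  With a
    real group size this is infeasible, which is why g^m alone is not a cryptosystem."""
    for m in range(bound):
        if pow(G, m, PRIME) == c:
            return m
    raise ValueError("no discrete log below bound")


# --- Paillier: probabilistic additive HE (semantically secure, slides 19/20) -----
N2 = N * N
LAM = (P - 1) * (Q - 1) // gcd(P - 1, Q - 1)     # lcm(p-1, q-1)
MU = pow(LAM, -1, N)


def paillier_enc(m, r=None):
    """c = (1+n)^m * r^n mod n^2 with fresh random r: equal plaintexts give different ciphertexts."""
    if r is None:
        while True:
            r = secrets.randbelow(N - 1) + 1
            if gcd(r, N) == 1:
                break
    return (pow(1 + N, m, N2) * pow(r, N, N2)) % N2


def paillier_dec(c):
    u = pow(c, LAM, N2)               # r^(n*lambda) vanishes, leaving 1 + m*lambda*n
    return ((u - 1) // N * MU) % N


def paillier_add(c1, c2):             # E(a) * E(b) = E(a + b)
    return (c1 * c2) % N2


def paillier_scale(c, k):             # E(a)^k = E(k * a)
    return pow(c, k, N2)


def outsourced_sum(a, b):
    """Two parties hand E(a), E(b) to the cloud, which returns E(a+b) without learning a or b.
    Inference caveat from the slides: whoever decrypts the sum and knows a now knows b too."""
    return paillier_dec(paillier_add(paillier_enc(a), paillier_enc(b)))


if __name__ == "__main__":
    print("RSA  E(7)*E(5) ->", rsa_product(7, 5))
    print("RSA is deterministic:", rsa_enc(42) == rsa_enc(42), "and E(0) =", rsa_enc(0))
    print("g^m  E(7)*E(5) ->", exp_dec(exp_add(exp_enc(7), exp_enc(5))))
    print("Paillier E(7,r=2) != E(7,r=3):", paillier_enc(7, 2) != paillier_enc(7, 3))
    print("Paillier E(7)*E(5) ->", outsourced_sum(7, 5))
```

Note the two concrete checks the slides ask for: rsa_enc(42) equals itself on every call and rsa_enc(0) is 0, which is exactly what a dictionary attack exploits, while paillier_enc(7, 2) and paillier_enc(7, 3) differ yet both decrypt to 7.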


Further Primitives Slide 22
- (t, n)-threshold encryption and signatures: split the private key into parts and distribute them to n parties; any t of them together can decrypt or sign
- Order-preserving encryption: if m1 < m2 then E(m1) < E(m2), similarly for >
- Key-homomorphic pseudo-random number generators: PRNG(s0) ⊕ PRNG(s1) = PRNG(s0 ⊕ s1)
- Homomorphic hashes and signatures
- Identity-based encryption
- Attribute-based encryption
- Commutative encryption: E_A(E_B(x)) = E_B(E_A(x))

Further Primitives Slide 23


Multi-Party Slide 25

Multi-Party Example Data-Mining over patient records from several clinics/hospitals Slide 26

Multi-Party - Usage Slide 27
Network security:
- Identification and mitigation of wide-scale attacks (early detection and characterization)
- DOMINO (Yegneswaran et al. 2004), a distributed IDS, names the lack of privacy as a major issue
- Efficient privacy-preserving data mining (PPDM) is needed for traffic classification, signature extraction and propagation analysis
Profiling and performance analysis:
- Collaboration of the largest network providers would allow the calculation of global Internet statistics
- The traffic growth rate in the nineties was overestimated by a factor of 10

Multi-Party - Usage (figure) Slide 28: the logs of the first 4 days are used to learn the mean μ and standard deviation σ; anomalies are detected for the remaining 7 days.


Multi-Party - Goals Slide 30
Preserve input confidentiality:
- User A doesn't fully trust User B, but still wants to jointly compute a function over both inputs
- Neither of them should learn the input of the other party
However, with more than one party there is no guarantee against inference attacks: for the average (a + b) / 2, for example, each party can derive the other's input from the result and its own input.

Multi-Party - System Slide 31
- Users want to jointly compute a function f(x, y)
- Represent f as a binary circuit and minimize the number of gates
- Guarantee that nothing is learned about any other input beyond what can be derived from one's own input and the result

Multi-Party System Slide 32

Multi-Party Solution Result Delivery Secure Computation Secret Sharing Slide 33
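The secret-sharing route to the joint computation above, as an added example that is not part of the deck: a simulated n-party protocol that computes only the sum of private inputs (the constructed scenario is the patient-count data mining across clinics from the usage slides), written so the guarantee on slide 31 and its limit can both be checked. The honest-but-curious view of any single party consists of uniformly random shares plus partial sums that are themselves shares, so it reveals nothing beyond the result; the attack function shows the collusion case from the attacks slide, where all other parties together recover one party's input (and with two parties a single one can, as result minus own input). The field size and inputs are assumptions of the example.

```python
"""Additive secret sharing over Z_P for a joint sum (added example, not part of the deck).
Constructed scenario: n clinics each hold a private patient count and want only the total.
Every input is split into n random shares that sum to it; each party receives one share of
every input.  Any n-1 shares are uniformly random, so an honest-but-curious party that
sees its own shares plus the published partial sums learns nothing beyond the result.
collusion_attack shows the limit: all parties except one can recover that party's input."""
import secrets

P = 2**61 - 1           # prime modulus (assumption); the true sum must stay below P


def share(x, n):
    """Split x into n shares in Z_P that sum to x; any n-1 of them are uniform."""
    shares = [secrets.randbelow(P) for _ in range(n - 1)]
    shares.append((x - sum(shares)) % P)
    return shares


def reconstruct(shares):
    return sum(shares) % P


def secure_sum(inputs):
    """Simulate the protocol.

    Returns (result, held, partials): held[j][i] is the share of input i that party j
    holds after round 1, partials[j] is the value party j broadcasts in round 2."""
    n = len(inputs)
    held = [[0] * n for _ in range(n)]
    # round 1: party i sends share j of its input to party j (share i stays with i)
    for i, x in enumerate(inputs):
        for j, s in enumerate(share(x, n)):
            held[j][i] = s
    # round 2: each party adds the shares it holds and broadcasts the partial sum;
    # a partial sum is itself one share of the total, so alone it reveals nothing
    partials = [sum(row) % P for row in held]
    return reconstruct(partials), held, partials


def collusion_attack(held, partials, victim):
    """All parties except `victim` pool what they legitimately know.

    Colluder k generated every share of its own input, including held[victim][k],
    so the colluders can strip those from the victim's published partial sum and
    isolate the victim's own share of its own input.  The remaining shares of the
    victim's input were sent to the colluders themselves in round 1."""
    n = len(partials)
    known = sum(held[victim][k] for k in range(n) if k != victim)
    victims_own_share = (partials[victim] - known) % P
    others = sum(held[j][victim] for j in range(n) if j != victim)
    return (victims_own_share + others) % P


if __name__ == "__main__":
    counts = [120, 95, 310]            # constructed private inputs of three clinics
    total, held, partials = secure_sum(counts)
    print("joint total:", total)       # no clinic reveals its own count
    print("clinic 0's count recovered by clinics 1 and 2 colluding:",
          collusion_attack(held, partials, 0))
```

The protocol is the minimal instance of the slide's guarantee: the function is a sum, so the circuit has only addition gates, which additive shares evaluate locally without any interaction beyond the two rounds. Multiplication gates would need either a multiplication sub-protocol or a different representation, which is where the gate-count minimization on slide 31 starts to matter.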


Related Topics Slide 35

Related Issues - PPDM 1/2 Slide 36
Privacy-Preserving Data Mining: perform data mining upon anonymized data, with privacy guarantees (differential privacy)
Pipeline: Collection -> Anonymization -> Publishing

Related Issues - PPDM 2/2 Slide 37
k-anonymity (Sweeney and Samarati 1998)

Original table:
    ZIP Code  Age  Disease
1   47677     29   Heart Disease
2   47602     22   Heart Disease
3   47678     27   Heart Disease
4   47905     43   Flu
5   47909     52   Heart Disease
6   47906     47   Cancer
7   47605     30   Heart Disease
8   47673     36   Cancer
9   47607     32   Cancer

k = 3 (every combination of ZIP Code and Age occurs in at least three rows):
    ZIP Code  Age  Disease
1   476**     2*   Heart Disease
2   476**     2*   Heart Disease
3   476**     2*   Heart Disease
4   4790*     ≥40  Flu
5   4790*     ≥40  Heart Disease
6   4790*     ≥40  Cancer
7   476**     3*   Heart Disease
8   476**     3*   Cancer
9   476**     3*   Cancer

Related Issues - PPDM: Privacy vs. Utility Slide 38
- The choice of group elements influences utility
- Information loss due to no optimization
- Show case: same level of anonymization (k = 2) but different accuracy

Original table:
ID  ZIP Code  Age  Disease
1   47602     22   Heart Disease
2   47678     27   Flu
3   47905     43   Flu
4   47906     47   Cancer
5   47705     30   Heart Disease
6   47707     32   Cancer

Good utility:
gid  ID  ZIP Code     Age      Disease
1    1   476[02-78]   [22-27]  Heart Disease
1    2   476[02-78]   [22-27]  Flu
2    3   4790[5-6]    [43-47]  Flu
2    4   4790[5-6]    [43-47]  Cancer
3    5   4770[5-7]    [30-32]  Heart Disease
3    6   4770[5-7]    [30-32]  Cancer

Poor utility:
gid  ID  ZIP Code     Age      Disease
1    1   47[602-906]  [22-47]  Heart Disease
2    2   47[678-705]  [27-30]  Flu
3    3   47[707-905]  [32-43]  Flu
1    4   47[602-906]  [22-47]  Cancer
2    5   47[678-705]  [27-30]  Heart Disease
3    6   47[707-905]  [32-43]  Cancer
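To make the privacy/utility trade-off on the slide measurable, here is an added example (not code from the deck) that generalizes the slide's six rows under both groupings, checks the resulting k, and scores each result. The utility score is an assumption of this example: the normalized certainty penalty (NCP), the width of each generalized range divided by the attribute's domain width, averaged over rows and quasi-identifiers, which directly captures the information loss the slide points at. The rows and group assignments are taken from the slide.

```python
"""k-anonymity check and a utility score for generalized tables (added example, not from
the deck).  Rows and both groupings come from the slide's "Privacy vs. Utility" show case;
the utility metric (normalized certainty penalty, NCP) is an assumption of this example."""
from collections import Counter

# (id, zip, age, disease): original table from the slide
ROWS = [
    (1, 47602, 22, "Heart Disease"),
    (2, 47678, 27, "Flu"),
    (3, 47905, 43, "Flu"),
    (4, 47906, 47, "Cancer"),
    (5, 47705, 30, "Heart Disease"),
    (6, 47707, 32, "Cancer"),
]
# row id -> group id for the two 2-anonymous groupings on the slide
GOOD_GROUPS = {1: 1, 2: 1, 3: 2, 4: 2, 5: 3, 6: 3}
POOR_GROUPS = {1: 1, 4: 1, 2: 2, 5: 2, 3: 3, 6: 3}


def generalize(rows, group_of):
    """Replace the quasi-identifiers ZIP and age of every row by the [min, max] range
    of its group, as the slide does.  Returns (gid, zip_range, age_range, disease)."""
    members = {}
    for rid, z, a, _ in rows:
        members.setdefault(group_of[rid], []).append((z, a))
    ranges = {}
    for g, vals in members.items():
        zs, ages = [z for z, _ in vals], [a for _, a in vals]
        ranges[g] = ((min(zs), max(zs)), (min(ages), max(ages)))
    return [(group_of[rid], *ranges[group_of[rid]], d) for rid, _, _, d in rows]


def anonymity_k(table):
    """Largest k for which the table is k-anonymous: the size of the smallest
    equivalence class over the quasi-identifiers (columns 1 and 2)."""
    return min(Counter((row[1], row[2]) for row in table).values())


def ncp(table, rows):
    """Normalized certainty penalty: average over rows and quasi-identifiers of
    (generalized range width) / (domain width).  0 = no loss, 1 = fully suppressed."""
    zip_dom = max(r[1] for r in rows) - min(r[1] for r in rows)
    age_dom = max(r[2] for r in rows) - min(r[2] for r in rows)
    loss = 0.0
    for _, (z_lo, z_hi), (a_lo, a_hi), _ in table:
        loss += (z_hi - z_lo) / zip_dom + (a_hi - a_lo) / age_dom
    return loss / (2 * len(table))


def compare(rows=ROWS):
    """Both groupings reach k = 2; the NCP exposes the utility difference."""
    good, poor = generalize(rows, GOOD_GROUPS), generalize(rows, POOR_GROUPS)
    return {
        "k_original": anonymity_k(rows),
        "k_good": anonymity_k(good), "ncp_good": ncp(good, rows),
        "k_poor": anonymity_k(poor), "ncp_poor": ncp(poor, rows),
    }


if __name__ == "__main__":
    for key, val in compare().items():
        print(f"{key:12s} {val:.3f}" if isinstance(val, float) else f"{key:12s} {val}")
```

Running it shows the original table at k = 1 (every row is unique on ZIP and age), both generalizations at k = 2, and an NCP of roughly 0.12 for the good grouping against roughly 0.55 for the poor one: same anonymity guarantee, almost five times the information loss.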


Related Issues - Attacks Slide 40
Typical attacks:
- Collusion: two (or more) parties deliberately collaborate
- Inference: try to learn a secret from the answers
- Not following the security model (honest-but-curious, covert): using wrong inputs; performing different operations; stopping after receiving one's own result (fairness)

What do we do with all of this? Slide 41
- Construct privacy-preserving protocols: comparisons of elements (strings, vectors, ...), set operations
- Build a distributed DB with some of the schemes applied (secdb)
- Homomorphic MACs/signatures for secure network coding
- Inference control despite encrypted queries

Thank you. Discussion. Slide 42

Backup Slide 43

Outsourcing - Situation Slide 44
Origin: local infrastructure/resources too weak; need for new/centralized functionality
Pros: cheap resources and efficient scaling; increased availability; Big Data analyses
Cons: confidentiality and integrity of information; where is my data?

Two-Party Private input from 2 parties Trusted Third Party Slide 45

Multi-Party - Situation Slide 46
Origin: perform a joint computation on several inputs; private input on many sides

Two-Party - Situation Slide 47
Origin: perform a joint comparison; private input on both sides

Two-Party Slide 48
Private input from 2 parties. How to operate without handing out the data?

Outsourcing Example 2 Slide 49