1

Cryptography: on the Hope for Privacy in a Digital World

Omer Reingold, Weizmann and Harvard CRCS


2

So, is there Hope for Privacy?

• No! Privacy is doomed! Enjoy your sandwiches …

: Is this what we invited you for?

• On second thought, the digital world gives new hope for privacy!
  – Selling digital goods (w/ Bill Aiello and Yuval Ishai)
  – Keyword database search (w/ Mike Freedman, Yuval Ishai, and Benny Pinkas)

3

Day to Day Breaches of Privacy

• When/how can it be better?

4

Anonymity?

Alice

Bob

And Betty, when you call me, you can call me Al!

I can call you Betty,

Call me Al ......

Not in this Talk!

5

Selling Digital Goods

• How good are digital goods?
  – Entertainment: TV, music, video, books, software
  – Business: news, stock quotes, patents, layoff rumors
  – Research: papers, research databases, clip-art

• What’s special about digital goods?
  – Typically of unlimited supply (easy to duplicate).
  – Easy to communicate and manipulate

• Main goal: protect the privacy of clients
  – What
  – When
  – How much
  – (But not who)

6

Example

[Figure: Vendor and Buyer; labels "Key of" and "Encrypted Individually"]

7

Oblivious Transfer (OT) [R], 1-out-of-N [EGL]:

– Input:
  • Vendor: x1,x2,…,xn
  • Buyer: 1 ≤ j ≤ n

– Output:
  • Vendor: nothing
  • Buyer: xj

– Privacy:
  • Vendor: learns nothing about j
  • Buyer: learns nothing about xi for i ≠ j

• 4

– Not necessarily two messages

– Related notions: Private Information Retrieval [CGKS] / Symmetrically-Private Information Retrieval [GIKM]

[Figure: items x1, x2, x3, x4, …, xn; index j; output xj]

8

Priced OT [AIR]

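[Figure, first panel: Buyer makes an initial payment $ b0 to Vendor; set b = b0]

[Figure, second panel: Vendor holds prices p1, p2, …, pn and items k1, k2, …, kn; Buyer's input is i and Buyer's output is ki; b ← b - pi; k0, p0=0,]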

9

Comparison with E-cash [Cha85,CFN88,...]

                  E-cash      Priced OT
Payment           digital     any
Goods             any         digital
Hides             who         what +
Access to goods   anonymous   any

[Figure: Buyer, Vendor]

10

General Perspective

• Priced OT is an instance of secure two-party computation.

• Theoretical plausibility results are known [Yao,GMW].

• However: General solutions are costly (computation, bandwidth, rounds).

• A major endeavor in cryptography: Identifying interesting specific problems and suggesting more efficient solutions.

11

Tool: Homomorphic Encryption

Plaintexts from (G,+)

• E(a),E(b) → E(a+b);  E(a),c → E(c·a)

• |G| large prime

• Can use either additive G = Z_P or multiplicative G ⊆ Z_P^*

• In particular, can use El-Gamal.

12

Conditional Disclosure of Secrets [GIKM,AIR]

• Honest Buyer: V(q) = True

• How to protect against a malicious Buyer?
  – Method 1: Buyer proves in ZK that V(q) = True;
  – Method 2: Vendor discloses a subject to the condition V(q) = True.

• Notation: CDS( a ; V(q) )

[Figure: Buyer holds (sk,pk) and sends E(q), pk; Vendor holds a and returns E(a) / E(CDS( a ; V(q) ))]

13

Conditional Disclosure of Secrets - Implementation

• a,q,i ∈ G;  CDS(a ; q=i) : a+r(q-i),  r ∈R {1,…,|G|}

• E is homomorphic - E(CDS( a ; V(q) )) can be computed from E(q)

• Information-theoretic security for Vendor (hides a).

• Need to verify “validity” of pk; Easy for El-Gamal!

[Figure: Buyer holds (sk,pk) and sends E(q), pk; Vendor holds a and returns E(CDS( a ; V(q) ))]

14

Application: 1-Round OT* [AIR,NP]

[Figure: Buyer holds (sk,pk) and q, and sends E(q), pk; Vendor holds x1, x2, …, xn and returns E(CDS(x1 ; q =1)), … , E(CDS(xn ; q =n))]

* Weakened / incomparable notion of security vs. simulation:
  • Vendor’s security: purely information-theoretic
  • Buyer’s security: privacy only.
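The CDS construction of slide 13 and the 1-round OT of slide 14, as an added example that is not part of the talk. It assumes multiplicative El-Gamal over a toy safe-prime group, so the additive a+r(q-i) becomes a·(q/i)^r; the function names, the integer encoding and the re-randomization term s are choices of this sketch.

```python
import secrets

# Toy parameters (constructed, far too small for real use): safe prime P = 2Q + 1;
# G = quadratic residues mod P, so |G| = Q is prime and g = 4 generates G.
P, Q, g = 2039, 1019, 4

def encode(m):   # map 1..Q into G: P = 3 mod 4, so exactly one of m, P-m is a square
    return m if pow(m, Q, P) == 1 else P - m

def decode(y):   # inverse of encode
    return y if y <= Q else P - y

def in_group(y):  # membership in the order-Q subgroup
    return 0 < y < P and pow(y, Q, P) == 1

def keygen():
    sk = 1 + secrets.randbelow(Q - 1)
    return sk, pow(g, sk, P)

def encrypt(pk, m):  # El-Gamal: (g^k, m * pk^k)
    k = 1 + secrets.randbelow(Q - 1)
    return pow(g, k, P), m * pow(pk, k, P) % P

def decrypt(sk, ct):
    c1, c2 = ct
    return c2 * pow(c1, Q - sk, P) % P  # c1 has order Q, so c1^(Q-sk) = c1^(-sk)

def cds_equal(pk, ct_q, a, i):
    """E(CDS(a ; q=i)) computed from E(q) alone: encrypts a * (q/i)^r."""
    c1, c2 = ct_q
    if not all(in_group(v) for v in (pk, c1, c2)):  # the "validity" check on pk and E(q)
        raise ValueError("public key or ciphertext outside G")
    r = 1 + secrets.randbelow(Q)  # r in {1,...,|G|}
    s = secrets.randbelow(Q)      # fresh randomness so the reply does not leak g^r
    d1 = pow(c1, r, P) * pow(g, s, P) % P
    d2 = pow(c2 * pow(i, P - 2, P), r, P) * pow(pk, s, P) * a % P
    return d1, d2

def ot_query(j):  # Buyer: fresh key pair, q = encoding of the wanted index j
    sk, pk = keygen()
    return sk, pk, encrypt(pk, encode(j))

def ot_answer(pk, ct_q, items):  # Vendor: one CDS ciphertext per item x_i
    return [cds_equal(pk, ct_q, encode(x), encode(i))
            for i, x in enumerate(items, start=1)]

def ot_receive(sk, j, answers):  # Buyer: slot j decrypts to x_j, the others to random elements
    return decode(decrypt(sk, answers[j - 1]))
```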

15

Database Search

• OT/PIR/SPIR allow one to privately retrieve the i-th entry of a database. Efficiency depends linearly (at least) on the size of the database.

• Sometimes this is not enough. For example, consider a list of fraudulent card numbers. A merchant wants to check if a particular number is in the list.

• Use OT/PIR?
  – Table of 10^16 ≈ 2^53 entries, 1 if fraudulent, 0 otherwise?

• Works on supporting more general database search.

16

Keyword Search (KS): definition

• Input:
  – Server: database X={ (xi,pi ) } , 1 ≤ i ≤ N
    • xi is a keyword (e.g. number of a corrupt card)
    • pi is the payload (e.g. why card is corrupt)
  – Client: search word w (e.g. credit card number)

• Output:
  – Server: nothing
  – Client:
    • pi if ∃ i : xi = w
    • otherwise nothing

[Figure: Server: (x1,p1), (x2,p2), …, (xn,pn); Client: w; Client output: (xj ,pj ) iff w=xj]

17

Conclusions

• Our expectation of privacy in the “digital world” should not be bounded by our “physical world” experiences.

• The ability to duplicate, manipulate and communicate digital information is key.

• Very powerful cryptographic tool in the form of secure function evaluation.

• Research on efficient instantiations, possibly with some security relaxations.
