Secure Computation Martin Beck
Institute of Systems Architecture, Chair of Privacy and Data Security
Dresden, 05.02.2015
TU Dresden, 27.02.2015 Slide 2
Index
Secure Computation
Homomorphic Encryption
• The Cloud problem (overview & example)
• System properties
• Available systems
• Further primitives
Multi-Party Computation
• Usage examples
• Properties
Related Topics
• Privacy-preserving publication of data
• More interesting things
TU Dresden, 27.02.2015 Slide 6
Top Data Breaches
[Figure: chart of top data breaches, years 2011 to 2014]
TU Dresden, 27.02.2015 Slide 8
Cloud – Interesting cases
Storage
• Use only storage capacity
Compute
• Use storage and compute capacity of provider
TU Dresden, 27.02.2015 Slide 9
Cloud – Storage
How to share? Cryptographic Access Control
How to search? Searchable Encryption
How much may provider learn?
• Metadata of files?
• Size/time/location of edits?
• Access patterns?
TU Dresden, 27.02.2015 Slide 10
Cloud – Compute
• Decrypt then process?
• Secure Computation!
TU Dresden, 27.02.2015 Slide 11
Homomorphic Encryption – Goals
Preserve Input Confidentiality
• User A doesn’t fully trust Cloud
• Still wants to use provided resources
• Cloud should not learn private inputs of A
However, having more than one party:
• It only guarantees that the actual input will not get known
• No guarantees about inference attacks
$\frac{a + b}{2}$
TU Dresden, 27.02.2015 Slide 13
Homomorphic Encryption
Let $E()$ be an encryption system
Let $\otimes$ denote an operation upon ciphertexts
Let $\times$ denote an operation upon plaintexts
$E()$ is called a homomorphic encryption system (HE) if
$E(x) \otimes E(y) = E(x \times y)$
At least one such homomorphism must exist for any HE.
TU Dresden, 27.02.2015 Slide 14
Homomorphic Encryption – Additive / Multiplicative
additive HE:
• Supports additions over plaintexts:
$E(x) \oplus E(y) = E(x + y)$
multiplicative HE:
• Supports multiplications over plaintexts:
$E(x) \otimes E(y) = E(x * y)$
TU Dresden, 27.02.2015 Slide 15
Homomorphic Encryption – Somewhat/Fully Homomorphic
somewhat HE:
• Supports both operations:
$E(x) \oplus E(y) = E(x + y)$
$E(x) \otimes E(y) = E(x * y)$
But only a limited number of multiplications
Similarly for a leveled HE system.
fully HE:
• Supports an unlimited number of both operations
• Can evaluate arbitrary boolean circuits
TU Dresden, 27.02.2015 Slide 17
Homomorphic Encryption – Available Systems
RSA:
• Everything mod $n$
• $m$ - plaintext, $e$ - public key, $c$ - ciphertext
$c_1 = m_1^e$, $c_2 = m_2^e$
• Multiplicative HE: $k$ – plaintext constant
$c_1 * c_2 = m_1^e * m_2^e = (m_1 * m_2)^e$
$c_1^k = (m_1^e)^k = m_1^{ek} = (m_1^k)^e$
Limitations:
• Deterministic, cannot encrypt 0
ElGamal as indeterministic example
TU Dresden, 27.02.2015 Slide 18
Homomorphic Encryption – Available Systems
Modular exponentiation: (basis for many additive schemes)
• Everything mod $n$
• $m$ - plaintext, $g$ - public key (group generator), $c$ - ciphertext
$c_1 = g^{m_1}$, $c_2 = g^{m_2}$
• Additive HE: $k$ – plaintext constant
$c_1 * c_2 = g^{m_1} * g^{m_2} = g^{m_1 + m_2}$
$c_1^k = (g^{m_1})^k = g^{m_1 k}$
Limitations:
• Deterministic, no cryptosystem – not a trapdoor function
TU Dresden, 27.02.2015 Slide 19
Homomorphic Encryption – Semantic Security
Indeterministic Encryption
$c = E(x, r)$, $c' = E(x, r')$
• Indistinguishable ciphertexts
• Prevents:
  • Dictionary attacks (precomputed ciphertexts)
  • Bruteforcing of possible plaintexts
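The RSA and semantic-security slides above, worked through in code as an added example that is not part of the original slides: textbook RSA is multiplicatively homomorphic but deterministic, so anyone with the public key can match a ciphertext against re-encrypted guesses, while ElGamal keeps the homomorphism and randomizes every ciphertext. All parameters and function names are constructed for illustration and are far too small for real use.

```python
import secrets

# Constructed toy RSA parameters (assumption, illustration only).
P, Q, E = 1009, 1013, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))        # private exponent

def rsa_enc(m):
    return pow(m, E, N)                   # deterministic: c = m^e mod n

def rsa_dec(c):
    return pow(c, D, N)

# ElGamal over Z_p*; prime and base are assumed values for the demo.
EG_P = 2**127 - 1
EG_G = 3
EG_X = secrets.randbelow(EG_P - 2) + 1    # private key
EG_H = pow(EG_G, EG_X, EG_P)              # public key

def eg_enc(m):
    r = secrets.randbelow(EG_P - 2) + 1   # fresh randomness r per ciphertext
    return (pow(EG_G, r, EG_P), m * pow(EG_H, r, EG_P) % EG_P)

def eg_dec(c):
    c1, c2 = c
    return c2 * pow(pow(c1, EG_X, EG_P), -1, EG_P) % EG_P

def eg_mul(a, b):
    # Component-wise product of ciphertexts encrypts the plaintext product.
    return (a[0] * b[0] % EG_P, a[1] * b[1] % EG_P)

def dictionary_guess(ciphertext, candidates, enc):
    # Re-encrypt each candidate under the public key and compare.
    for m in candidates:
        if enc(m) == ciphertext:
            return m
    return None

if __name__ == "__main__":
    c1, c2 = rsa_enc(12), rsa_enc(34)
    print(rsa_dec(c1 * c2 % N))                        # E(x)*E(y) = E(x*y)
    print(rsa_dec(pow(c1, 3, N)))                      # c^k = E(m^k)
    print(dictionary_guess(c1, range(100), rsa_enc))   # plaintext recovered
    print(eg_dec(eg_mul(eg_enc(12), eg_enc(34))))
    print(dictionary_guess(eg_enc(12), range(1, 100), eg_enc))  # no match
```
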
TU Dresden, 27.02.2015 Slide 20
Homomorphic Encryption – Available Systems Overview
Cryptographic Scheme    Expansion                               Operation
RSA                     1                                       ·
Goldwasser-Micali       $\log_2 n$                              ⊕
ElGamal                 2                                       + or ·
Okamoto-Uchiyama        3                                       +
Benaloh                 $\frac{\log_2 n}{\log_2 r}$             +
Naccache-Stern          $\frac{\log_2 n}{\log_2 r}$             +
Joye-Libert             $\frac{\log_2 n}{\log_2 r}$             +
Paillier                2                                       +
Damgard-Jurik           $\frac{\log_2 n^{s+1}}{\log_2 n^s}$     +
BGN                     $\frac{\log_2 n}{\log_2 r}$             +, one ·
BGV w/o batching        $6.8 \cdot 10^7$                        +, ·
BGV with batching       $6.8 \cdot 10^4$                        +, ·
Gentry-Halevi           $8 \cdot 10^5$                          +, ·
LTV                     $1.28 \cdot 10^5$                       +, ·
TU Dresden, 27.02.2015 Slide 22
Further Primitives
$(t, n)$ - Threshold Encryption, Signatures:
• Split private key in parts and distribute them to $n$ parties
Order-preserving encryption:
• If $m_1 < m_2$ then $E(m_1) < E(m_2)$, similar for $>$
Key-homomorphic pseudo-random number generators:
• $PRNG(s_0) \otimes PRNG(s_1) = PRNG(s_0 \times s_1)$
Homomorphic Hashes, Signatures
Identity-based encryption
Attribute-based encryption
Commutative encryption
$E_A(E_B(x)) = E_B(E_A(x))$
TU Dresden, 27.02.2015 Slide 26
Multi-Party – Example
Data-Mining over patient records from several clinics/hospitals
TU Dresden, 27.02.2015 Slide 27
Multi-Party – Usage
Network Security
• Identification and mitigation of wide-scale attacks (early detection and characterization)
• DOMINO (Yegneswaran et al. 2004), a distributed IDS, names lack of privacy as a major issue
• Efficient PPDM needed for traffic classification, signature extraction and propagation analysis
Profiling and Performance Analysis
• Collaboration of largest network providers would allow calculation of global internet statistics
• Traffic growth rate was overestimated in the nineties by a factor of 10
TU Dresden, 27.02.2015 Slide 28
Multi-Party – Usage
Logs of first 4 days used to learn mean μ and standard deviation σ
Anomalies were detected for the remaining 7 days
TU Dresden, 27.02.2015 Slide 30
Multi-Party – Goals
Preserve Input Confidentiality
• User A doesn’t fully trust User B
• Still wants to jointly compute a function over both inputs
• None of them should learn the input of the other party
However, having more than one party:
• No guarantees about inference attacks
$\frac{a + b}{2}$
TU Dresden, 27.02.2015 Slide 31
Multi-Party – System
Users want to jointly compute a function $f(x, y)$
• Represent as binary circuit
• Minimize number of gates
Guarantee that nothing is learned about any other input beyond what can be derived from one's own input and the result
TU Dresden, 27.02.2015 Slide 33
Multi-Party – Solution
Secret Sharing
Secure Computation
Result Delivery
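The three stages named on this slide, as an added example that is not part of the original slides. It assumes additive secret sharing modulo a fixed prime and honest-but-curious parties (the slide does not name a scheme), computes a sum over constructed inputs, and then shows the inference limit from the Goals slide: for $\frac{a + b}{2}$ with two parties, the result and one's own input determine the other input.

```python
import secrets

MOD = 2**61 - 1  # assumed share modulus; must exceed the largest possible sum

def share(secret, n):
    """Split secret into n additive shares; any n-1 of them are uniformly random."""
    parts = [secrets.randbelow(MOD) for _ in range(n - 1)]
    parts.append((secret - sum(parts)) % MOD)
    return parts

def secure_sum(inputs):
    n = len(inputs)
    # 1. Secret sharing: party i deals share j of its input to party j.
    dealt = [share(x, n) for x in inputs]
    # 2. Secure computation: party j adds the shares it received, locally.
    partial = [sum(dealt[i][j] for i in range(n)) % MOD for j in range(n)]
    # 3. Result delivery: the partial sums are published and combined.
    return sum(partial) % MOD, dealt, partial

def infer_other_input(own, mean):
    """Two-party (a + b) / 2: the output itself reveals the other input."""
    return 2 * mean - own

if __name__ == "__main__":
    # Constructed inputs: one private count per clinic.
    total, dealt, partial = secure_sum([120, 75, 310])
    print("shares dealt by clinic 0:", dealt[0])   # random-looking values
    print("joint sum:", total)
    two_party_total, _, _ = secure_sum([40, 70])
    print("B's input inferred by A:", infer_other_input(40, two_party_total / 2))
```
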
TU Dresden, 27.02.2015 Slide 36
Related Issues – PPDM 1/2
Privacy-Preserving Data Mining
• Perform Data-Mining upon anonymized data
• Privacy-guarantees (Differential privacy)
[Figure labels: Anonymization, Collection, Publishing]
TU Dresden, 27.02.2015 Slide 37
Related Issues – PPDM 2/2
k-Anonymity (Sweeney and Samarati 1998)
ZIP Code Age Disease
1 47677 29 Heart Disease
2 47602 22 Heart Disease
3 47678 27 Heart Disease
4 47905 43 Flu
5 47909 52 Heart Disease
6 47906 47 Cancer
7 47605 30 Heart Disease
8 47673 36 Cancer
9 47607 32 Cancer
ZIP Code Age Disease
1 476** 2* Heart Disease
2 476** 2* Heart Disease
3 476** 2* Heart Disease
4 4790* ≥40 Flu
5 4790* ≥40 Heart Disease
6 4790* ≥40 Cancer
7 476** 3* Heart Disease
8 476** 3* Cancer
9 476** 3* Cancer
k=3
TU Dresden, 27.02.2015 Slide 38
Related Issues – PPDM Privacy vs. Utility
ID ZIP Code Age Disease
1 47602 22 Heart Disease
2 47678 27 Flu
3 47905 43 Flu
4 47906 47 Cancer
5 47705 30 Heart Disease
6 47707 32 Cancer
gID ID ZIP Code Age Disease
1 1 476[02-78] [22-27] Heart Disease
1 2 476[02-78] [22-27] Flu
2 3 4790[5-6] [43-47] Flu
2 4 4790[5-6] [43-47] Cancer
3 5 4770[5-7] [30-32] Heart Disease
3 6 4770[5-7] [30-32] Cancer
gID ID ZIP Code Age Disease
1 1 47[602-906] [22-47] Heart Disease
2 2 47[678-705] [27-30] Flu
3 3 47[707-905] [32-43] Flu
1 4 47[602-906] [22-47] Cancer
2 5 47[678-705] [27-30] Heart Disease
3 6 47[707-905] [32-43] Cancer
Original table
Poor utility Good utility
• Choice of group elements influences utility
• Information loss due to no optimization
• Show case: Same level of anonymization but different accuracy
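The slide's point in code, as an added example that is not part of the original slides: both groupings of the six-row table reach the same k, but the published ranges differ widely in width. The range-based loss measure and all names are assumptions made for this illustration; the rows and group assignments are taken from the tables above.

```python
from collections import Counter

# Original table from the "Privacy vs. Utility" slide: ID -> (ZIP code, age).
ROWS = {1: (47602, 22), 2: (47678, 27), 3: (47905, 43),
        4: (47906, 47), 5: (47705, 30), 6: (47707, 32)}

# The slide's two groupings, gID -> member IDs (dictionary names are assumed).
GROUP_SIMILAR = {1: [1, 2], 2: [3, 4], 3: [5, 6]}
GROUP_MIXED = {1: [1, 4], 2: [2, 5], 3: [3, 6]}

def generalize(groups):
    """Publish each quasi-identifier as the (min, max) range of its group."""
    table = {}
    for ids in groups.values():
        zips = [ROWS[i][0] for i in ids]
        ages = [ROWS[i][1] for i in ids]
        for i in ids:
            table[i] = ((min(zips), max(zips)), (min(ages), max(ages)))
    return table

def k_of(table):
    """k is the size of the smallest set of rows sharing one quasi-identifier tuple."""
    return min(Counter(table.values()).values())

def range_loss(table):
    """Assumed utility measure: mean published range width per attribute,
    scaled by that attribute's spread in ROWS (0 = exact, 1 = nothing left)."""
    loss = 0.0
    for col in (0, 1):
        values = [row[col] for row in ROWS.values()]
        spread = max(values) - min(values)
        widths = [hi - lo for lo, hi in (qi[col] for qi in table.values())]
        loss += sum(widths) / len(widths) / spread
    return loss / 2

if __name__ == "__main__":
    for name, groups in (("similar", GROUP_SIMILAR), ("mixed", GROUP_MIXED)):
        t = generalize(groups)
        print(name, "k =", k_of(t), "loss = %.2f" % range_loss(t))
```
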
TU Dresden, 27.02.2015 Slide 40
Related Issues – Attacks
Typical Attacks
• Collusion
  • 2 parties deliberately collaborate
• Inference
  • Try to learn secret from answers
• Not following the security model (HBC, Covert)
  • Using wrong input
  • Performing different operations
  • Stop after receiving own information (Fairness)
TU Dresden, 27.02.2015 Slide 41
What do we do with all of this?
• Construct privacy-preserving protocols
  • Comparisons of elements (strings, vectors, …)
  • Set operations
• Build a distributed DB with some of the schemes applied “secDB”
• Homomorphic MACs/signatures for secure network coding
• Inference control despite encrypted queries
TU Dresden, 27.02.2015 Slide 44
Outsourcing – Situation
Origin
• Local infrastructure/resources too weak
• Need for new/centralized functionality
Pros
• Cheap resources and efficient scaling
• Increased Availability
• Big Data analyses
Cons
• Confidentiality and integrity of information
• Where is my data?
TU Dresden, 27.02.2015 Slide 45
Two-Party
Private input from 2 parties
Trusted Third Party
TU Dresden, 27.02.2015 Slide 46
Multi-Party – Situation
Origin
• Perform a joint computation on several inputs
• Private input on many sides
TU Dresden, 27.02.2015 Slide 47
Two-Party – Situation
Origin
• Perform a joint comparison
• Private input on both sides
TU Dresden, 27.02.2015 Slide 48
Two-Party
Private input from 2 parties
How to operate without handing out data?