Secure Computation Martin Beck Institute of Systems Architecture, Chair of Privacy and Data Security Dresden, 05.02.2015

Status of security research - GeneCloud

TU Dresden, 27.02.2015 Slide 2

Index

Secure Computation

Homomorphic Encryption
• The Cloud problem (overview & example)
• System properties
• Available systems
• Further primitives

Multi-Party Computation
• Usage examples
• Properties

Related Topics
• Privacy-preserving publication of data
• More interesting things

TU Dresden, 27.02.2015 Slide 4

Homomorphic Encryption

TU Dresden, 27.02.2015 Slide 5

Cloud – Overview

Public Cloud

TU Dresden, 27.02.2015 Slide 6

Top Data Breaches

[Figure: chart of top data breaches, years 2011 to 2014]

TU Dresden, 27.02.2015 Slide 7

Cloud – Services

TU Dresden, 27.02.2015 Slide 8

Cloud – Interesting cases

Storage
• Use only storage capacity

Compute
• Use storage and compute capacity of provider

TU Dresden, 27.02.2015 Slide 9

Cloud – Storage

How to share? Cryptographic Access Control

How to search? Searchable Encryption

How much may provider learn?
• Metadata of files?
• Size/time/location of edits?
• Access patterns?

TU Dresden, 27.02.2015 Slide 10

Cloud – Compute

• Decrypt then process?
• Secure Computation!

TU Dresden, 27.02.2015 Slide 11

Homomorphic Encryption – Goals

Preserve Input Confidentiality
• User A doesn’t fully trust Cloud
• Still wants to use provided resources
• Cloud should not learn private inputs of A

However, having more than one party:
• It only guarantees that the actual input will not become known
• No guarantees about inference attacks

$$\frac{a + b}{2}$$

TU Dresden, 27.02.2015 Slide 13

Homomorphic Encryption

Let $E()$ be an encryption system
Let $\otimes$ denote an operation upon ciphertexts
Let $\times$ denote an operation upon plaintexts
$E()$ is called a homomorphic encryption system (HE) if

$$E(x) \otimes E(y) = E(x \times y)$$

At least one such homomorphism must exist for any HE.

TU Dresden, 27.02.2015 Slide 14

Homomorphic Encryption – Additive / Multiplicative

additive HE:
• Supports additions over plaintexts:

$$E(x) \oplus E(y) = E(x + y)$$

multiplicative HE:
• Supports multiplications over plaintexts:

$$E(x) \otimes E(y) = E(x * y)$$

TU Dresden, 27.02.2015 Slide 15

Homomorphic Encryption – Somewhat/Fully Homomorphic

somewhat HE:
• Supports both operations:

$$E(x) \oplus E(y) = E(x + y)$$
$$E(x) \otimes E(y) = E(x * y)$$

But only a limited number of multiplications
Similarly for a leveled HE system.

fully HE:
• Supports an unlimited number of both operations
• Can evaluate arbitrary boolean circuits

TU Dresden, 27.02.2015 Slide 17

Homomorphic Encryption – Available Systems

RSA:
• Everything $\bmod n$
• $m$ - plaintext, $e$ - public key, $c$ - ciphertext

$$c_1 = m_1^e, \quad c_2 = m_2^e$$

• Multiplicative HE: $k$ – plaintext constant

$$c_1 * c_2 = m_1^e * m_2^e = (m_1 * m_2)^e$$
$$c_1^k = (m_1^e)^k = m_1^{ek} = (m_1^k)^e$$

Limitations:
• Deterministic, cannot encrypt 0

ElGamal as indeterministic example
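The two RSA identities and the determinism limitation above, next to ElGamal as the randomized counterpart, as an added example that is not part of the original slides. The toy primes, the toy group and all function names are constructed here for illustration and are far too small for real use.

```python
import secrets

# Constructed toy parameters, far too small for real use.
P, Q, E = 1009, 1013, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))          # RSA private exponent

def rsa_enc(m):
    return pow(m, E, N)                     # c = m^e mod n, no randomness

def rsa_dec(c):
    return pow(c, D, N)

def rsa_dictionary_lookup(c, candidates):
    """Anyone with the public key can precompute E(m) for a small plaintext set."""
    return {rsa_enc(m): m for m in candidates}.get(c)

GP, GG = 2039, 4                            # toy group: safe prime 2*1019 + 1
X = secrets.randbelow(GP - 2) + 1           # ElGamal private key
H = pow(GG, X, GP)                          # ElGamal public key

def eg_enc(m):
    r = secrets.randbelow(GP - 2) + 1       # fresh r for every encryption
    return pow(GG, r, GP), m * pow(H, r, GP) % GP

def eg_dec(c):
    a, b = c
    return b * pow(a, -X, GP) % GP

def eg_mul(c1, c2):
    """Component-wise product of ciphertexts encrypts the product of plaintexts."""
    return c1[0] * c2[0] % GP, c1[1] * c2[1] % GP

def distinct_ciphertexts(enc, m, trials=50):
    """Number of different ciphertexts seen when encrypting the same m repeatedly."""
    return len({enc(m) for _ in range(trials)})

if __name__ == "__main__":
    c1, c2 = rsa_enc(6), rsa_enc(7)
    print(rsa_dec(c1 * c2 % N))                            # product of plaintexts
    print(rsa_dec(pow(rsa_enc(3), 5, N)))                  # plaintext to the power k
    print(rsa_dictionary_lookup(rsa_enc(17), range(100)))  # determinism leaks m
    print(eg_dec(eg_mul(eg_enc(6), eg_enc(7))))
    print(distinct_ciphertexts(rsa_enc, 42), distinct_ciphertexts(eg_enc, 42))
```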

TU Dresden, 27.02.2015 Slide 18

Homomorphic Encryption – Available Systems

Modular exponentiation: (basis for many additive schemes)
• Everything $\bmod n$
• $m$ - plaintext, $g$ - public key (group generator), $c$ - ciphertext

$$c_1 = g^{m_1}, \quad c_2 = g^{m_2}$$

• Additive HE: $k$ – plaintext constant

$$c_1 * c_2 = g^{m_1} * g^{m_2} = g^{m_1 + m_2}$$
$$c_1^k = (g^{m_1})^k = g^{m_1 k}$$

Limitations:
• Deterministic, no cryptosystem – not a trapdoor function

TU Dresden, 27.02.2015 Slide 19

Homomorphic Encryption – Semantic Security

Indeterministic Encryption

$$c = E(x, r), \quad c' = E(x, r')$$

• Indistinguishable ciphertexts
• Prevents:
  • Dictionary attacks (precomputed ciphertexts)
  • Bruteforcing of possible plaintexts

TU Dresden, 27.02.2015 Slide 20

Homomorphic Encryption – Available Systems Overview

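| Cryptographic Scheme | Expansion | Operation |
|---|---|---|
| RSA | 1 | · |
| Goldwasser-Micali | $\log_2 n$ | ⊕ |
| ElGamal | 2 | + or · |
| Okamoto-Uchiyama | 3 | + |
| Benaloh | $\frac{\log_2 n}{\log_2 r}$ | + |
| Naccache-Stern | $\frac{\log_2 n}{\log_2 r}$ | + |
| Joye-Libert | $\frac{\log_2 n}{\log_2 r}$ | + |
| Paillier | 2 | + |
| Damgard-Jurik | $\frac{\log_2 n^{s+1}}{\log_2 n^s}$ | + |
| BGN | $\frac{\log_2 n}{\log_2 r}$ | +, one · |
| BGV w/o batching | $6.8 \cdot 10^7$ | +, · |
| BGV with batching | $6.8 \cdot 10^4$ | +, · |
| Gentry-Halevi | $8 \cdot 10^5$ | +, · |
| LTV | $1.28 \cdot 10^5$ | +, · |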
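An added example (not from the slides) of the Paillier row: a randomized additive scheme in which multiplying ciphertexts adds plaintexts, raising a ciphertext to a constant multiplies the plaintext, and a ciphertext is twice as long as the modulus. The toy primes and all function names are assumptions made here.

```python
import secrets
from math import gcd

# Constructed toy primes; far too small for real use.
P, Q = 1009, 1013
N, N2 = P * Q, (P * Q) ** 2
G = N + 1                                       # common simple generator choice
LAM = (P - 1) * (Q - 1) // gcd(P - 1, Q - 1)    # lcm(p-1, q-1)

def L(u):
    return (u - 1) // N

MU = pow(L(pow(G, LAM, N2)), -1, N)

def encrypt(m):
    """c = g^m * r^n mod n^2 with fresh random r, so equal plaintexts differ."""
    r = secrets.randbelow(N - 1) + 1
    while gcd(r, N) != 1:
        r = secrets.randbelow(N - 1) + 1
    return pow(G, m, N2) * pow(r, N, N2) % N2

def decrypt(c):
    return L(pow(c, LAM, N2)) * MU % N

def add(c1, c2):
    """E(x) * E(y) mod n^2 = E(x + y)."""
    return c1 * c2 % N2

def mul_const(c, k):
    """E(x)^k mod n^2 = E(k * x) for a plaintext constant k."""
    return pow(c, k, N2)

def encrypted_sum(ciphertexts):
    """What an untrusted server can do: add values it cannot read."""
    total = encrypt(0)
    for c in ciphertexts:
        total = add(total, c)
    return total

def expansion():
    """Ciphertext bits per plaintext bit: values mod n^2 versus values mod n."""
    return N2.bit_length() / N.bit_length()

if __name__ == "__main__":
    a, b = 20, 22
    print(decrypt(encrypted_sum([encrypt(a), encrypt(b)])) / 2)   # (a + b) / 2
    print(decrypt(mul_const(encrypt(7), 6)), expansion())
```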

TU Dresden, 27.02.2015 Slide 22

Further Primitives

$(t, n)$ - Threshold Encryption, Signatures:
• Split private key in parts and distribute them to $n$ parties

Order-preserving encryption:
• If $m_1 < m_2$ then $E(m_1) < E(m_2)$, similar for $>$

Key-homomorphic pseudo-random number generators:
• $PRNG(s_0) \otimes PRNG(s_1) = PRNG(s_0 \times s_1)$

Homomorphic Hashes, Signatures
Identity-based encryption
Attribute-based encryption
Commutative encryption: $E_A(E_B(x)) = E_B(E_A(x))$

TU Dresden, 27.02.2015 Slide 23

Further Primitives

TU Dresden, 27.02.2015 Slide 25

Multi-Party

TU Dresden, 27.02.2015 Slide 26

Multi-Party – Example

Data-Mining over patient records from several clinics/hospitals

TU Dresden, 27.02.2015 Slide 27

Multi-Party – Usage

Network Security
• Identification and mitigation of wide-scale attacks (early detection and characterization)
• DOMINO (Yegneswaran et al. 2004), a distributed IDS, names lack of privacy as a major issue
• Efficient PPDM needed for traffic classification, signature extraction and propagation analysis

Profiling and Performance Analysis
• Collaboration of largest network providers would allow calculation of global internet statistics
• Traffic growth rate was overestimated in the nineties by a factor of 10

TU Dresden, 27.02.2015 Slide 28

Multi-Party – Usage

Logs of first 4 days used to learn mean μ and standard deviation σ
Anomalies were detected for the remaining 7 days

TU Dresden, 27.02.2015 Slide 30

Multi-Party – Goals

Preserve Input Confidentiality
• User A doesn’t fully trust User B
• Still wants to jointly compute a function over both inputs
• None of them should learn the input of the other party

However, having more than one party:
• No guarantees about inference attacks

$$\frac{a + b}{2}$$

TU Dresden, 27.02.2015 Slide 31

Multi-Party – System

Users want to jointly compute a function $f(x, y)$
• Represent as binary circuit
• Minimize number of gates

Guarantee that nothing else is learned about any other input than what can be derived from own input and result

TU Dresden, 27.02.2015 Slide 32

Multi-Party – System

TU Dresden, 27.02.2015 Slide 33

Multi-Party – Solution

Secret Sharing

Secure Computation

Result Delivery
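The three steps above for the simplest useful function, a sum, using additive secret sharing; this is an added sketch, not code from the slides, and the modulus, function names and sample counts are constructed. The last function shows the inference caveat from the goals slide: with two parties, the result and one's own input determine the other input.

```python
import secrets

MOD = 2**61 - 1   # public modulus, assumed larger than any possible sum

def share(value, n_parties):
    """Split value into n additive shares; any n-1 of them look uniformly random."""
    shares = [secrets.randbelow(MOD) for _ in range(n_parties - 1)]
    shares.append((value - sum(shares)) % MOD)
    return shares

def secure_sum(inputs):
    """Simulate all parties in one process; inputs[i] is the private input of party i."""
    n = len(inputs)
    # Step 1, secret sharing: party i sends its j-th share to party j.
    dealt = [share(x, n) for x in inputs]
    # Step 2, secure computation: party j adds up the shares it received.
    partial = [sum(dealt[i][j] for i in range(n)) % MOD for j in range(n)]
    # Step 3, result delivery: the partial sums are published and combined.
    return sum(partial) % MOD

def secure_mean(inputs):
    return secure_sum(inputs) / len(inputs)

def infer_other_input(result_sum, own_input):
    """Two-party case: no protocol can hide what output and own input imply."""
    return (result_sum - own_input) % MOD

if __name__ == "__main__":
    clinics = [120, 75, 310]                  # constructed per-clinic patient counts
    print(secure_sum(clinics), secure_mean(clinics))
    a, b = 120, 75
    print(infer_other_input(secure_sum([a, b]), a))   # party A learns b
```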

TU Dresden, 27.02.2015 Slide 35

Related Topics

TU Dresden, 27.02.2015 Slide 36

Related Issues – PPDM 1/2

Privacy-Preserving Data Mining
• Perform Data-Mining upon anonymized data
• Privacy-guarantees (Differential privacy)

[Figure: stages Collection, Anonymization, Publishing]

TU Dresden, 27.02.2015 Slide 37

Related Issues – PPDM 2/2

k-Anonymity (Sweeney and Samarati 1998)

|   | ZIP Code | Age | Disease |
|---|---|---|---|
| 1 | 47677 | 29 | Heart Disease |
| 2 | 47602 | 22 | Heart Disease |
| 3 | 47678 | 27 | Heart Disease |
| 4 | 47905 | 43 | Flu |
| 5 | 47909 | 52 | Heart Disease |
| 6 | 47906 | 47 | Cancer |
| 7 | 47605 | 30 | Heart Disease |
| 8 | 47673 | 36 | Cancer |
| 9 | 47607 | 32 | Cancer |

|   | ZIP Code | Age | Disease |
|---|---|---|---|
| 1 | 476** | 2* | Heart Disease |
| 2 | 476** | 2* | Heart Disease |
| 3 | 476** | 2* | Heart Disease |
| 4 | 4790* | ≥40 | Flu |
| 5 | 4790* | ≥40 | Heart Disease |
| 6 | 4790* | ≥40 | Cancer |
| 7 | 476** | 3* | Heart Disease |
| 8 | 476** | 3* | Cancer |
| 9 | 476** | 3* | Cancer |

k=3

TU Dresden, 27.02.2015 Slide 38

Related Issues – PPDM Privacy vs. Utility

Original table

| ID | ZIP Code | Age | Disease |
|---|---|---|---|
| 1 | 47602 | 22 | Heart Disease |
| 2 | 47678 | 27 | Flu |
| 3 | 47905 | 43 | Flu |
| 4 | 47906 | 47 | Cancer |
| 5 | 47705 | 30 | Heart Disease |
| 6 | 47707 | 32 | Cancer |

Good utility

| gID | ID | ZIP Code | Age | Disease |
|---|---|---|---|---|
| 1 | 1 | 476[02-78] | [22-27] | Heart Disease |
| 1 | 2 | 476[02-78] | [22-27] | Flu |
| 2 | 3 | 4790[5-6] | [43-47] | Flu |
| 2 | 4 | 4790[5-6] | [43-47] | Cancer |
| 3 | 5 | 4770[5-7] | [30-32] | Heart Disease |
| 3 | 6 | 4770[5-7] | [30-32] | Cancer |

Poor utility

| gID | ID | ZIP Code | Age | Disease |
|---|---|---|---|---|
| 1 | 1 | 47[602-906] | [22-47] | Heart Disease |
| 2 | 2 | 47[678-705] | [27-30] | Flu |
| 3 | 3 | 47[707-905] | [32-43] | Flu |
| 1 | 4 | 47[602-906] | [22-47] | Cancer |
| 2 | 5 | 47[678-705] | [27-30] | Heart Disease |
| 3 | 6 | 47[707-905] | [32-43] | Cancer |

• Choice of group elements influences utility
• Information loss due to no optimization
• Show case: Same level of anonymization but different accuracy
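The show case above recomputed from the six original records, as an added example that is not part of the slides: both groupings give the same k, but the narrow-range grouping loses far less information. The loss metric (mean normalized range width over ZIP code and age) and all names are assumptions chosen here for illustration.

```python
from collections import Counter

# Original table from the slide: (ID, ZIP code, age, disease).
ORIGINAL = [
    (1, 47602, 22, "Heart Disease"), (2, 47678, 27, "Flu"),
    (3, 47905, 43, "Flu"), (4, 47906, 47, "Cancer"),
    (5, 47705, 30, "Heart Disease"), (6, 47707, 32, "Cancer"),
]
GOOD = [[1, 2], [3, 4], [5, 6]]   # grouping behind the narrow-range table
POOR = [[1, 4], [2, 5], [3, 6]]   # grouping behind the wide-range table

def generalize(groups):
    """Replace ZIP and age of each record by the [min, max] range of its group."""
    by_id = {r[0]: r for r in ORIGINAL}
    out = []
    for gid, ids in enumerate(groups, start=1):
        rows = [by_id[i] for i in ids]
        zips = (min(r[1] for r in rows), max(r[1] for r in rows))
        ages = (min(r[2] for r in rows), max(r[2] for r in rows))
        out += [(gid, r[0], zips, ages, r[3]) for r in rows]
    return out

def k_of(table):
    """k = size of the smallest class of rows sharing the same quasi-identifiers."""
    return min(Counter((z, a) for _, _, z, a, _ in table).values())

def info_loss(table):
    """Assumed metric: 0 means exact values, 1 means the whole domain is published."""
    zspan = max(r[1] for r in ORIGINAL) - min(r[1] for r in ORIGINAL)
    aspan = max(r[2] for r in ORIGINAL) - min(r[2] for r in ORIGINAL)
    loss = [((z[1] - z[0]) / zspan + (a[1] - a[0]) / aspan) / 2
            for _, _, z, a, _ in table]
    return sum(loss) / len(loss)

if __name__ == "__main__":
    for name, groups in (("good", GOOD), ("poor", POOR)):
        table = generalize(groups)
        print(name, "k =", k_of(table), "loss =", round(info_loss(table), 3))
```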

TU Dresden, 27.02.2015 Slide 40

Related Issues – Attacks

Typical Attacks
• Collusion
  • 2 parties deliberately collaborate
• Inference
  • Try to learn secret from answers
• Not following the security model (HBC, Covert)
  • Using wrong input
  • Performing different operations
  • Stop after receiving own information (Fairness)

TU Dresden, 27.02.2015 Slide 41

What do we do with all of this?

• Construct privacy-preserving protocols
  • Comparisons of elements (strings, vectors, …)
  • Set operations
• Build a distributed DB with some of the schemes applied “secDB”
• Homomorphic MACs/signatures for secure network coding
• Inference control despite encrypted queries

TU Dresden, 27.02.2015 Slide 42

Thank you.

Discussion.

TU Dresden, 27.02.2015 Slide 43

Backup

TU Dresden, 27.02.2015 Slide 44

Outsourcing – Situation

Origin
• Local infrastructure/resources too weak
• Need for new/centralized functionality

Pros
• Cheap resources and efficient scaling
• Increased Availability
• Big Data analyses

Cons
• Confidentiality and integrity of information
• Where is my data?

TU Dresden, 27.02.2015 Slide 45

Two-Party

Private input from 2 parties

Trusted Third Party

TU Dresden, 27.02.2015 Slide 46

Multi-Party – Situation

Origin
• Perform a joint computation on several inputs
• Private input on many sides

TU Dresden, 27.02.2015 Slide 47

Two-Party – Situation

Origin
• Perform a joint comparison
• Private input on both sides

TU Dresden, 27.02.2015 Slide 48

Two-Party

Private input from 2 parties
How to operate without handing out data?

TU Dresden, 27.02.2015 Slide 49

Outsourcing – Example 2
