Benny Pinkas, Bar-Ilan University: Can elections, auctions, statistical analysis of distributed parties' data really be carried out using secure computation? - PowerPoint PPT Presentation

Shai Halevi, IBM T.J. Watson; Yehuda Lindell, Bar-Ilan University; Benny Pinkas, Bar-Ilan University


  1. Shai Halevi, IBM T.J. Watson; Yehuda Lindell, Bar-Ilan University; Benny Pinkas, Bar-Ilan University

  2.   Can elections, auctions, statistical analysis of distributed parties' data really be carried out using secure computation?
       Does our model of secure computation really model the needs of these applications?
      ◦ And I'm not talking about efficiency concerns…

  3.   In all known protocols, all parties must interact simultaneously
       Arguably, this is a huge obstacle to adoption
      ◦ A department wants to carry out a faculty tenure vote using a secure protocol
         When do they run the protocol?
      ◦ A website wishes to securely aggregate statistics about users
         Each user gives her information only when connected

  4.   The secure computation model: (diagram)

  5.   The real-world web model: (diagram)

  6.   Can secure computation be made non-simultaneous?
      ◦ A natural theoretical question
         Deepens our understanding of the required communication model for secure computation
      ◦ Important ramifications to practice
         Especially if this can be done efficiently
         Note: fully homomorphic encryption does not solve the problem

  7.   Parties
      ◦ One server $S$
      ◦ $n$ parties $P_1, \dots, P_n$
       Communication model
      ◦ Each party interacts with the server exactly once
         In all of our protocols, this interaction is a single message from the server to the party and back, but this is not essential to the model
      ◦ At the end, the server obtains the output
       A protocol for this setting is called one pass

  8.   Since the protocol is one-pass, the computation carried out by $P_{i+1}, \dots, P_n$ and $S$ is of the residual function $g_i(x_{i+1}, \dots, x_n) = f(x_1, \dots, x_i, x_{i+1}, \dots, x_n)$
       If $P_{i+1}, \dots, P_n$ and $S$ are all corrupted and colluding, they can compute $g_i(x_{i+1}, \dots, x_n)$ and $g_i(x'_{i+1}, \dots, x'_n)$ and so on, on many inputs
      ◦ This is not allowed in classic secure computation but is inherent to the one-pass model

  9.   A decomposition of a function $f(x_1, \dots, x_n)$ is a series of $n$ two-input functions $f_1, \dots, f_n$ (where $f_1$ takes only $x_1$) such that $f_n(\cdots f_2(f_1(x_1), x_2) \cdots, x_n) = f(x_1, \dots, x_n)$
      ◦ In the one-pass setting $P_i$ (and $S$) compute $f_i$ and pass on the result
      ◦ If $P_{i+1}, \dots, P_n$ and $S$ are all corrupted and colluding, then they learn the value $f_i(\cdots f_2(f_1(x_1), x_2) \cdots, x_i)$

  10.   How much does $f_i(\cdots f_2(f_1(x_1), x_2) \cdots, x_i)$ reveal?
        If it reveals nothing more than what can be computed by the residual function $g_i(x_{i+1}, \dots, x_n) = f(x_1, \dots, x_i, x_{i+1}, \dots, x_n)$ then it is minimal disclosure

  11.   Define $f_1(x_1) = x_1$, $f_2(y_1, x_2) = (y_1, x_2) = (x_1, x_2)$, and so on (all are identity functions), and $f_n = f$
       ◦ If $P_n$ and $S$ are corrupted, all is revealed
        Consider the SUM function and define $f_i(y_{i-1}, x_i) = y_{i-1} + x_i$
       ◦ Given $y_i$ one can learn nothing more than the sum of the first $i$ inputs
       ◦ But this is computable from the residual function
       ◦ This is minimal disclosure

  12.   We follow the real/ideal simulation paradigm
        Security is formalized as in the standard setting with one exception
       ◦ If the server is corrupted, then the adversary is given $f_i(x_1, \dots, x_i)$ where $P_i$ is the last honest party
        A protocol one-pass securely computes a decomposition if there exists an ideal simulator such that real and ideal are indistinguishable
       ◦ The protocol is optimally private if the decomposition is minimum disclosure

  13.   Can this notion be achieved?
        If yes,
       ◦ Under what assumptions?
       ◦ At what cost?

  14.   Binary symmetric functions
       ◦ Depend only on the Hamming weight of the input
       ◦ E.g., AND, OR, PARITY, MAJORITY
        Concise truth table representation
       ◦ In general, the table contains the function output for each relevant Hamming weight
       ◦ Example: the MAJORITY function over 5 bits
         Hamming Weight | Output
         0 | 0
         1 | 0
         2 | 0
         3 | 1
         4 | 1
         5 | 1

  15.   Define $y_1 = f_1(x_1)$ to be the truth table, with the first row erased if $x_1 = 1$ and the last row erased if $x_1 = 0$
         Hamming Weight | Output
         0 | 0   (erased if $x_1 = 1$)
         1 | 0
         2 | 0
         3 | 1
         4 | 1
         5 | 1   (erased if $x_1 = 0$)

  16.   Define $f_2(y_1, x_2)$ to be the truncated truth table, with the last remaining row erased if $x_2 = 0$ and the first remaining row erased if $x_2 = 1$
         Hamming Weight | Output
         0 | 0   (erased: $x_2 = 1$)
         1 | 0
         2 | 0
         3 | 1
         4 | 1
         5 | 1   (already erased: $x_1 = 0$)

  17.   And so on…
       ◦ Note, each truth table can be efficiently computed from the previous one
         Hamming Weight | Output
         0 | 0   (erased: $x_2 = 1$)
         1 | 0   (erased: $x_3 = 1$)
         2 | 0   (remaining row)
         3 | 1   (erased: $x_5 = 0$)
         4 | 1   (erased: $x_4 = 0$)
         5 | 1   (erased: $x_1 = 0$)
       ◦ Indeed, the output of $\mathrm{MAJ}(01100) = 0$

  18.   Why is this minimum disclosure?
       ◦ The truth table reveals nothing more than the output of the function on the remaining inputs: after $P_1, \dots, P_i$ have erased their rows, the rows that remain are exactly the outputs for Hamming weights $w_i, \dots, w_i + (n - i)$, where $w_i$ is the weight of $x_1, \dots, x_i$, and these are precisely the values of the residual function $g_i$ on every possible completion $x_{i+1}, \dots, x_n$
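The truth-table decomposition of slides 14 to 18, written out as an added example (not code from the talk or its authors) so that the minimal-disclosure claim can be checked mechanically: after every party's erasure, the remaining rows are compared with the truth table of the residual function on the bits fixed so far. A symmetric function is given by its value on the Hamming weight; `majority5`, `parity` and a 4-input AND are constructed here as sample inputs, and because the function depends only on the weight, the parties may be processed in any arrival order, not just $P_1, \dots, P_n$.

```python
"""Truth-table decomposition of a binary symmetric function (added example).

A symmetric function is given as f_weight(w): its output when the input has
Hamming weight w.  Each party P_i replaces the table by the rows that are
still possible given x_i, which is exactly the f_i of the slides.
"""


def concise_table(f_weight, n):
    """Row w holds the function output for Hamming weight w (n + 1 rows)."""
    return [(w, f_weight(w)) for w in range(n + 1)]


def erase(table, bit):
    """f_i: a 1 rules out the lowest remaining weight, a 0 the highest."""
    return table[1:] if bit else table[:-1]


def residual_table(f_weight, n, fixed_bits):
    """What colluding P_{i+1}, ..., P_n and S can compute anyway: f on every
    completion of the fixed bits, i.e. on weights w_i, ..., w_i + (n - i)."""
    w_i = sum(fixed_bits)
    return [(w_i + j, f_weight(w_i + j)) for j in range(n - len(fixed_bits) + 1)]


def decompose(f_weight, bits, order=None):
    """Run f_n(...f_2(f_1(x_1), x_2)..., x_n) with parties arriving in `order`
    and check minimal disclosure after every step.  Returns f(x_1, ..., x_n)."""
    n = len(bits)
    order = list(range(n)) if order is None else order
    table = concise_table(f_weight, n)
    seen = []
    for i in order:
        table = erase(table, bits[i])
        seen.append(bits[i])
        # Minimal disclosure: the intermediate value f_i(...) is precisely the
        # residual function's truth table and nothing more.
        assert table == residual_table(f_weight, n, seen)
    ((_, out),) = table  # exactly one row survives after n erasures
    return out


def majority5(w):
    """MAJORITY over 5 bits, given on the Hamming weight (sample function)."""
    return int(w >= 3)


def parity(w):
    """PARITY, given on the Hamming weight (sample function)."""
    return w % 2
```

`decompose(majority5, [0, 1, 1, 0, 0])` reproduces the $\mathrm{MAJ}(01100)$ walk-through of slides 15 to 17; passing `order=[4, 2, 0, 3, 1]` shows that the same table is reached when the parties connect in a different order.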

  19.   Main tool – layer rerandomizable encryption
       ◦ Denote $E_{pk}(x; r)$ and $E_{pk_1, \dots, pk_{n+1}}(x; r_1, \dots, r_{n+1}) = E_{pk_1}(\cdots E_{pk_{n+1}}(x; r_{n+1}) \cdots; r_1)$
       ◦ This is layer rerandomizable if there exists an efficient procedure that rerandomizes all layers (given the public keys)
       ◦ This can be constructed from any rerandomizable encryption, and highly efficiently from ElGamal
        Note: all protocols assume a PKI (essential here)

  20.   Server $S$ encrypts the truth table under all parties' keys and its own key
       ◦ Using rerandomizable layer encryption
        For $i = 1, \dots, n$ (but in any order)
       ◦ Party $P_i$ retrieves the current truth table from the server
       ◦ $P_i$ removes the first or last remaining row, decrypts under its key, rerandomizes every entry of the truth table, and sends it to $S$
        After all parties conclude, all that remains is a single row, which is the output

  21.   Majority function with 5 parties
         Hamming Weight | Output
         0 | 0
         1 | 0
         2 | 0
         3 | 1
         4 | 1
         5 | 1

  22.   The server $S$ computes the encrypted concise truth table ($pk_6$ is the server's public key)
         $E_{pk_1, \dots, pk_6}(0; r_1, \dots, r_6)$
         $E_{pk_1, \dots, pk_6}(0; r_1, \dots, r_6)$
         $E_{pk_1, \dots, pk_6}(0; r_1, \dots, r_6)$
         $E_{pk_1, \dots, pk_6}(1; r_1, \dots, r_6)$
         $E_{pk_1, \dots, pk_6}(1; r_1, \dots, r_6)$
         $E_{pk_1, \dots, pk_6}(1; r_1, \dots, r_6)$

  23.   $P_1$ with input $x_1 = 0$ erases the last row
         $E_{pk_1, \dots, pk_6}(0; r_1, \dots, r_6)$
         $E_{pk_1, \dots, pk_6}(0; r_1, \dots, r_6)$
         $E_{pk_1, \dots, pk_6}(0; r_1, \dots, r_6)$
         $E_{pk_1, \dots, pk_6}(1; r_1, \dots, r_6)$
         $E_{pk_1, \dots, pk_6}(1; r_1, \dots, r_6)$
         $E_{pk_1, \dots, pk_6}(1; r_1, \dots, r_6)$   (erased)

  24.   $P_1$ with input $x_1 = 0$ erases the last row, removes its key and rerandomizes the remaining rows (with fresh randomness)
         $E_{pk_2, \dots, pk_6}(0; r_2, \dots, r_6)$
         $E_{pk_2, \dots, pk_6}(0; r_2, \dots, r_6)$
         $E_{pk_2, \dots, pk_6}(0; r_2, \dots, r_6)$
         $E_{pk_2, \dots, pk_6}(1; r_2, \dots, r_6)$
         $E_{pk_2, \dots, pk_6}(1; r_2, \dots, r_6)$
         $E_{pk_1, \dots, pk_6}(1; r_1, \dots, r_6)$   (erased)
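The five-party MAJORITY run of slides 20 to 24, carried through to the server's output, as an added example (not code from the talk or its authors). The slides only say that the layered encryption can be built "highly efficiently from ElGamal"; the realisation assumed here is the product-key form $E_{pk_1, \dots, pk_k}(m; r) = (g^r, m \cdot (pk_1 \cdots pk_k)^r)$, where party $i$ strips its layer by dividing the second component by $c_1^{sk_i}$ and anyone holding the remaining public keys can rerandomize. The group is a demo-sized safe-prime group generated at start-up and the randomness comes from a seeded `random` (not a CSPRNG); both are for reproducibility only and unsuitable for real use. The caller plays the PKI and tells each party which keys are still present; parties are processed in an arbitrary arrival order, as on slide 20.

```python
"""One-pass evaluation of a binary symmetric function with product-key ElGamal
as the layer-rerandomizable encryption (added example, not the talk's code).

Assumed realisation: E_{pk_1,...,pk_k}(m; r) = (g^r, m * (pk_1 * ... * pk_k)^r).
Party i strips its layer with c2 / c1^{sk_i}; anyone holding the remaining
public keys can rerandomize.  Demo-sized group and seeded `random`: not secure.
"""
import random


def _probable_prime(n, rng, rounds=32):
    """Miller-Rabin with a small-prime pre-filter (n is assumed > 37)."""
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def make_group(bits=64, seed=1):
    """Safe prime p = 2q + 1; g = 4 is a quadratic residue, hence of order q.
    64 bits keeps the self-test fast; real use needs >= 2048 bits or an EC group."""
    rng = random.Random(seed)
    while True:
        q = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        if _probable_prime(q, rng) and _probable_prime(2 * q + 1, rng):
            return {"p": 2 * q + 1, "q": q, "g": 4}


def keygen(G, rng):
    sk = rng.randrange(1, G["q"])
    return pow(G["g"], sk, G["p"]), sk


def _product_key(G, pks):
    h = 1
    for pk in pks:
        h = h * pk % G["p"]
    return h


def layered_encrypt(G, pks, m, rng):
    """E_{pk_1..pk_k}(m; r) = (g^r, m * (pk_1 * ... * pk_k)^r)."""
    r = rng.randrange(1, G["q"])
    return pow(G["g"], r, G["p"]), m * pow(_product_key(G, pks), r, G["p"]) % G["p"]


def remove_layer(G, c, sk):
    """Strip one layer: c2 / c1^sk leaves m encrypted under the remaining keys."""
    c1, c2 = c
    return c1, c2 * pow(c1, -sk, G["p"]) % G["p"]


def rerandomize(G, c, remaining_pks, rng):
    """Fresh randomness on every layer still present, using public keys only."""
    c1, c2 = c
    r = rng.randrange(1, G["q"])
    return (c1 * pow(G["g"], r, G["p"]) % G["p"],
            c2 * pow(_product_key(G, remaining_pks), r, G["p"]) % G["p"])


def encode_bit(G, b):
    """Plaintexts must be group elements: 0 -> g, 1 -> g^2."""
    return pow(G["g"], b + 1, G["p"])


def decode_bit(G, m):
    return {encode_bit(G, 0): 0, encode_bit(G, 1): 1}[m]


def server_publish_table(G, f_weight, n, all_pks, rng):
    """S: concise truth table (row w = output on Hamming weight w), every row
    encrypted under the n party keys and the server's own key."""
    return [layered_encrypt(G, all_pks, encode_bit(G, f_weight(w)), rng) for w in range(n + 1)]


def party_step(G, table, bit, sk, remaining_pks, rng):
    """P_i's single message back to S: erase the impossible row (a 1 rules out
    the lowest weight, a 0 the highest), strip own layer, rerandomize every row."""
    kept = table[1:] if bit else table[:-1]
    return [rerandomize(G, remove_layer(G, c, sk), remaining_pks, rng) for c in kept]


def run_one_pass(G, f_weight, inputs, arrival_order, seed=7):
    """Simulate the whole protocol; parties connect in arrival_order (any order)."""
    rng = random.Random(seed)
    n = len(inputs)
    keys = [keygen(G, rng) for _ in range(n + 1)]  # PKI; index n is the server S
    pks = [pk for pk, _ in keys]
    table = server_publish_table(G, f_weight, n, pks, rng)
    remaining = set(range(n + 1))                   # keys whose layer is still on
    for i in arrival_order:
        remaining.remove(i)
        table = party_step(G, table, inputs[i], keys[i][1],
                           [pks[j] for j in sorted(remaining)], rng)
    (c,) = table                                     # one row is left: the output
    return decode_bit(G, remove_layer(G, c, keys[n][1])[1])


def majority5(w):
    """MAJORITY over 5 bits on the Hamming weight (sample function)."""
    return int(w >= 3)
```

`run_one_pass(make_group(), majority5, [0, 1, 1, 0, 0], [2, 0, 4, 1, 3])` evaluates $\mathrm{MAJ}(01100)$ with the parties arriving out of order; only the server's layer is left on the surviving row, so only $S$ learns the output, and every intermediate table a corrupted later party sees is a rerandomized encryption of exactly the rows the residual function would give it anyway.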
