Collabora've,PrivacyPreserving DataAggrega'onatScale - PowerPoint PPT Presentation

Collabora've,
Privacy‐Preserving
 Data
Aggrega'on
at
Scale
 Michael
J.
Freedman
 Princeton
University
 Joint
work
with:


Benny
Applebaum,
Haakon
Ringberg,

 MaHhew
Caesar,

and
Jennifer
Rexford


Problem:
 Network
Anomaly
Detec'on


Collabora've
anomaly
detec'on
 • Some
aHacks
look
like
normal
traffic
 – e.g. ,
SQL‐injec'on,
applica'on‐level
DoS
 
 
 [Srivatsa
TWEB
‘08] 
 • Is
it
a
DDoS
aHack
or
a
flash
crowd?
 
[Jung
WWW
‘02]
 I’m
not
sure

 I’m
not
sure

 about
Beasty!
 about
Beasty!
 I’m
not
sure

 Google
 about
Beasty!
 Yahoo!
 

Bing


Collabora've
anomaly
detec'on
 • Targets
(vic'ms)
could
correlate
aHacks/aHackers
 
[Kad
IMC
’05],
[Allman
Hotnets
‘06],
[Kannan
SRUTI
‘06],
[Moore
INFOC
‘03] 
 “ Fool
us
once,
shame
 on
you.
Fool
us
N
 2mes,
shame
on
us. ” 
 Google
 Yahoo!
 

Bing


Problem:
 Network
Anomaly
Detec'on
 Solu'on: 
 • 

Aggregate
suspect
IPs
from
many
ISPs
 • 

Flag
those
IPs
that
appear
>
threshold
τ


Problem:
 Distributed
Ranking
 Solu'on:
 • 

Collect
domain
sta's'cs
from
many
users
 • 

Aggregate
data
by
domain


Problem:
 …
 Solu'on:
 • 
Aggregate
(id,
data)
from
many
sources
 • 
Analyze
data
grouped
by
id


But
what
about
privacy?
 What
inputs
are
submiHed?
 Who
submiHed
what?


Data
Aggrega'on
Problem
 • Many
par'cipants,
each
with
(key,
value)
observa'on
 • Goal:

Aggregate
observa'ons
by
key
 Key
 Values
 k 1
 





 

(
v a ,
v b
 ) 
 
 A 

 k 2
 





 

(
v i ,
v j ,
v k 
)
 
 A 

 …
 k n
 





 

(
v x
 )
 
 A 



Data
Aggrega'on
Problem
 • Many
par'cipants,
each
with
(key,
value)
observa'on
 • Goal:

Aggregate
observa'ons
by
key
 Key
 Values
 )
 k 1
 





 

(
v a ,
v b
 ) 
 F ( 
 A 

 )
 k 2
 





 

(
v i ,
v j ,
v k 
)
 
 A 

 F ( …
 )
 k n
 





 

(
v x
 )
 F ( 
 A 

 PDA: 

 
Only
release
the
value
column

 CR‐PDA: 
Plus
keys
whose
values
sa'sfy
some
func


Data
Aggrega'on
Problem
 • Many
par'cipants,
each
with
(key,
value)
observa'on
 • Goal:

Aggregate
observa'ons
by
key
 Key
 Values
 ?
 k 1
 





 

(
1,
1 
 ) 
 
 Σ 

 ≥
 τ
  ?
 k 2
 





 

(
1,
1,
1
)
 
 Σ 

 ≥
 τ
 …
 ?
 k n
 





 

(
1 
 )
 
 Σ 

 ≥
 τ
 PDA: 

 
Only
release
the
value
column

 CR‐PDA: 
Plus
keys
whose
values
sa'sfy
some
func


Goals
 • Keyword
privacy:

No
party
learns
anything
about
keys
 • Par'cipant
privacy:

No
party
learns
who
submiHed
what
 • Efficiency:

Scale
to
many
par'cipants,
each
with
many
inputs
 • Flexibility:

Support
variety
of
computa'ons
over
values
 • Lack
of
coordina'on:


 – No
synchrony
required,
individuals
cannot
prevent
progress
 – All
par'cipants
need
not
be
online
at
same
'me


Poten'al
solu'ons
 Keyword
 Par5cipant
 Lack
of
 Approach
 Privacy
 Privacy
 Efficiency
 Flexibility
 Coord
 Decentralized
 Garbled
 Circuit
 Yes 
Yes 
Very
Poor 
Yes 
No
 Evalua'on
 Mul'party
 Yes 
Yes 
Poor 
No 
No
 Set
Intersec'on


Security
 Efficiency
 • Weaken
security
assump'ons?
 – Assume
honest
but
curious
par'cipants?
 – Assume
no
collusion
among
malicious
par'cipants?

 • In
large/open
sedng,
easy
to
operate
mul'ple
nodes
 (so‐called
“Sybil
aHack”)


Towards
Centraliza'on?
 DB
 Par5cipants


Poten'al
solu'ons
 Keyword
 Par5cipant
 Lack
of
 Approach
 Privacy
 Privacy
 Efficiency
 Flexibility
 Coord
 Decentralized
 Garbled
 Circuit
 Yes 
Yes 
Very
Poor 
Yes 
No
 Evalua'on
 Mul'party
 Yes 
Yes 
Poor 
No 
No
 Set
Intersec'on
 Centralized
 Hashing
 No 
No 
Very
Good 
Yes 
Yes
 Inputs
 Network
 No 
Yes 
Very
Good 
Yes 
Yes
 Anonymiza'on


Towards
semi‐centraliza'on
 Proxy
 DB
 Assump5on:


 Proxy
and
DB
do
 Par5cipants
 not
collude


Poten'al
solu'ons
 Keyword
 Par5cipant
 Lack
of
 Approach
 Privacy
 Privacy
 Efficiency
 Flexibility
 Coord
 Decentralized
 Garbled
 Circuit
 Yes 
Yes 
Very
Poor 
Yes 
No
 Evalua'on
 Mul'party
 Yes 
Yes 
Poor 
No 
No
 Set
Intersec'on
 Centralized
 Hashing
 No 
No 
Very
Good 
Yes 
Yes
 Inputs
 Network
 No 
Yes 
Very
Good 
Yes 
Yes
 Anonymiza'on
 This
 Yes 
Yes 
Good 
Yes 
Yes
 Work


Privacy
Guarantees
 • Privacy
of
PDA
against
malicious
en''es
and
par'cipants

 – Malicious
par'cipant
may
collude
with
either
malicious
 proxy
or
DB,
but
not
both
 – May
violate
 correctness
 in
almost
arbitrary
ways
 • Privacy
of
CR‐PDA
against
honest‐but‐curious
en''es
 and
malicious
par'cipants



PDA
Strawman
#0
 k
 Par5cipant
 Proxy
 DB
 1. 
Client
sends
input
k


PDA
Strawman
#1
 E DB (k)
 E DB (k)
 Par5cipant
 Proxy
 DB
 k # 1. 
Client
sends
encrypted
input
k
 ds
 1.1.1.1 1 2. 
Proxy
batches
and
retransmits
 2.2.2.2 9 3. 
DB
decrypts
input
 Violates
 keyword
 privacy


PDA
Strawman
#2
 E DB (
H
(k)
)
 E DB (
H
(k)
)
 Par5cipant
 Proxy
 DB
 H (k) # 1. 
Client
sends
hashes
of
k
 H(1.1.1.1) 1 ds
 2. 
Proxy
batches
and
retransmits
 H(2.2.2.2) 9 3. 
DB
decrypts
input
 S5ll
violates
keyword
privacy:
 IPs
drawn
from
small
domains


PDA
Strawman
#3
 E DB (
F s
 (k)
)
 E DB (
F s 
(k)
)
 Secret
s
 Par5cipant
 Proxy
 DB
 F s (k) # 1. 
Client
sends
keyed
hashes
of
k
 F s (1.1.1.1) 1 – Keyed
hash
func'on
(PRF)
 F s (2.2.2.2) 9 – Key
s
known
only
by
proxy
 But
how
do
clients

 learn
F s
 (IP))
?


Our
Basic
PDA
Protocol
 F s 
(k)
 E DB (
F s 
(k)
)
 E DB (
F s 
(k)
)
 OPRF
 Secret
s
 Par5cipant
 Proxy
 DB
 F s (k) # 1. 
Client
sends
keyed
hashes
of
k
 F s (1.1.1.1) 1 – F s (x)
learned
by
client
through

 F s (2.2.2.2) 9 
Oblivious
PRF
protocol
 2. Proxy
batches
and
retransmits
keyed
hash
 3. DB
decrypts
input


Basic
CR‐PDA
Protocol
 F s 
(k)
 E DB (
F s 
(k)
)
 retransmits
 E DB (E PRX 
(k))
 Secret
s
 E PRX 
(k)
 Par5cipant
 Proxy
 DB
 F s (k) F s (k) # Enc’d k # 1. Client
sends
keyed
hashes
of
k,
 F s (1.1.1.1) F s (1.1.1.1) 1 E PRX ( 1.1.1.1 ) 1 
and
encrypted
k
for
recovery
 F s (2.2.2.2) F s (2.2.2.2) 9 E PRX ( 2.2.2.2 ) 9 2. Proxy
retransmits
keyed
hash
 3. DB
decrypts
input
 4. Iden'fy
rows
to
release
and
transmit
E PRX 
(k)
to
proxy
 5. Proxy
decrypts
k
and
releases


Privacy
Proper'es
 F s 
(k)
 E DB (
F s 
(k)
)
 retransmits
 E DB (E PRX 
(k))
 Secret
s
 E PRX 
(k)
 Par5cipant
 Proxy
 DB
 • Keyword
privacy:

Nothing
learned
about
unreleased
keys
 • Par'cipant
privacy:

Key
  
Par'cipant
not
learned
 • Any
coali'on
of
HBC
par'cipants
 • HBC
coali'on
of
proxy
and
par'cipants
 • HBC
database


Privacy
Proper'es
 F s 
(k)
 E DB (
F s 
(k)
)
 retransmits
 E DB (E PRX 
(k))
 Secret
s
 E PRX 
(k)
 Par5cipant
 Proxy
 DB
 • Keyword
privacy:

Nothing
learned
about
unreleased
keys
 • Par'cipant
privacy:

Key
  
Par'cipant
not
learned
 • Any
coali'on
of
HBC
par'cipants
 malicious
par'cipants
 • HBC
coali'on
of
proxy
and
par'cipants
 • HBC
database
 HBC
coali'on
of
DB
and
par'cipants


More
Robust
PDA
Protocol
 F s 
(k)
 E DB (
F s 
(k)
)
 retransmits
 E DB (E PRX 
(k))
 Secret
s
 E PRX 
(k)
 Par5cipant
 Proxy
 DB
 • ORPF


  


Encrypted
OPRF
Protocol
 • Ciphertext
re‐randomiza'on
by
proxy
 • Proof
by
par'cipant
that
submiHed
k’s
match
 • Any
coali'on
of
HBC
par'cipants
 malicious
par'cipants
 • HBC
coali'on
of
proxy
and
par'cipants
 • HBC
database
 HBC
coali'on
of
DB
and
par'cipants