Private Multi-party Matrix Multiplication and Trust Computations. Jean-Guillaume Dumas (1); Pascal Lafourcade (2); Jean-Baptiste Orfila (1); Maxime Puys (1). JNCF 2017, 2017/01/20.
Public Key Infrastructure: Alice wants to securely reach a website (e.g. using « https »). [Figure: Alice, google.com, public key, private key]
Public Key Infrastructure: Problem: fake website! [Figure: Alice, google.com and the fake ɢoogle.com]
Public Key Infrastructure: Certificates are delivered by a certification authority (CA). [Figure: CA_1 and google.com; certificate with Id: google.com, Pub key: …, Sign: CA1]
Public Key Infrastructure: Alice checks the certificate. CA_1 => OK; CA_FAKE => KO. [Figure: Alice, google.com with certificate (Id: google.com, Pub key: …, Sign: CA1) and ɢoogle.com with certificate (Id: ɢoogle.com, Pub key: …, Sign: CA_Fake)]
Trust between CA. [Figure: PKI_A, PKI_B and PKI_C with their authorities CA_A, CA_B and CA_C; User1 and User2]
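Network trust evaluation: Trust value between nodes. [Figure: graph on nodes 1 to 5 with edge trust values 3/10, 4/10, 5/10, 6/10, 7/10, 8/10, 9/10]
Network trust evaluation: Trust evaluation between P1 and P5? [Figure: graph on nodes 1 to 5 with edge trust values 3/10, 4/10, 5/10, 6/10, 7/10, 8/10, 9/10 and one unknown value marked « ? »]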
Trust Model [Jøsang 2007]: Trust metric: T = (Trust, Distrust, Uncertainty), with Trust from positive experiences, Distrust from negative experiences, and Uncertainty = 1 - Trust - Distrust. Trust aggregation: direct evaluation. [Figure: nodes 1 and 2]
Trust Model [Jøsang 2007]: Trust metric: T = (Trust, Distrust, Uncertainty), with Trust from positive experiences, Distrust from negative experiences, and Uncertainty = 1 - Trust - Distrust. Trust aggregation (monoids based): sequential (‘x’) and parallel (‘+’). [Figure: node diagrams for sequential and parallel aggregation]
Matrix representation: From a graph… …to a matrix. [Figure: graph on nodes 1 to 5 with edges T12, T13, T14, T25, T32, T45, T53 and one unknown value « ? », and the matching matrix A] Trust aggregation [Dumas, Hossayni, 2012]: with k the longest path between vertices, A^k converges to global trust.
Securely computing trust: How to securely compute a matrix product? Conditions: n players; 1 secret input per player (i.e. the row); 1 common computation (i.e. A^k).
Outline: 1. Introduction; 2. A secure multiparty dot product problem (a. State of the art; b. Definitions and tools; c. Data repartition problem); 3. A new dot product protocol: DSDP; 4. Security strengthening of the DSDP protocol (a. 1 player corruption; b. Collusion attacks; c. Random Ring Order); 5. Conclusion.
Secure dot product: State of the Art. Usual approach for U^T . V: row U = (T12, T13, T14): all values owned by 1 player; column V: all values owned by 1 player. [Du et al. 2001]; [Amirbekyan et al. 2007]; [Wang et al. 2008]; ...
Homomorphic Encryptions: E_k(m1) . E_k(m2) = E_k(m1+m2) and E_k(m1)^m2 = E_k(m1.m2), e.g. cryptosystems of Paillier, Benaloh, Naccache-Stern… Paillier’s cryptosystem: ciphering/deciphering based on modular exponentiations (« RSA like »); cleartext space depends on each player’s parameters. Benaloh’s cryptosystem: deciphering: computing an ‘‘easy’’ discrete log; common cleartext space.
Dot product: Data repartition for U^T . V: column V: 1 secret value per player; row U = (T12, T13, T14): all values owned by 1 player.
Security notions: Protocol must achieve… correctness, privacy, safety …despite adversaries… curious-but-honest, malicious …capable of cooperating.
State of the Art. MPWP [Dolev et al. ’10]: securely computing weighted average; Benaloh’s cryptosystem; communications cost: O(n^3). P-MPWP (1st contribution): adaptation w/ Paillier’s cryptosystem; reduction of the communications: O(n^2). DSDP (2nd contribution): Paillier’s cryptosystem; communications cost: O(n); fewer security properties are verified.
Distributed Secure Dot Product (DSDP), step by step:
0. Data repartition. [Figure: P1 holds u1, u2, u3; P2 holds v2; P3 holds v3]
1. Protection of P2 and P3 inputs -> ciphering. [Figure: P2 ciphers v2, P3 ciphers v3]
2. Data exchange. [Figure: ciphered v2 and v3 at P1]
3. Homomorphic operations. [Figure: P1 obtains v2 u2 and v3 u3]
4. P1 data protection: adding randomness (r2, r3), then homomorphic operations. [Figure: P1 obtains v2 u2 + r2 and v3 u3 + r3]
5. Data exchange. [Figure: v3 u3 + r3 and v2 u2 + r2 leave P1]
6. Deciphering. [Figure: v3 u3 + r3 and v2 u2 + r2]
7. Reciphering with next player’s key. [Figure: v3 u3 + r3 and v2 u2 + r2]
8. Homomorphic operation. [Figure: v2 u2 + r2 and v3 u3 + r3 combined into v2 u2 + r2 + v3 u3 + r3]
9. Data exchange. [Figure: v2 u2 + r2 + v3 u3 + r3]
10. Deciphering. [Figure: v2 u2 + r2 + v3 u3 + r3]
11. Reciphering with master player’s key. [Figure: v2 u2 + r2 + v3 u3 + r3]
12. Data exchange. [Figure: v2 u2 + r2 + v3 u3 + r3 at P1]
13. Removing randomness. [Figure: P1 removes r2 and r3 from v2 u2 + r2 + v3 u3 + r3]
14. Adding missing data. [Figure: P1 adds its own u1 term to v2 u2 + v3 u3]
Distributed Secure Dot Product (DSDP): Properties: correctness; security against one semi-honest adversary; safety; O(n) communications. Automatic security verification: ProVerif.
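The homomorphic properties and DSDP steps 0 to 14 above, as an added example (not code from the talk or its authors): a toy Paillier with constructed small primes, generalized from 3 to n players. Which player holds each ciphertext at the combine step and P1's own term being u1*v1 are assumptions, since the slide figures did not survive.

```python
import math, secrets

def keygen(p, q):
    """Toy Paillier key pair from two primes (constructed; far too small for real use)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return n, (n, phi, pow(phi, -1, n))     # public n; private (n, phi, phi^-1 mod n)

def enc(n, m):
    """E(m) = (1+n)^m * r^n mod n^2 with fresh random r coprime to n."""
    r = 0
    while math.gcd(r, n) != 1:
        r = secrets.randbelow(n - 1) + 1
    return (1 + m * n) * pow(r, n, n * n) % (n * n)

def dec(sk, c):
    n, phi, mu = sk
    return (pow(c, phi, n * n) - 1) // n * mu % n

def dsdp(u, v, keys, mask_bound=1000):
    """u: P1's row; v[i]: secret of player i+1; keys[i]: that player's (pub, priv).
    Returns u.v as P1 obtains it. Every masked sum must stay below each modulus."""
    k = len(u)
    # Steps 1-2: P2..Pn cipher their v_i under their own key and send it to P1.
    c = {i: enc(keys[i][0], v[i]) for i in range(1, k)}
    # Steps 3-5: P1 builds alpha_i = E_i(v_i)^u_i * E_i(r_i) = E_i(v_i u_i + r_i).
    r = {i: secrets.randbelow(mask_bound) for i in range(1, k)}
    alpha = {}
    for i in range(1, k):
        n2 = keys[i][0] ** 2
        alpha[i] = pow(c[i], u[i], n2) * enc(keys[i][0], r[i]) % n2
    # Steps 6-12: each player deciphers the running sum, reciphers it under the
    # next player's key and adds that player's alpha; the last one uses P1's key.
    beta = alpha[1]
    for i in range(1, k):
        delta = dec(keys[i][1], beta)       # masked partial sum seen by this player
        nxt = (i + 1) % k                   # index 0 is the master player P1
        beta = enc(keys[nxt][0], delta)
        if nxt:
            beta = beta * alpha[nxt] % keys[nxt][0] ** 2
    # Steps 13-14: P1 deciphers, removes r_2..r_n, adds its own term (assumed u1*v1).
    return dec(keys[0][1], beta) - sum(r.values()) + u[0] * v[0]

# Constructed sample: three players with distinct toy moduli.
KEYS = [keygen(1009, 1013), keygen(1019, 1021), keygen(1031, 1033)]
U, V = [3, 5, 7], [2, 4, 6]
```

Because each player has a different modulus, the masks are kept small enough that no intermediate sum wraps around any of them, which is the practical consequence of Paillier's per-player cleartext space.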
DSDP: Normal case. [Figure: P1, P2, P3; v3 u3 + r3 and v2 u2 + r2]
DSDP: P3 is compromised. Modified data sent from P3 instead of P1. [Figure: P1, P2, P3; modified values v3 x3 + y3 and v2 x2 + y2]
DSDP: P3 is compromised. Counter-measure: signatures. [Figure: v3 u3 + r3 and v2 u2 + r2, each signed by P1]
DSDP: P1 is compromised. Attack: replacing u3 and r3. [Figure: P1, P2, P3; x3 and v2 u2 + r2]
DSDP: P1 is compromised. Only v2 is unknown! [Figure: P1, P2, P3; v2 u2 + r2 + x3]
DSDP: Counter-measure: Zero-Knowledge Proof of non trivial affine transform. [Figure: P1 and P2; g^u2, g^r2 and g^(v2 u2 + r2)]
DSDP: Counter-measure: Zero-Knowledge Proof of non trivial affine transform. [Figure: P1 and P2; checks: g^u2, g^r2 =?= non trivial values; g^(v2 u2 + r2) =?= (g^u2)^v2 . g^r2]
DSDP: Collusion Attack 1. Normal case: [Figure: ring P1, P2, P3, P4; running sums v2 u2 + r2, then v2 u2 + r2 + v3 u3 + r3, then v2 u2 + r2 + v3 u3 + r3 + v4 u4 + r4]
DSDP: P1 and P3 corrupted. P3 extra data exchange: [Figure: P1, P2, P3, P4; v2 u2 + r2 + v3 u3 + r3]
DSDP: Collusion Attacks. Attacks conditions: P1 corrupted; honest player surrounded by corrupted ones. Problem: players’ location! Counter-measure: Random Ring Order (RRO): players are randomly placed; d protocol repetitions using masked secrets.
DSDP: Random Ring Order. Masked secret: v_i = v_i,1 + v_i,2.
Round 1: [Figure: ring P1, P2, P3; v2,1 u2 + r2, then v2,1 u2 + r2 + v3,1 u3 + r3]
Round 2: [Figure: ring P1, P3, P2; v3,2 u3 + r3’, then v3,2 u3 + r3’ + v2,2 u2 + r2’]
Last step: [Figure: P1 holds v2,1 u2 + v3,1 u3 + v3,2 u3 + v2,2 u2, regrouped as v2,1 u2 + v2,2 u2 + v3,1 u3 + v3,2 u3]
At the end: [Figure: P1 holds v2 u2 + v3 u3]
Security of RRO: Attacks successful if adversaries are well-placed at each round. Probabilistic security: #{Malicious Players} < #{Honest Players} => d = O(log n) rounds (on average). Guaranteed security: even in the worst case (#{Malicious} = n-2) => d = O(n*s) rounds, with s bits of security.
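The masked secrets and the placement condition above in a plaintext model, as an added example (not code from the talk): ciphering is left out so the share arithmetic and ring positions are visible. The function names, and the reading of "well-placed" as both ring neighbours corrupted with P1 closing the ring at both ends, are assumptions.

```python
import random

def split_secret(v, d, rng, bound=10**6):
    """Masked secret v = v_1 + ... + v_d: d-1 random shares, the last one fixes the sum."""
    shares = [rng.randrange(-bound, bound) for _ in range(d - 1)]
    return shares + [v - sum(shares)]

def exposed(order, target, corrupted):
    """True when both ring neighbours of `target` are corrupted in this round.
    `order` places players 2..n; the master P1 closes the ring at both ends."""
    ring = [1] + list(order) + [1]
    i = ring.index(target)
    return ring[i - 1] in corrupted and ring[i + 1] in corrupted

def rro(u, v, d, rng, mask_bound=10**6):
    """Plaintext model of d DSDP repetitions (ciphering left out).
    u, v map player number -> value. Returns (P1's result, ring orders, shares).
    rng is a seedable PRNG for a reproducible model, not for real share generation."""
    others = sorted(p for p in v if p != 1)
    shares = {p: split_secret(v[p], d, rng) for p in others}
    orders, total = [], 0
    for rnd in range(d):
        order = others[:]
        rng.shuffle(order)                      # players are randomly placed
        orders.append(order)
        r = {p: rng.randrange(mask_bound) for p in order}
        delta = 0
        for p in order:                         # running sum handed round the ring
            delta += u[p] * shares[p][rnd] + r[p]
        total += delta - sum(r.values())        # P1 removes its masks
    return total + u[1] * v[1], orders, shares

def secret_leaks(orders, target, corrupted):
    """Colluders rebuild v_target only if well-placed around it in every round."""
    return all(exposed(o, target, corrupted) for o in orders)
```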
Dot Product Protocols Comparison. [Table]
Private trust computation: Applying dot-product protocols to matrix product. [Figure: a trust matrix with unknown entries « ? », raised to the power k, converges to the Global Trust matrix] Applicable to monoids of trust. Inputs privacy.