1

Cryptography: on the Hope for Privacy in a Digital World

Omer ReingoldVVeizmann and Harvard CRCS

2

So, is there Hope for Privacy?

• No! Privacy is doomed! Enjoy your sandwiches …

: Is this what we invited you for?

• On second thought, the digital world gives new hope for privacy!– Selling digital goods (w/ Bill Aiello

and Yuval Ishai) – Keyword database search (w/ Mike Freedman,

Yuval Ishai, and Benny Pinkas)

3

Day to Day Breaches of Privacy

• When/how can it be better?

4

Anonymity?

Alice

BobAnd Betty, when you call me,you can call me Al!

I can call you Betty,

Call me Al ......

Not in this Talk!

5

Selling Digital Goods

• How good are digital goods?– Entertainment: TV, music, video, books, software– Business: news, stock quotes, patents, layoff

rumors– Research: papers, research databases, clip-art

• What’s special about digital goods?– Typically of unlimited supply (easy to duplicate).– Easy to communicate and manipulate

• Main goal: protect the privacy of clients– What – When– How much– (But not who)

6

Example

Vendor

Buyer

‘ ’,

Key of

Encrypted Individually

7

Oblivious Transfer (OT) [R], 1-out-of-N [EGL]:

– Input:• Vendor: x1,x2,…,xn

• Buyer: 1 ≤ j ≤ n

– Output:• Vendor: nothing• Buyer: xj

– Privacy:• Vendor: learns nothing about j• Buyer: learns nothing about xi for i ≠ j

• 4

– Not necessarily two messages

– Related notions: Private Information Retrievable [CGKS] / Symmetrically- Private Information Retrievable [GIKM]

X1 …X2 X3 X4 Xn

Xj

j

8

Priced OT [AIR]

Vendor

BuyerInitial payment $ b0

Set b=b0

Vendor

Buyer

Prices: p1, p2 , …

pnItems: k1, k2, …

kni

ki b← b - pi

k0, p0=0,

9

Comparison with E-cash [Cha85,CFN88,...]

E-cash Priced OTPayment digital anyGoods any digitalHides who what +Access to goods anonymous any

Buyer Vendor

10

General Perspective

• Priced OT is an instance of secure two-party computation.

• Theoretical plausibility result are known [Yao,GMW].

• However: General solutions are costly (computation, bandwidth, rounds).

• A major endeavor in cryptography: Identifying interesting specific problems and suggesting more efficient solutions.

11

Tool: Homomorphic Encryption

Plaintexts from (G,+)

• E(a),E(b) E(a+b) E(a),c E(c·a)

• |G| large prime

• Can use either additive G=ZP or multiplicative GZ*

P

• In particular, can use El-Gamal.

12

Conditional Disclosure of Secrets [GIKM,AIR]

Buyer

• Honest Buyer: V(q) = True • How to protect against a malicious Buyer?

– Method 1: Buyer proves in ZK that V(q) = True;– Method 2: Vendor disclose a subject to the

condition V(q) = True.

• Notation: CDS( a ; V(q) )

E(q),pk

E(a)

Vendor (sk,pk) E(CDS( a ; V(q) )) a

13

Conditional Disclosure of Secrets - Implementation

Buyer

a,q,i G CDS(a ; q=i) : a+r(q-i) r R{1,…,|G|}

E is homomorphic - E(CDS( a ; V(q) )) can be computed from E(q)

• Information-theoretic security for Vendor (hides a).

• Need to verify “validity” of pk; Easy for El-Gamal!

E(q),pk

(sk,pk) E(CDS( a ; V(q) ))

Vendor a

14

Application: 1-Round OT* [AIR,NP]

(sk,pk)E(q),pk Vendo

rBuyer

x1 x2 xnq

E(CDS(x1 ; q =1)), … , E(CDS(xn ; q =n))

* Weakened / incomparable notion of security vs. simulation:• Vendor’s security: purely information-theoretic• Buyer’s security: privacy only.

15

Database Search

• OT/PIR/SPIR allow to privately retrieve the ith entry of a database. Efficiency depends linearly (at least) on the size of the database.

• Sometime this is not enough. For example, consider a list of fraudulent card numbers. A merchant wants to check if a particular number is in the least.

• Use OT/PIR?– Table of 1016 ≈ 253 entries, 1 if fraudulent, 0

otherwise?• Works on supporting more general database search.

16

Keyword Search (KS): definition

• Input:– Server: database X={ (xi,pi ) } , 1 ≤ i ≤ N

• xi is a keyword (e.g. number of a corrupt card)

• pi is the payload (e.g. why card is corrupt)

– Client: search word w (e.g. credit card number)

• Output:– Server: nothing– Client:

• pi if i : xi = w

• otherwise nothing

Client output: (xj ,pj ) iff w=xj

…(x1,p1) (xn,pn )(x2,p2)Server:

Client: w

17

Conclusions

•Our expectation of privacy in the “digital world” should not be bounded to our “physical world” experiences.

•The ability to duplicate, manipulate and communicate digital information is key.

•Very powerful cryptographic tool in the form of secure function evaluation.

•Research on efficient instantiations, possibly with some security relaxations.