An Efficient and Secure Protocol for Privacy Preserving Set ...
Transcript of An Efficient and Secure Protocol for Privacy Preserving Set ...
![Page 1: An Efficient and Secure Protocol for Privacy Preserving Set ...](https://reader030.fdocuments.net/reader030/viewer/2022012413/616d965a6eedf96f9853bc79/html5/thumbnails/1.jpg)
JAIST COE Symposium 2007 – 1 / 23
An Efficient and Secure Protocol for Privacy
Preserving Set Intersection
PhD Candidate: Yingpeng SangAdvisor : Associate Professor Yasuo Tan
School of Information Science
Japan Advanced Institute of Science and Technology
![Page 2: An Efficient and Secure Protocol for Privacy Preserving Set ...](https://reader030.fdocuments.net/reader030/viewer/2022012413/616d965a6eedf96f9853bc79/html5/thumbnails/2.jpg)
Overview
Problem Background
Privacy Preserving SetIntersection amongMultiple Parties
Conclusions andFuture Work
JAIST COE Symposium 2007 – 2 / 23
Problem Background
Privacy Preserving Set Intersection among Multiple Partie s
Conclusions and Future Work
![Page 3: An Efficient and Secure Protocol for Privacy Preserving Set ...](https://reader030.fdocuments.net/reader030/viewer/2022012413/616d965a6eedf96f9853bc79/html5/thumbnails/3.jpg)
Problem Background
Problem Background
Privacy PreservingComputations
Two Models ofAdversarial Parties
Privacy Preserving SetIntersection amongMultiple Parties
Conclusions andFuture Work
JAIST COE Symposium 2007 – 3 / 23
![Page 4: An Efficient and Secure Protocol for Privacy Preserving Set ...](https://reader030.fdocuments.net/reader030/viewer/2022012413/616d965a6eedf96f9853bc79/html5/thumbnails/4.jpg)
Privacy Preserving Computations
Problem Background
Privacy PreservingComputations
Two Models ofAdversarial Parties
Privacy Preserving SetIntersection amongMultiple Parties
Conclusions andFuture Work
JAIST COE Symposium 2007 – 4 / 23
■ Inputs:(x1, x2, ..., xN ) held by distributed parties (P1, P2, ..., PN )respectively.
■ Outputs:some function f(x1, x2, ..., xN ), e.g., intersection, maximum,minimum, etc.
■ Privacy Requirement:Pi(i = 1, ..., N) knows nothing about xi′ (i′ 6= i), except theinformation I(xi, f).
■ Difficulties:
— Some parties may have adversarial behaviors;— There may be no party that can be trusted by all the other
parties.
![Page 5: An Efficient and Secure Protocol for Privacy Preserving Set ...](https://reader030.fdocuments.net/reader030/viewer/2022012413/616d965a6eedf96f9853bc79/html5/thumbnails/5.jpg)
Two Models of Adversarial Parties
Problem Background
Privacy PreservingComputations
Two Models ofAdversarial Parties
Privacy Preserving SetIntersection amongMultiple Parties
Conclusions andFuture Work
JAIST COE Symposium 2007 – 5 / 23
■ Assumption: only one adversary, who controls arbitrarynumber of parties.
■ Semi-honest Model : the adversary follows the protocolproperly, but may analyze its intermediate computations.
■ Malicious Model : the adversary arbitrarily deviates from theprotocol, i.e.,
— refusing to participate in the protocol when the protocol isfirst invoked;
— arbitrarily substituting its original local input and entering theprotocol with an input other than the one provided to them;
— aborting the protocol whenever obtaining the desired result.
![Page 6: An Efficient and Secure Protocol for Privacy Preserving Set ...](https://reader030.fdocuments.net/reader030/viewer/2022012413/616d965a6eedf96f9853bc79/html5/thumbnails/6.jpg)
Privacy Preserving Set
Intersection among
Multiple Parties
Problem Background
Privacy Preserving SetIntersection amongMultiple Parties
One Application
Problem Definition
Related Work
Basic ToolsPPSI Protocol 1 for theSemi-honest ModelPPSI Protocol 2 for theMalicious ModelComparisons withPrevious Results
Conclusions andFuture Work
JAIST COE Symposium 2007 – 6 / 23
![Page 7: An Efficient and Secure Protocol for Privacy Preserving Set ...](https://reader030.fdocuments.net/reader030/viewer/2022012413/616d965a6eedf96f9853bc79/html5/thumbnails/7.jpg)
One Application
Problem Background
Privacy Preserving SetIntersection amongMultiple Parties
One Application
Problem Definition
Related Work
Basic ToolsPPSI Protocol 1 for theSemi-honest ModelPPSI Protocol 2 for theMalicious ModelComparisons withPrevious Results
Conclusions andFuture Work
JAIST COE Symposium 2007 – 7 / 23
■ Government : A = {No − flight Name List}■ Airline Company : B = {Customer Name List}■ Preventing Terrorism :
— A ∩ B
— Government’s Privacy: A 9 Air Flight Company— Company’s Privacy: B 9 Government
![Page 8: An Efficient and Secure Protocol for Privacy Preserving Set ...](https://reader030.fdocuments.net/reader030/viewer/2022012413/616d965a6eedf96f9853bc79/html5/thumbnails/8.jpg)
Problem Definition
Problem Background
Privacy Preserving SetIntersection amongMultiple Parties
One Application
Problem Definition
Related Work
Basic ToolsPPSI Protocol 1 for theSemi-honest ModelPPSI Protocol 2 for theMalicious ModelComparisons withPrevious Results
Conclusions andFuture Work
JAIST COE Symposium 2007 – 8 / 23
Privacy Preserving Set Intersection (PPSI): For Semi-honestModel
■ Inputs : N (N ≥ 2) parties.Each party Pi (i = 1, ..., N) has a set (or multiset) Ti:Ti = {T (i, j)|j = 1, ..., S}.
■ Outputs : Each party Pi learns TI = T1 ∩ ... ∩ TN ,without knowing the elements in Ti′ (i′ 6= i) except TI .
■ Π is a secure PPSI protocol in the semi-honest model, if
{S(I, (Ti1 , ..., Tic), fI(T ))} ≡c {V IEWΠ
I (T )}
in which,
— S: a PPT algorithm;— I = {i1, ..., ic}: the index set of adversarial parties;— f: the intersection function;— V IEWΠ
I (T ): the view of adversarial parties during Π;
![Page 9: An Efficient and Secure Protocol for Privacy Preserving Set ...](https://reader030.fdocuments.net/reader030/viewer/2022012413/616d965a6eedf96f9853bc79/html5/thumbnails/9.jpg)
Problem Definition (contd.)
Problem Background
Privacy Preserving SetIntersection amongMultiple Parties
One Application
Problem Definition
Related Work
Basic ToolsPPSI Protocol 1 for theSemi-honest ModelPPSI Protocol 2 for theMalicious ModelComparisons withPrevious Results
Conclusions andFuture Work
JAIST COE Symposium 2007 – 9 / 23
PPSI: For Malicious Model
■ Inputs : N (N ≥ 2) parties.Pi (i = 1, ..., N) has a set (or multiset) Ti.
■ Outputs : Each party Pi learns TI = T1 ∩ ... ∩ TN ,without knowing the elements in Ti′ (i′ 6= i) except TI .
■ Π is a secure PPSI protocol in the malicious model, if
{IDEALf,I,B(T )} ≡c {REALΠ,I,A(T )}.
in which,
— A: PPT algorithm of the adversary in Π;— B: PPT algorithm of the adversary in the ideal model, where there is an
available trusted party;— REALΠ,I,A(T ): Output of A in Π;— IDEALf,I,B(T ): Output of B in the ideal execution.
![Page 10: An Efficient and Secure Protocol for Privacy Preserving Set ...](https://reader030.fdocuments.net/reader030/viewer/2022012413/616d965a6eedf96f9853bc79/html5/thumbnails/10.jpg)
Related Work
Problem Background
Privacy Preserving SetIntersection amongMultiple Parties
One Application
Problem Definition
Related Work
Basic ToolsPPSI Protocol 1 for theSemi-honest ModelPPSI Protocol 2 for theMalicious ModelComparisons withPrevious Results
Conclusions andFuture Work
JAIST COE Symposium 2007 – 10 / 23
1) L. Kissner and D. Song, “Privacy-Preserving Set Operations”, inAdvances in Cryptology - CRYPTO 2005.
— fi = (x − T (i, 1)) · · · (x − T (i, S)),
F =∑N
i=1 fi ∗∑N
k=1 ri,k.
— Security: semi-honest and malicious models.
2) M. Freedman, K. Nissim and B. Pinkas, “Efficient PrivateMatching and Set Intersection”, in Proc. of Eurocrypt ’04.
— PN evaluates its elements T (N, j) on fi (i = 1, ..., N − 1).
— Security: semi-honest model
■ Our aims: less costs while keeping the same security.
![Page 11: An Efficient and Secure Protocol for Privacy Preserving Set ...](https://reader030.fdocuments.net/reader030/viewer/2022012413/616d965a6eedf96f9853bc79/html5/thumbnails/11.jpg)
Basic Tools
Problem Background
Privacy Preserving SetIntersection amongMultiple Parties
One Application
Problem Definition
Related Work
Basic ToolsPPSI Protocol 1 for theSemi-honest ModelPPSI Protocol 2 for theMalicious ModelComparisons withPrevious Results
Conclusions andFuture Work
JAIST COE Symposium 2007 – 11 / 23
■ Threshold version of additive homomorphic encryption: Paillier’sscheme.
■ Calculations on encrypted polynomials:
— For f(x) =∑m
i=0 aixi, E(f(x)) = {E(ai)|i = 0, ...,m};
— The evaluation E(f(x)) for x = v;— The scalar product E(cf(x)), given c;— The sum E(f(x) + g(x)), given E(f(x)) and E(g(x));— The polynomials multiplication E(f(x) ∗ g(x)), given f(x)
and E(g(x)).
![Page 12: An Efficient and Secure Protocol for Privacy Preserving Set ...](https://reader030.fdocuments.net/reader030/viewer/2022012413/616d965a6eedf96f9853bc79/html5/thumbnails/12.jpg)
PPSI Protocol 1 for the Semi-honest Model
Problem Background
Privacy Preserving SetIntersection amongMultiple Parties
One Application
Problem Definition
Related Work
Basic ToolsPPSI Protocol 1 for theSemi-honest ModelPPSI Protocol 2 for theMalicious ModelComparisons withPrevious Results
Conclusions andFuture Work
JAIST COE Symposium 2007 – 12 / 23
1) Constructing the Polynomial Vector F
1.1) Pi computes fi = (x − T (i, 1)) · · · (x − T (i, S)) mod N torepresent its set Ti.
1.2) Pi computes E(fi ∗∑N
j=1 ri,j), in which ri,j is generated byPj , ri,j = ai,jx + bi,j , ai,j, bi,j ∈R ZN .
1.3) The N parties get:
E(F ) = ( E(f1 ∗N∑
j=1
r1,j), ..., E(fN ∗N∑
j=1
rN,j) )
![Page 13: An Efficient and Secure Protocol for Privacy Preserving Set ...](https://reader030.fdocuments.net/reader030/viewer/2022012413/616d965a6eedf96f9853bc79/html5/thumbnails/13.jpg)
PPSI Protocol 1 for the Semi-honest Model (contd.)
Problem Background
Privacy Preserving SetIntersection amongMultiple Parties
One Application
Problem Definition
Related Work
Basic ToolsPPSI Protocol 1 for theSemi-honest ModelPPSI Protocol 2 for theMalicious ModelComparisons withPrevious Results
Conclusions andFuture Work
JAIST COE Symposium 2007 – 13 / 23
2) Multiplication with Nonsingular Matrices
2.1) Pi generates a random and nonsingular matrix Ri;2.2) Pi computes E(FR1 · · · Ri);2.3) The N parties get E(G) = E(FR1 · · · RN) = E(FR) and
decrypt it:
g1 = f1 ∗N∑
j=1
r1,jR11 + ... + fN ∗N∑
j=1
rN,jRN1
...
gN = f1 ∗N∑
j=1
r1,jR1N + ... + fN ∗N∑
j=1
rN,jRNN
in which Ruv is the (u, v) entry of R (1 ≤ u, v ≤ N).
2.4) Pi evaluates (g1, ..., gN) at the element T (i, j).
![Page 14: An Efficient and Secure Protocol for Privacy Preserving Set ...](https://reader030.fdocuments.net/reader030/viewer/2022012413/616d965a6eedf96f9853bc79/html5/thumbnails/14.jpg)
PPSI Protocol 1 for the Semi-honest Model (contd.)
Problem Background
Privacy Preserving SetIntersection amongMultiple Parties
One Application
Problem Definition
Related Work
Basic ToolsPPSI Protocol 1 for theSemi-honest ModelPPSI Protocol 2 for theMalicious ModelComparisons withPrevious Results
Conclusions andFuture Work
JAIST COE Symposium 2007 – 14 / 23
■ Correctness Lemma :If for k = 1, ..., N , gk(T (i, j)) = 0, then T (i, j) ∈ TI with anoverwhelming probability (> 1 − 1
280 ).
— Proof Sketch:
▲ R is nonsingular,▲ If G(T (i, j)) = F (T (i, j)) · R = (0, 0, ..., 0),
then F (T (i, j)) = (0, 0, ..., 0).
![Page 15: An Efficient and Secure Protocol for Privacy Preserving Set ...](https://reader030.fdocuments.net/reader030/viewer/2022012413/616d965a6eedf96f9853bc79/html5/thumbnails/15.jpg)
PPSI Protocol 1 for the Semi-honest Model (contd.)
Problem Background
Privacy Preserving SetIntersection amongMultiple Parties
One Application
Problem Definition
Related Work
Basic ToolsPPSI Protocol 1 for theSemi-honest ModelPPSI Protocol 2 for theMalicious ModelComparisons withPrevious Results
Conclusions andFuture Work
JAIST COE Symposium 2007 – 15 / 23
■ Security :
— Semi-honest attacks: analyze the coefficients in G, andinfer the roots of fi′ from Pi′ (i′ ∈ I ′, I ′ is the index set ofhonest parties).
Lemma 1 In PPSI Protocol, any Pi in the coalition of
c (1 ≤ c ≤ N − 1) semi-honest parties (PI ) can know no more
elements than TI in any Ti′ for ∀i′ ∈ I ′.
Theorem 1 Protocol 1 is a secure protocol Π, which privately solves
the PPSI problem with respect to the semi-honest behaviors of
arbitrary number of parties.
![Page 16: An Efficient and Secure Protocol for Privacy Preserving Set ...](https://reader030.fdocuments.net/reader030/viewer/2022012413/616d965a6eedf96f9853bc79/html5/thumbnails/16.jpg)
PPSI Protocol 2 for the Malicious Model
Problem Background
Privacy Preserving SetIntersection amongMultiple Parties
One Application
Problem Definition
Related Work
Basic ToolsPPSI Protocol 1 for theSemi-honest ModelPPSI Protocol 2 for theMalicious ModelComparisons withPrevious Results
Conclusions andFuture Work
JAIST COE Symposium 2007 – 16 / 23
Main Ideas
■ We assume the adversary controls arbitrary number of parties.■ Protocol 2 for the malicious model is based on Protocol 1 for the
semi-honest model.■ Blocks are added to prevent malicious behaviors:
Attack 1) : sending to others an arbitrarily encryptedpolynomial without knowing its coefficients.Solution: Pi should prove that:
1.1) knowing the plaintexts of E(f), PK{f : E(f)}.1.2) correct polynomials multiplication,
PK{r : M = E(f ∗ r)∧
E(f)∧
E(r)}
![Page 17: An Efficient and Secure Protocol for Privacy Preserving Set ...](https://reader030.fdocuments.net/reader030/viewer/2022012413/616d965a6eedf96f9853bc79/html5/thumbnails/17.jpg)
PPSI Protocol 2 for the Malicious Model (contd.)
Problem Background
Privacy Preserving SetIntersection amongMultiple Parties
One Application
Problem Definition
Related Work
Basic ToolsPPSI Protocol 1 for theSemi-honest ModelPPSI Protocol 2 for theMalicious ModelComparisons withPrevious Results
Conclusions andFuture Work
JAIST COE Symposium 2007 – 17 / 23
Attack 2) : encrypting a polynomial whose coefficients are allzeros.Solution: The honest parties can reset the leading coefficient ofpolynomials received from others to be E(1).Attack 3) : generating a singular matrix Ri, then the protocolwon’t be correct.Solution: Pi should prove that Ri it generates is nonsingular:PK{Ri : D = E(det(Ri))
∧D 6= E(0)
∧R = E(Ri)}.
det(Ri) is the determinant of Ri.
![Page 18: An Efficient and Secure Protocol for Privacy Preserving Set ...](https://reader030.fdocuments.net/reader030/viewer/2022012413/616d965a6eedf96f9853bc79/html5/thumbnails/18.jpg)
PPSI Protocol 2 for the Malicious Model (contd.)
Problem Background
Privacy Preserving SetIntersection amongMultiple Parties
One Application
Problem Definition
Related Work
Basic ToolsPPSI Protocol 1 for theSemi-honest ModelPPSI Protocol 2 for theMalicious ModelComparisons withPrevious Results
Conclusions andFuture Work
JAIST COE Symposium 2007 – 18 / 23
Attack 4) : doing multiplication with a matrix R′i other than the
committed matrix Ri.Solution: Each party should prove that he does correct matrix
multiplication with the matrix Ri it has committed:
PK{R : G = E(FR)∧
F = E(F )∧
R = E(R)}.F = (f1, ..., fN ), R is an N × N matrix, and E(R) are the encryptedentries of R.
![Page 19: An Efficient and Secure Protocol for Privacy Preserving Set ...](https://reader030.fdocuments.net/reader030/viewer/2022012413/616d965a6eedf96f9853bc79/html5/thumbnails/19.jpg)
Comparisons with Previous Results
Problem Background
Privacy Preserving SetIntersection amongMultiple Parties
One Application
Problem Definition
Related Work
Basic ToolsPPSI Protocol 1 for theSemi-honest ModelPPSI Protocol 2 for theMalicious ModelComparisons withPrevious Results
Conclusions andFuture Work
JAIST COE Symposium 2007 – 19 / 23
Table 1: Comparisons of solutions for PPSI in the semi-honest modelComputation Cost Communication Cost Security Model
Ours 2(c(S + 2)(N − 1) − 2)lgN+c(S + 2)(N + 3) 2cN(4S + 5)lgN Semi-honest
Kissner’s 2(c(S + 1)2 + 5S + 3)lgN
+c(S2 + 4S + 2) 2cN(5S + 2)lgN Semi-honest
Freedman’s ((S + 1)(S + 2) + 3S(N − 1) − 1)2lgN
+S(S + 1) 10S(N − 1)2lgN Semi-honest
A quantitative analysis:
■ S = 20, N = 5, c = 3, lgN = 1024.■ Our protocol saves about 81% and 63% computation costs,
17% and 20% communication costs in comparison withKissner’s and Freedman’s solutions.
![Page 20: An Efficient and Secure Protocol for Privacy Preserving Set ...](https://reader030.fdocuments.net/reader030/viewer/2022012413/616d965a6eedf96f9853bc79/html5/thumbnails/20.jpg)
Comparisons with Previous Results (contd.)
Problem Background
Privacy Preserving SetIntersection amongMultiple Parties
One Application
Problem Definition
Related Work
Basic ToolsPPSI Protocol 1 for theSemi-honest ModelPPSI Protocol 2 for theMalicious ModelComparisons withPrevious Results
Conclusions andFuture Work
JAIST COE Symposium 2007 – 20 / 23
Table 2: Comparisons of solutions for PPSI in the malicious modelComputation Cost Communication Cost Security Model
Ours O(cSNlgN ) O(cSNlgN ) Malicious
Kissner’s O(cS2lgN ) O(cSNlgN ) Malicious
In practical applications:
■ S (the size of a set ) ≫ N (the number of parties );■ Our Protocol can be faster than Kissner’s solution.
![Page 21: An Efficient and Secure Protocol for Privacy Preserving Set ...](https://reader030.fdocuments.net/reader030/viewer/2022012413/616d965a6eedf96f9853bc79/html5/thumbnails/21.jpg)
Conclusions and Future
Work
Problem Background
Privacy Preserving SetIntersection amongMultiple Parties
Conclusions andFuture WorkConclusions andFuture Work
JAIST COE Symposium 2007 – 21 / 23
![Page 22: An Efficient and Secure Protocol for Privacy Preserving Set ...](https://reader030.fdocuments.net/reader030/viewer/2022012413/616d965a6eedf96f9853bc79/html5/thumbnails/22.jpg)
Conclusions and Future Work
Problem Background
Privacy Preserving SetIntersection amongMultiple Parties
Conclusions andFuture WorkConclusions andFuture Work
JAIST COE Symposium 2007 – 22 / 23
We propose:
■ PPSI protocols in the semi-honest and malicious models whichcost less computation time and bandwidth in practicalapplications than previous results.
Future Work:
■ Doing comparisons between data disguising techniques andcryptographic techniques.
■ Proposing secure and efficient solutions for some basiccomputation problems.
■ Proposing secure solutions for some large-scale data miningtasks.
![Page 23: An Efficient and Secure Protocol for Privacy Preserving Set ...](https://reader030.fdocuments.net/reader030/viewer/2022012413/616d965a6eedf96f9853bc79/html5/thumbnails/23.jpg)
The End
Problem Background
Privacy Preserving SetIntersection amongMultiple Parties
Conclusions andFuture WorkConclusions andFuture Work
JAIST COE Symposium 2007 – 23 / 23
Thank You Very Much!