Jointly Restraining Big Brother: Using cryptography to reconcile privacy with data aggregation Ran Canetti IBM Research.

Slides:



Advertisements
Similar presentations
Revisiting the efficiency of malicious two party computation David Woodruff MIT.
Advertisements

Lower Bounds for Non-Black-Box Zero Knowledge Boaz Barak (IAS*) Yehuda Lindell (IBM) Salil Vadhan (Harvard) *Work done while in Weizmann Institute. Short.
Coin Tossing With A Man In The Middle Boaz Barak.
Secure Multiparty Computations on Bitcoin
Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.
Efficient Zero-Knowledge Proof Systems Jens Groth University College London.
Efficient Two-party and Multiparty Computation against Covert Adversaries Vipul Goyal Payman Mohassel Adam Smith Penn Sate UCLAUC Davis.
Polling With Physical Envelopes A Rigorous Analysis of a Human–Centric Protocol Tal Moran Joint work with Moni Naor.
Semi-Honest to Malicious Oblivious-Transfer The Black-box Way Iftach Haitner Weizmann Institute of Science.
Rational Oblivious Transfer KARTIK NAYAK, XIONG FAN.
Simple, Black-Box Constructions of Adaptively Secure Protocols joint work with Dana Dachman-Soled (Columbia University), Tal Malkin (Columbia University),
Survey: Secure Composition of Multiparty Protocols Yehuda Lindell Bar-Ilan University.
CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.
Computational Security. Overview Goal: Obtain computational security against an active adversary. Hope: under a reasonable cryptographic assumption, obtain.
Optimistic Concurrent Zero-Knowledge Alon Rosen IDC Herzliya abhi shelat University of Virginia.
Amortizing Garbled Circuits Yan Huang, Jonathan Katz, Alex Malozemoff (UMD) Vlad Kolesnikov (Bell Labs) Ranjit Kumaresan (Technion) Cut-and-Choose Yao-Based.
Introduction to Modern Cryptography, Lecture 12 Secure Multi-Party Computation.
Eran Omri, Bar-Ilan University Joint work with Amos Beimel and Ilan Orlov, BGU Ilan Orlov…!??!!
Lect. 18: Cryptographic Protocols. 2 1.Cryptographic Protocols 2.Special Signatures 3.Secret Sharing and Threshold Cryptography 4.Zero-knowledge Proofs.
1 Vipul Goyal Abhishek Jain Rafail Ostrovsky Silas Richelson Ivan Visconti Microsoft Research India MIT and BU UCLA University of Salerno, Italy Constant.
On the Composition of Public- Coin Zero-Knowledge Protocols Rafael Pass (Cornell) Wei-Lung Dustin Tseng (Cornell) Douglas Wiktröm (KTH) 1.
Modeling Insider Attacks on Group Key Exchange Protocols Jonathan Katz Ji Sun Shin University of Maryland.
General Cryptographic Protocols (aka secure multi-party computation) Oded Goldreich Weizmann Institute of Science.
Yan Huang, Jonathan Katz, David Evans University of Maryland, University of Virginia Efficient Secure Two-Party Computation Using Symmetric Cut-and-Choose.
Impossibility Results for Concurrent Two-Party Computation Yehuda Lindell IBM T.J.Watson.
1 Introduction to Secure Computation Benny Pinkas HP Labs, Princeton.
Survey: Secure Composition of Multiparty Protocols Yehuda Lindell IBM T.J. Watson.
Tutorial on Secure Multi-Party Computation
On Everlasting Security in the Hybrid Bounded Storage Model Danny Harnik Moni Naor.
Universally Composable Symbolic Analysis of Key-Exchange Protocols Jonathan Herzog (Joint work with Ran Canetti) 21 September 2004 The author's affiliation.
Universally Composable Symbolic Analysis of Security Protocols Jonathan Herzog (Joint work with Ran Canetti) 7 June 2004 The author's affiliation with.
Slide 1 Vitaly Shmatikov CS 380S Oblivious Transfer and Secure Multi-Party Computation With Malicious Parties.
1 Cross-Domain Secure Computation Chongwon Cho (HRL Laboratories) Sanjam Garg (IBM T.J. Watson) Rafail Ostrovsky (UCLA)
Information-Theoretic Security and Security under Composition Eyal Kushilevitz (Technion) Yehuda Lindell (Bar-Ilan University) Tal Rabin (IBM T.J. Watson)
Adaptively Secure Broadcast, Revisited
How to play ANY mental game
CS573 Data Privacy and Security
Efficient and Robust Private Set Intersection and multiparty multivariate polynomials Dana Dachman-Soled 1, Tal Malkin 1, Mariana Raykova 1, Moti Yung.
Secure Computation of the k’th Ranked Element Gagan Aggarwal Stanford University Joint work with Nina Mishra and Benny Pinkas, HP Labs.
Impossibility and Feasibility Results for Zero Knowledge with Public Keys Joël Alwen Tech. Univ. Vienna AUSTRIA Giuseppe Persiano Univ. Salerno ITALY Ivan.
Slide 1 Vitaly Shmatikov CS 380S Introduction to Secure Multi-Party Computation.
13. Oktober 2010 | Dr.Marc Fischlin | Kryptosicherheit | 1 Rate-Limited Secure Function Evaluation 21. Public Key Cryptography, March 1 st, 2013 Özgür.
On the Communication Complexity of SFE with Long Output Daniel Wichs (Northeastern) joint work with Pavel Hubáček.
On the work of Shafi Goldwasser and Silvio Micali By Oded Goldreich WIS, Dec 2013.
6.897: Advanced Topics in Cryptography Lecturers: Ran Canetti, Ron Rivest.
Input-Indistinguishable Computation Silvio MicaliMIT Rafael PassCornell Alon RosenHarvard.
IPAM ’06 Tutorial Security and Composition of Cryptographic Protocols Ran Canetti IBM Research.
Secure Computation (Lecture 2) Arpita Patra. Vishwaroop of MPC.
On Simulation-Sound Trapdoor Commitments Phil MacKenzie, Bell Labs Ke Yang, CMU.
Universally Composable computation with any number of faults Ran Canetti IBM Research Joint works with Marc Fischlin, Yehuda Lindell, Rafi Ostrovsky, Tal.
Feasibility and Completeness of Cryptographic Tasks in the Quantum World Hong-Sheng Zhou (U. Maryland) Joint work with Jonathan Katz (U. Maryland) Fang.
6.897: Selected Topics in Cryptography Lectures 11 and 12 Lecturers: Ran Canetti, Ron Rivest Scribes?
Honest-Verifier Statistical Zero-Knowledge Equals General Statistical Zero-Knowledge Oded Goldreich (Weizmann) Amit Sahai (MIT) Salil Vadhan (MIT)
Andrew Lindell Aladdin Knowledge Systems and Bar-Ilan University 04/08/08 CRYP-106 Efficient Fully-Simulatable Oblivious Transfer.
Dominique Unruh Quantum Proofs of Knowledge Dominique Unruh University of Tartu Tartu, April 12, 2012.
Verifiable Threshold Secret Sharing and Full Fair Secure Two-party Computation YE Jian-wei March 7, 2009.
Privacy-Preserving Data Aggregation without Secure Channel: Multivariate Polynomial Evaluation Taeho Jung 1, XuFei Mao 2, Xiang-Yang Li 1, Shao-Jie Tang.
Round-Efficient Multi-Party Computation in Point-to-Point Networks Jonathan Katz Chiu-Yuen Koo University of Maryland.
Universally Composable Authentication and Key-exchange with Global PKI Ran Canetti (TAU and BU) Daniel Shahaf (TAU) Margarita Vald(TAU) PKC2016 Taipei,
Cryptographic methods. Outline  Preliminary Assumptions Public-key encryption  Oblivious Transfer (OT)  Random share based methods  Homomorphic Encryption.
Multi-Party Computation r n parties: P 1,…,P n  P i has input s i  Parties want to compute f(s 1,…,s n ) together  P i doesn’t want any information.
Topic 36: Zero-Knowledge Proofs
The Exact Round Complexity of Secure Computation
Carmit Hazay (Bar-Ilan University, Israel)
6.897: Selected Topics in Cryptography Lectures 7 and 8
TCC 2016-B Composable Security in the Tamper-Proof Hardware Model under Minimal Complexity Carmit Hazay Bar-Ilan University, Israel Antigoni Ourania.
MPC and Verifiable Computation on Committed Data
Course Business I am traveling April 25-May 3rd
Verifiable Oblivious Storage
Cryptography for Quantum Computers
Presentation transcript:

Jointly Restraining Big Brother: Using cryptography to reconcile privacy with data aggregation Ran Canetti IBM Research

Privacy-sensitive interactions The basic problem: Parties want to perform some joint computation while preserving privacy of local data. Examples: Elections Obtaining statistical data on private records, e.g.: –Medical records –Shopping patterns and preferences –Whereabouts and travel patterns of individuals Pooling information from different sources

A general approach for solution: 1.Formalize the required functionality in terms of a “centralized trusted service”. 2.Run a cryptographic protocol that realizes the “centralized trusted service” functionality. –Can use a generic construction (typically inefficient) –Can design more efficient protocols for a given trusted-service.

The “trusted service” solution Assume all parties have “ideally secure channels” to an incorruptible trusted party. The trusted party processes inputs coming from the parties and provides the desired outputs. Note: Trusted party can be reactive: Can get inputs and generate outputs throughout the computation.

Example: Elections Tasks of trusted party: Receives votes, verifies credentials Publicizes tallies, required statistics Revokes privacy of misbehaving individuals …

Example: Medical records Tasks of trusted party: Obtains full records from individuals and doctors Provides full information on records with authorization by individual Provides statistical information on records (possibly limited/perturbed) Allows pooling some information with other depositories …

Challenges (I): Specification design (write the trusted party code): Exactly what is revealed and when? What aggregates are “ok”, what perturbations When to revoke identity, how much to revoke How to resolve disputes … That’s the “non-cryptographic” part. Often hardest… (But can assume a trusted party!)

Challenges (II): Efficiency of the cryptographic solution: –Communication patterns: Are third parties involved? Which parties need to be on-line? –Communication complexity: rounds, bandwidth, etc. –Computational complexity Security of the solution: – Based on what assumptions? –What security properties are guaranteed?

Stand-Alone Security Security is interpreted as “emulating the trusted service solution” [GMW87]: “Whatever damage that can be done to the protocol could have been done to the trusted party solution”. However: The “classic” formalizations of this intuitive notion (e.g. [GL90,MR91,B91,C95,C00]) guarantee security only when a single protocol execution takes place at any time. In contrast, in today’s networks: –Multiple copies of a protocol may be running concurrently –A protocol is run concurrently with other protocols –Parties may be unaware of other executions, protocols, parties. Stand-alone security does not suffice!

Example: Concurrent Zero-Knowledge [F90,DNS98] –Original notion of ZK [GMR85] does not guarantee security when the prover interacts with many verifiers concurrently. –Best known solution: O(log n) rounds [RK99,PRS02] –Lower bound of (log n) rounds (for black-box simulation) [CKPR01] P V VV V …

Example: Malleability of commitments [DDN91] Stand-alone notions do not guarantee “independence” among committed values.

Example: Malleability of commitments [DDN91] Stand-alone notions do not guarantee “independence” among committed values. Commit:P1 P2 A C C’

Example: Malleability of commitments [DDN91] Stand-alone notions do not guarantee “independence” among committed values. Commit:P1 P2 A C C’ Open: P1 P2 A v v+1

How to guarantee security in complex protocol environments? Traditional approach: keep writing more sophisticated definitions, that capture more scenarios… –Ever more complex –No guarantee that “we got it all”. –No general view An alternative approach: –Prove security of a protocol as stand-alone (single execution, no other parties). –Use a general secure composition theorem to deduce security in arbitrary execution environments.

Universally Composable Security [C01] Provides a framework where: 1.Can capture the security requirements of practically any cryptographic task. 2.Can prove a general, “universal composition” theorem that: Guarantees security in arbitrary multi-protocol, multi-execution environments. Enables modular design and analysis of protocols.

The composition operation (Originates with [MR91]) Start with: Protocol F that uses ideal calls to a “trusted party” F Protocol that “emulates” F Construct the composed protocol : Each call to F is replaced with an invocation of. Each value returned from is treated as coming from F. Note: In F parties may call many copies of F.  In many copies of run concurrently.

The composition operation (single call to F) F 

F 

The composition operation (multiple calls to F) F  F F

The universal composition (UC) theorem: Protocol “emulates” protocol F. (That is, for any adversary A there exists an adversary A` such that no Z can tell whether it is interacting with (, A) or with ( F,A`).) Corollary: If F securely realizes functionality G then so does.

Implications of the UC theorem 1.Can design and analyze protocols in a modular way: –Partition a given task T to simpler sub-tasks T 1 …T k –Construct protocols for realizing T 1 …T k. –Construct a protocol for T assuming ideal access to T 1 …T k. –Use the composition theorem to obtain a protocol for T from scratch. (Analogous to subroutine composition for correctness of programs, but with an added security guarantee.)

Implications of the UC theorem 2.Assume protocol “emulates” a trusted service F. Can deduce security of in any multi-execution environment: As far as the “rest of the network” is concerned, interacting with (multiple copies of) is equivalent to interacting with (multiple copies of) F.

Questions: do Are known protocols UC-secure? (Do these protocols “emulate” the trusted services associated with the corresponding tasks?) How to design UC-secure protocols? zcyk02]

Existence results: Honest majority Thm: Can realize any trusted service in a UC way. (e.g. use the protocols of [BGW88, RB89,CFGN96] ). Usages: –All parties actively participate in computation –Use a set of servers to realize the trusted service (secure as long as only a minority is corrupted).

What if there is no honest majority? (e.g., two-party protocols) Known protocols (e.g., [Y86,GMW87] ) do not work. (“black-box simulation with rewinding” cannot be used). Many interesting functionalities (commitment, ZK, coin tossing, etc.) cannot be realized in plain model. In the “common random string model” can do: –UC Commitment, UC Zero-Knowledge [CF01, DDOPS01,CLOS02, DN02, DG03] –Emulate any trusted service [CLOS02]

The [GMW87] paradigm: 1) Construct a protocol secure against semi-honest adversaries (who follow the protocol specification): -Represent the “trusted party code” as a Boolean circuit (state represented as “feedback lines”) -Each party shares its input among all others (using a simple sum scheme) -The parties evaluate the circuit gate by gate. Each gate evaluation needs 1-out-of-4 oblivious transfer between any pair of parties. -Output lines are revealed to the corresponding parties. Shares of “feedback lines” kept. -Works even in the UC model.

The [GMW87] paradigm: 1) F 2) Construct a compiler that transforms protocols secure in the semi-honest model to protocols secure against malicious adversaries.

[GMW87] Protocol Compilation Aim: force the malicious parties to follow the protocol specification. How? –Parties commit to inputs –Parties commit to uniform random tapes (use secure coin-tossing to ensure uniformity) –Parties use zero-knowledge protocols to prove that every message sent is according to the protocol (and consistent with the committed input and random-tape).

Constructing a UC “[ GMW87] compiler” Problem: In [GMW87], both commitment and ZK are not UC. First attempt: Replace commitment and ZK with UC counterparts.

Constructing a UC “[ GMW87] compiler” Problem: In [GMW87], both commitment and ZK are not UC. First attempt: Replace commitment and ZK with UC counterparts. –Doesn’t work… (cannot make ZK proofs on “ideal commitments”)

The “Commit-and-Prove” primitive Define a single primitive where parties can: –Commit to values –Prove “in ZK” statements regarding the committed values Can realize “C&P” in the CRS model (using UC commitment and UC ZK). Given access to ideal “C&P”, can do the [GMW87] compiler without computational assumptions.

To sum up: Can “emulate” any trusted service in a universally composable way, with any number of faults. Main problem: Solution is typically very inefficient (to the point of being unrealistic)…

Application to privacy Any privacy problem that has a “trusted service” solution is solvable in principle. Challenges: –Good specification of the “trusted privacy service.” –More realistic protocols.

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.