Presentation is loading. Please wait.

Presentation is loading. Please wait.

Collaborative, Privacy-Preserving Data Aggregation at Scale

Published byAbraham Waters Modified over 6 years ago

Similar presentations

Presentation on theme: "Collaborative, Privacy-Preserving Data Aggregation at Scale"— Presentation transcript:

1 Collaborative, Privacy-Preserving Data Aggregation at Scale
Michael J. Freedman Princeton University Joint work with: Benny Applebaum, Haakon Ringberg, Matthew Caesar, and Jennifer Rexford

2 Problem: Network Anomaly Detection

3 Collaborative anomaly detection
Some attacks look like normal traffic e.g., SQL-injection, application-level DoS [Srivatsa TWEB ‘08] Is it a DDoS attack or a flash crowd? [Jung WWW ‘02] I’m not sure about Beasty! I’m not sure about Beasty! Google I’m not sure about Beasty! Yahoo! Bing

4 Collaborative anomaly detection
Targets (victims) could correlate attacks/attackers [Katti IMC ’05], [Allman Hotnets ‘06], [Kannan SRUTI ‘06], [Moore INFOC ‘03] “Fool us once, shame on you. Fool us N times, shame on us.” Google Yahoo! Bing

5 Problem: Network Anomaly Detection
Solution: Aggregate suspect IPs from many ISPs Flag those IPs that appear > threshold τ Also known as “heavy hitter” or “iceberg” detection problem.

6 Problem: Distributed Ranking
Solution: Collect domain statistics from many users Aggregate data by domain

7 Problem: … Solution: Aggregate (id, data) from many sources
Analyze data grouped by id

8 What inputs are submitted? Who submitted what?
But what about privacy? What inputs are submitted? Who submitted what?

9 Data Aggregation Problem
Many participants, each with (key, value) observation Goal: Aggregate observations by key Key Values k1 ( va, vb ) k2 ( vi, vj, vk ) kn ( vx ) A A A

10 Data Aggregation Problem
Many participants, each with (key, value) observation Goal: Aggregate observations by key Key Values k1 ( va, vb ) k2 ( vi, vj, vk ) kn ( vx ) F ( A ) F ( A ) F ( A ) PDA: Only release the value column CR-PDA: Plus keys whose values satisfy some func

11 Data Aggregation Problem
Many participants, each with (key, value) observation Goal: Aggregate observations by key Key Values k1 ( 1, 1 ) k2 ( 1, 1, 1 ) kn ( 1 ) ≥ τ ? Σ ≥ τ ? Σ ≥ τ ? Σ PDA: Only release the value column CR-PDA: Plus keys whose values satisfy some func

12 Goals Keyword privacy: No party learns anything about keys
Participant privacy: No party learns who submitted what Efficiency: Scale to many participants, each with many inputs Flexibility: Support variety of computations over values Lack of coordination: No synchrony required, individuals cannot prevent progress All participants need not be online at same time

13 Potential solutions Decentralized Yes Yes Very Poor Yes No
Approach Keyword Privacy Participant Efficiency Flexibility Lack of Coord Garbled Circuit Evaluation Multiparty Set Intersection Yes Yes Very Poor Yes No Decentralized Yes Yes Poor No No

14 Security Efficiency Weaken security assumptions?
Assume honest but curious participants? Assume no collusion among malicious participants? In large/open setting, easy to operate multiple nodes (so-called “Sybil attack”)

15 Towards Centralization?
DB Participants

16 Potential solutions Yes Yes Very Poor Yes No Decentralized
Approach Keyword Privacy Participant Efficiency Flexibility Lack of Coord Garbled Circuit Evaluation Multiparty Set Intersection Hashing Inputs Network Anonymization Yes Yes Very Poor Yes No Decentralized Yes Yes Poor No No No No Very Good Yes Yes Centralized No Yes Very Good Yes Yes

17 Towards semi-centralization
Proxy DB Assumption: Proxy and DB do not collude Participants

18 Potential solutions Yes Yes Very Poor Yes No Decentralized
Approach Keyword Privacy Participant Efficiency Flexibility Lack of Coord Garbled Circuit Evaluation Multiparty Set Intersection Hashing Inputs Network Anonymization This Work Yes Yes Very Poor Yes No Decentralized Yes Yes Poor No No No No Very Good Yes Yes Centralized No Yes Very Good Yes Yes Yes Yes Good Yes Yes

19 Privacy Guarantees Privacy of PDA against malicious entities and participants Malicious participant may collude with either malicious proxy or DB, but not both May violate correctness in almost arbitrary ways Privacy of CR-PDA against honest-but-curious entities and malicious participants

20 PDA Strawman #0 k Participant Proxy DB Client sends input k

21 Violates keyword privacy
PDA Strawman #1 EDB(k) EDB(k) Participant Proxy DB k # 1 9 Client sends encrypted input k Proxy batches and retransmits DB decrypts input ds Violates keyword privacy

22 Still violates keyword privacy: IPs drawn from small domains
PDA Strawman #2 EDB( H (k) ) EDB( H (k) ) Participant Proxy DB H (k) # H( ) 1 H( ) 9 Client sends hashes of k Proxy batches and retransmits DB decrypts input ds Still violates keyword privacy: IPs drawn from small domains

23 5. Proxy recovers k from EPRX(k)
PDA Strawman #3 EDB( Fs (k) ) EDB( Fs (k) ) Secret s Participant Proxy DB Fs (k) # Fs( ) 1 Fs( ) 9 Client sends keyed hashes of k Keyed hash function (PRF) Key s known only by proxy But how do clients learn Fs (IP)) ? 5. Proxy recovers k from EPRX(k)

24 Our Basic PDA Protocol OPRF Client sends keyed hashes of k
Fs (k) EDB( Fs (k) ) EDB( Fs (k) ) OPRF Secret s Participant Proxy DB Fs (k) # Fs( ) 1 Fs( ) 9 Client sends keyed hashes of k Fs(x) learned by client through Oblivious PRF protocol Proxy batches and retransmits keyed hash DB decrypts input

25 Basic CR-PDA Protocol Fs (k) EDB( Fs (k) ) retransmits EDB(EPRX (k))
Secret s EPRX (k) Participant Proxy DB Fs (k) # Enc’d k Fs( ) 1 EPRX( ) Fs( ) 9 EPRX( ) Fs (k) # Fs( ) 1 Fs( ) 9 Client sends keyed hashes of k, and encrypted k for recovery Proxy retransmits keyed hash DB decrypts input Identify rows to release and transmit EPRX (k) to proxy Proxy decrypts k and releases

26 Privacy Properties Fs (k) EDB( Fs (k) ) retransmits EDB(EPRX (k))
Secret s EPRX (k) Participant Proxy DB Keyword privacy: Nothing learned about unreleased keys Participant privacy: Key  Participant not learned Any coalition of HBC participants HBC coalition of proxy and participants HBC database

27 Privacy Properties Fs (k) EDB( Fs (k) ) retransmits EDB(EPRX (k))
Secret s EPRX (k) Participant Proxy DB Keyword privacy: Nothing learned about unreleased keys Participant privacy: Key  Participant not learned Any coalition of HBC participants HBC coalition of proxy and participants HBC database malicious participants HBC coalition of DB and participants

28 More Robust PDA Protocol
Fs (k) EDB( Fs (k) ) EDB(EPRX (k)) retransmits Secret s EPRX (k) Participant Proxy DB ORPF  Encrypted OPRF Protocol Ciphertext re-randomization by proxy Proof by participant that submitted k’s match Any coalition of HBC participants HBC coalition of proxy and participants HBC database malicious participants HBC coalition of DB and participants

29 Encrypted-OPRF protocol
Problem: in basic OPRF protocol, participant learns Fs(k) Encrypted-OPRF protocol: Client learns blinded Fs(k) Client encrypts to DB Proxy can unblind Fs(k) “under the encryption” ( ) r -1 Enc ( ) ( ) r Fs(k) (π si) ki=1 El Gamal g mod p

30 Encrypted-OPRF protocol
Problem: in basic OPRF protocol, participant learns Fs(k) Encrypted-OPRF protocol Client learns blinded Fs(k) Client encrypts to DB Proxy can unblind Fs(k) “under the encryption” OPRF runs OT protocol for each bit of input k OT protocols expensive, so use batch OT protocol [Ishai et al] ( ) r -1 Enc ( ) ( ) r Fs(k)

31 Scalable Protocol Architecture
Participants Proxy Decryption Oracles Client-Facing Proxies Front-End DB Tier Back-End DB Storage Share secret s Share DB key Partition Fs keyspace Share PRX key

32 Evaluation Scalable architecture implemented
Basic CR-PDA / PDA protocol + and encrypted-OPRF protocol w/ Batch OT ~5000 lines of threaded C++, GnuPG for crypto Testbed of 2 GHz Linux machines Algorithm Parameter Value RSA / ElGamal key size 1024 bits Oblivious Transfer k 80 AES 256 bits

33 Throughput vs. participant batch size
Single CPU core for DB and proxy each

34 Maximum throughput per server
Four CPU cores for DB and proxy (each)

35 Throughput scalability
Number CPU cores per DB and proxy (each)

36 Summary Privacy-Preserving Data Aggregation protects:
Participants: Do not reveal who submitted what Keywords: Only reveal values / released keys Novel composition of crypto primitives Based on assumption that 2+ known parties don’t collude Efficient implementation of architecture Scales linearly with computing resources Ex: Millions of suspected IPs in hours Of independent interest… Introduced encrypted OPRF protocol First implementation/validation of Batch OT protocol

Download ppt "Collaborative, Privacy-Preserving Data Aggregation at Scale"

Similar presentations

Quid-Pro-Quo-tocols Strengthening Semi-Honest Protocols with Dual Execution Yan Huang 1, Jonathan Katz 2, David Evans 1 1. University of Virginia 2. University.

Quid-Pro-Quo-tocols Strengthening Semi-Honest Protocols with Dual Execution Yan Huang 1, Jonathan Katz 2, David Evans 1 1. University of Virginia 2. University.
Gate Evaluation Secret Sharing and Secure Two-Party Computation Vladimir Kolesnikov University of Toronto

Gate Evaluation Secret Sharing and Secure Two-Party Computation Vladimir Kolesnikov University of Toronto
Secure Evaluation of Multivariate Polynomials

Secure Evaluation of Multivariate Polynomials
Oblivious Branching Program Evaluation

Oblivious Branching Program Evaluation
P2P data retrieval DHT (Distributed Hash Tables) Partially based on Hellerstein’s presentation at VLDB2004.

P2P data retrieval DHT (Distributed Hash Tables) Partially based on Hellerstein’s presentation at VLDB2004.
Efficient Information Retrieval for Ranked Queries in Cost-Effective Cloud Environments Presenter: Qin Liu a,b Joint work with Chiu C. Tan b, Jie Wu b,

Efficient Information Retrieval for Ranked Queries in Cost-Effective Cloud Environments Presenter: Qin Liu a,b Joint work with Chiu C. Tan b, Jie Wu b,
Implementing Oblivious Transfer Using a Collection of Dense Trapdoor Permutations Iftach Haitner www.wisdom.weizmann.ac.il/~iftachh WEIZMANN INSTITUTE.

Implementing Oblivious Transfer Using a Collection of Dense Trapdoor Permutations Iftach Haitner WEIZMANN INSTITUTE.
SPORC: Group Collaboration using Untrusted Cloud Resources Ariel J. Feldman, William P. Zeller, Michael J. Freedman, Edward W. Felten Published in OSDI’2010.

SPORC: Group Collaboration using Untrusted Cloud Resources Ariel J. Feldman, William P. Zeller, Michael J. Freedman, Edward W. Felten Published in OSDI’2010.
ITIS 6200/8200. 2 Secure multiparty computation – Alice has x, Bob has y, we want to calculate f(x, y) without disclosing the values – We can only do.

ITIS 6200/ Secure multiparty computation – Alice has x, Bob has y, we want to calculate f(x, y) without disclosing the values – We can only do.
Rational Oblivious Transfer KARTIK NAYAK, XIONG FAN.

Rational Oblivious Transfer KARTIK NAYAK, XIONG FAN.
CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.

CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.
1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.

1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.
Introduction to Modern Cryptography, Lecture 12 Secure Multi-Party Computation.

Introduction to Modern Cryptography, Lecture 12 Secure Multi-Party Computation.
Lect. 18: Cryptographic Protocols. 2 1.Cryptographic Protocols 2.Special Signatures 3.Secret Sharing and Threshold Cryptography 4.Zero-knowledge Proofs.

Lect. 18: Cryptographic Protocols. 2 1.Cryptographic Protocols 2.Special Signatures 3.Secret Sharing and Threshold Cryptography 4.Zero-knowledge Proofs.
Efficient Private Techniques for Verifying Social Proximity Michael J. Freedman and Antonio Nicolosi Discussion by: A. Ziad Hatahet.

Efficient Private Techniques for Verifying Social Proximity Michael J. Freedman and Antonio Nicolosi Discussion by: A. Ziad Hatahet.
Reusable Anonymous Return Channels

Reusable Anonymous Return Channels
Yan Huang, Jonathan Katz, David Evans University of Maryland, University of Virginia Efficient Secure Two-Party Computation Using Symmetric Cut-and-Choose.

Yan Huang, Jonathan Katz, David Evans University of Maryland, University of Virginia Efficient Secure Two-Party Computation Using Symmetric Cut-and-Choose.
CSCE 715 Ankur Jain 11/16/2010. Introduction Design Goals Framework SDT Protocol Achievements of Goals Overhead of SDT Conclusion.

CSCE 715 Ankur Jain 11/16/2010. Introduction Design Goals Framework SDT Protocol Achievements of Goals Overhead of SDT Conclusion.
Building a Peer-to-Peer Anonymizing Network Layer Michael J. Freedman NYU Dept of Computer Science Public Design Workshop September 13,

Building a Peer-to-Peer Anonymizing Network Layer Michael J. Freedman NYU Dept of Computer Science Public Design Workshop September 13,
An architecture for Privacy Preserving Mining of Client Information Jaideep Vaidya Purdue University This is joint work with Murat.

An architecture for Privacy Preserving Mining of Client Information Jaideep Vaidya Purdue University This is joint work with Murat.

Similar presentations

Ads by Google