Published by Antony Brooks. Modified over 9 years ago.

This document and the information therein are the property of Morpho. They must not be copied or communicated to a third party without the prior written authorization of Morpho.

SHADE: Secure HAmming DistancE computation from oblivious transfer
Julien Bringer, Hervé Chabanne, Alain Patey
Workshop on Applied Homomorphic Cryptography (WAHC'13) - Apr. 1st, 2013
Work partially funded by the ANR SecuLar project and by the European FP7 FIDELITY project

OUTLINE
- Motivations
  - Secure Biometric Recognition
- Secure Computation of Hamming distances: previous proposals
  - Homomorphic Encryption
  - Garbled Circuits
- SHADE
  - The basic scheme
  - The fully-secure scheme
Alain Patey / 01/04/2013 / WAHC'13

Motivations

BIOMETRIC MATCHING
- Biometrics: images are encoded into feature vectors
- Biometric matching: computation of a similarity measure between two vectors
  - Hamming Distance
  - Euclidean Distance
  - Scalar Product
  - …

EXAMPLE: IRIS
- Iriscodes: 256-byte code + 256-byte mask
- Mask indicates (in)exploitable data: eyelids, eyelashes, blurred pixels…
- Similarity measure between $(X_1, M_1)$ and $(X_2, M_2)$: normalized Hamming distance
  $HD(X_1, X_2) = \frac{|(X_1 \oplus X_2) \cap M_1 \cap M_2|}{|M_1 \cap M_2|}$
John Daugman: How iris recognition works. IEEE Trans. Circuits Syst. Video Techn. (TCSV) 14(1):21-30 (2004)

EXAMPLE: FINGERPRINT
- Binary feature vector fingerprint representation: ~50,000 bit-vectors
- Bits indicate presence/absence of given patterns
- Similarity measure: usual Hamming distance
Bringer, J. and Despiegel, V.: Binary feature vector Fingerprint representation from minutiae vicinities. BTAS'10 (2010)

EXAMPLE: FACE
- Face: SCiFI project
- Approach similar to the approach of the previous slide
- 900-bit vectors (constant 180-bit weight)
- Similarity measure = usual Hamming distance
Margarita Osadchy, Benny Pinkas, Ayman Jarrous, Boaz Moskovich: SCiFI - A System for Secure Face Identification. IEEE Symposium on Security and Privacy 2010:239-254

MOTIVATIONS FOR SECURE BIOMETRIC MATCHING
- Biometric data are
  - extremely sensitive
  - hard to revoke
- But very useful for personal recognition
- Need for protection and usability at the same time ⇒ Secure computation
- Applications
  - 1 vs N identification
  - Intersection of biometric databases
  - Deduplication
  - Anonymous access control
  - …

Secure Hamming Distance Computation: Previous proposals

SETTING
- Parties: Server (S) and Client (C)
- Inputs: binary strings $X = (x_1, \ldots, x_n)$ and $Y = (y_1, \ldots, y_n)$, one per party (e.g. 100110011101 and 110010010101)
- Secure computation output: $d_H(X,Y) = \sum_i (x_i \oplus y_i)$
- Output learned either by C, S or both
- Privacy: one party does not learn information about the other party's input (except the result)

Homomorphic Encryption

XOR-LY/ADDITIVELY HOMOMORPHIC ENCRYPTION
- E = homomorphic cryptosystem
- Goal: compute $E(X \oplus Y)$ (or $E(d_H(X,Y))$) from $E(X)$ and $Y$ (or $E(X)$ and $E(Y)$), where X and Y are strings
- No efficient homomorphic cryptosystem does this directly
  - Goldwasser-Micali: XOR over bits
  - Paillier: addition over integers
- Use of additively homomorphic encryption (Paillier and extensions)
  - $E(X) \cdot E(Y) = E(X + Y)$
  - $E(X)^{Y} = E(X \cdot Y)$

SECURE HAMMING DISTANCE USING HOMOMORPHIC ENCRYPTION
- Client input: $X = (x_1, \ldots, x_n)$, sk, pk
- Server input: $Y = (y_1, \ldots, y_n)$, pk
1. Data encryption (Client): send $E(x_1), \ldots, E(x_n)$ to the Server
2. Computation over encrypted data (Server): for $i = 1..n$, $E(x_i \oplus y_i) = E(x_i)^{1-2y_i} \cdot E(y_i)$; then $E(d_H(X,Y)) = E(\sum_i (x_i \oplus y_i)) = \prod_i E(x_i \oplus y_i)$; send $E(d_H(X,Y))$ to the Client
3. Result decryption (Client): decryption using sk; output $d_H(X,Y)$
Recall: for $x, y \in \{0,1\}$, $x \oplus y = x + y - 2xy$
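
The homomorphic evaluation on this slide can be traced end to end with a toy Paillier instance. This is an added example, not code from the presentation: the function names are hypothetical, and the fixed small primes are an assumption made for illustration and give no security.

```python
import math
import secrets

# Toy Paillier key (assumption: fixed Mersenne primes, far too small for real use).
P, Q = 2**31 - 1, 2**61 - 1
N = P * Q
N2 = N * N
PHI = (P - 1) * (Q - 1)
MU = pow(PHI, -1, N)  # decryption constant for generator g = N + 1

def enc(m):
    """E(m) = (1 + N)^m * r^N mod N^2, with fresh random r coprime to N."""
    r = secrets.randbelow(N - 1) + 1
    while math.gcd(r, N) != 1:
        r = secrets.randbelow(N - 1) + 1
    return (1 + m * N) % N2 * pow(r, N, N2) % N2

def dec(c):
    """D(c) = L(c^PHI mod N^2) * MU mod N, where L(u) = (u - 1) / N."""
    return (pow(c, PHI, N2) - 1) // N * MU % N

def client_encrypt(x_bits):
    """Client (holds sk): send E(x_1), ..., E(x_n)."""
    return [enc(x) for x in x_bits]

def server_evaluate(enc_x, y_bits):
    """Server (holds Y and pk only): return E(dH(X, Y))."""
    acc = enc(0)
    for c, y in zip(enc_x, y_bits):
        # E(x XOR y) = E(x)^(1 - 2y) * E(y); exponent -1 is an inverse mod N^2.
        c_xor = pow(c, 1 - 2 * y, N2) * enc(y) % N2
        acc = acc * c_xor % N2  # multiplying ciphertexts adds plaintexts
    return acc

def secure_hamming_he(x_bits, y_bits):
    """Run both roles in one process and decrypt the result with sk."""
    return dec(server_evaluate(client_encrypt(x_bits), y_bits))

# Constructed sample: the two 12-bit strings shown on the SETTING slide.
X = [int(b) for b in "100110011101"]
Y = [int(b) for b in "110010010101"]
```

Every bit costs one ciphertext and one modular exponentiation, which is the per-bit overhead the summary slide attributes to homomorphic encryption.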

Yao's Protocol

1-OUT-OF-2 OBLIVIOUS TRANSFER
- Sender inputs: strings $X_0$ and $X_1$
- Receiver input: bit $b$
- Receiver output: $X_b$
- Sender output: ∅
- Sender does not learn $b$
- Receiver learns nothing about $X_{1-b}$

GARBLED CIRCUITS
- Garbled circuits: "encrypted" binary circuits
  - Random keys are associated with wires (one pair per wire)
  - Gates are encrypted using these keys
- S creates the garbled circuit: picks random keys and encrypts tables
- C evaluates the garbled circuit
  - Decrypts the garbled tables using one key per input wire
  - Keys corresponding to S's inputs are directly sent to C
  - Keys corresponding to C's inputs are sent using $OT^2_1$'s

YAO'S PROTOCOL
1. Party 1 creates the Garbled Circuit
2. Party 1 → Party 2: Garbled Circuit, labels of P1's inputs
3. Party 1 → Party 2: labels of P2's inputs, using 1-out-of-2 OT's
4. Party 2 evaluates the Garbled Circuit and obtains f(X,Y)
5. (Optional) Party 2 → Party 1: f(X,Y)

IMPLEMENTATION OF YAO'S PROTOCOL
- Garbling can be implemented using symmetric cryptography
- Optimizations:
  - free XOR gates
  - 25% gate reduction
- $OT^2_1$'s can also be implemented using symmetric cryptography
  - After some preprocessing involving public-key cryptography
- Implementations are available
  - Fairplay, TASTY, Secure Computation Framework…

SUMMARY
- Additively homomorphic encryption
  - Bits are encrypted separately (ciphertexts are at least 2048 bits long)
  - Homomorphic operations are costly
  - Ciphertexts can be re-used (for another instance of the protocol or another functionality)
- Yao's protocol
  - Mostly symmetric cryptography
  - Garbled circuits are not reusable
- Using Yao's protocol for secure Hamming distance computation gives better performance than homomorphic encryption
Yan Huang, David Evans, Jonathan Katz, Lior Malka: Faster Secure Two-Party Computation Using Garbled Circuits. USENIX Security Symposium 2011

SHADE

TOWARDS SHADE
- Garbled Circuits are big, even for the simple Hamming distance circuit
  - e.g. >120 KB bandwidth required for 2048-bit Hamming distance
- When using Yao's protocol, the sender's inputs to the OT's are independent of the actual inputs X and Y
- Ideas:
  - Get rid of garbled circuits
  - Adapt the inputs of the OT's such that
    1. they are linked to the sender's bit-string
    2. the output of the i-th OT is linked to $x_i \oplus y_i$
- Input of the server: $(r_i + x_i,\ r_i + (1 - x_i))$
- Input of the client: $y_i$
- Output of the client: $r_i + (x_i \oplus y_i)$

PROTOCOL
- Server: $X = (x_1, \ldots, x_n)$
- Client: $Y = (y_1, \ldots, y_n)$
1. Server: select random $r_1, \ldots, r_n$
2. For $i = 1, \ldots, n$: oblivious transfer $OT^2_1$
   - Server input: $(r_i + x_i,\ r_i + (x_i \oplus 1))$; Server output: ∅
   - Client input: $y_i$; Client output: $t_i = r_i + (x_i \oplus y_i)$
3. Server: compute $R = \sum_i r_i$. Client: compute $T = \sum_i t_i$ $(= R + HD(X,Y))$
4. 1st option: the Server sends $R$. 2nd option: the Client sends $T$.
5. Output: $T - R = HD(X,Y)$

REMARKS
- Overall cost: n OT's
- Privacy ensured in the semi-honest model
- Extension to several $d_H(X, Y_j)$ at the same time
  - Biometric 1 vs N identification
- Applicable to any function of the form:
  - $F(X,Y) = \sum_i \lambda_i f_i(x_i, y_i)$
  - $F(X,Y) = \prod_i f(x_i, y_i)$
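
The basic SHADE protocol, and the sum form $F(X,Y) = \sum_i \lambda_i f_i(x_i, y_i)$ from the remarks, can be simulated with an ideal OT in place of a real one. This is an added example, not the authors' implementation: `ideal_ot`, `server_ot_inputs` and `run_shade` are hypothetical names, and the modulus (sum of weights plus one, for non-negative integer weights and a single f with values in {0,1}) is an assumption, since the slides do not state the ring the masks live in.

```python
import secrets

def ideal_ot(sender_pair, choice_bit):
    """Ideal 1-out-of-2 OT (stand-in for a real OT protocol): the receiver
    gets sender_pair[choice_bit]; the sender gets no output."""
    return sender_pair[choice_bit]

def xor(x, y):
    return x ^ y

def server_ot_inputs(x_bits, weights, f, modulus):
    """Server: draw masks r_i and build the pair offered in the i-th OT.
    For f = xor and weight 1 this is (r_i + x_i, r_i + (1 - x_i))."""
    masks = [secrets.randbelow(modulus) for _ in x_bits]
    pairs = [((r + w * f(x, 0)) % modulus, (r + w * f(x, 1)) % modulus)
             for r, x, w in zip(masks, x_bits, weights)]
    return masks, pairs

def run_shade(x_bits, y_bits, f=xor, weights=None):
    """Semi-honest run for F(X, Y) = sum_i w_i * f(x_i, y_i)."""
    if len(x_bits) != len(y_bits):
        raise ValueError("inputs must have the same length")
    weights = weights or [1] * len(x_bits)
    modulus = sum(weights) + 1              # assumption: smallest ring holding F
    masks, pairs = server_ot_inputs(x_bits, weights, f, modulus)
    # Client: one OT per position with choice bit y_i; each t_i is a
    # uniformly masked value, so it reveals nothing about x_i on its own.
    t = [ideal_ot(pair, y) for pair, y in zip(pairs, y_bits)]
    R = sum(masks) % modulus                # server side
    T = sum(t) % modulus                    # client side
    return {"masks": masks, "t": t, "R": R, "T": T,
            "result": (T - R) % modulus}    # 1st option: client learns T - R

# Constructed sample: the two 12-bit strings shown on the SETTING slide.
X = [int(b) for b in "100110011101"]
Y = [int(b) for b in "110010010101"]
```

Passing `f=lambda x, y: x & y` with integer weights evaluates a weighted scalar product over the same n OT's.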

COMPARISON TO PREVIOUS SOLUTIONS
After preprocessing, including optimizations
(Comparison table with columns HE, Yao, SHADE)

COMPUTATION TIME
- Comparison to Yao's protocol
- For 900 bits:
  - HE: ~310 ms
  - Yao: ~20 ms
  - SHADE: ~8 ms

SHADE
The fully-secure scheme (security against malicious adversaries)

COMMITTED OBLIVIOUS TRANSFER
- Sender inputs: strings $X_0$ and $X_1$; random values $r_0, r_1$
- Receiver inputs: bit $b$; random value $r$
- Common inputs: $Com(X_0, r_0)$; $Com(X_1, r_1)$; $Com(b, r)$
- Receiver output: $X_b$; random value $u$
- Sender output: ∅
- Common output: $Com(X_b, u)$
Kiraz, M.S., Schoenmakers, B., Villegas, J.: Efficient committed oblivious transfer of bit strings. In: ISC. (2007)

HOMOMORPHIC COMMITMENT
- Additively homomorphic commitment: $Com(x_1, r_1) \cdot Com(x_2, r_2) = Com(x_1 + x_2,\ r_1 + r_2)$
- Zero-knowledge proofs:
  - Proof that a commitment c commits to either $x_1$ or $x_2$
    - Here: proof that the committed value is a bit (0 or 1)
  - Proof that two committed values differ by 1
- Instantiation using the Paillier or ElGamal cryptosystem

FULLY SECURE SCHEME – 1ST STEP: COMMITMENT AND PROOFS OF CONSISTENCY
- Server: $X = (x_1, \ldots, x_n)$
- Client: $Y = (y_1, \ldots, y_n)$
Client:
- Pick random values $\chi_1, \ldots, \chi_n$
- Compute and publish $Com(y_i, \chi_i)$, $i = 1 \ldots n$
- Prove that the committed values are bits
Server:
- Pick random values $\alpha_1, \ldots, \alpha_n, \beta_1, \ldots, \beta_n, r_1, \ldots, r_n$
- Compute and publish, for $i = 1 \ldots n$: $A_i = Com(r_i + x_i, \alpha_i)$ and $B_i = Com(r_i + (1 - x_i), \beta_i)$
- Prove that the committed values differ by 1
State after this step:
- Common: $A_i = Com(a_i, \alpha_i)$; $B_i = Com(b_i, \beta_i)$; $Com(y_i, \chi_i)$
- Server: $x_i$; $r_i$; $a_i = r_i + x_i$; $b_i = r_i + (1 - x_i)$; $\alpha_i$; $\beta_i$
- Client: $y_i$; $\chi_i$

FULLY SECURE SCHEME – 2ND STEP: COMMITTED OBLIVIOUS TRANSFERS
State before this step:
- Common: $A_i = Com(a_i, \alpha_i)$; $B_i = Com(b_i, \beta_i)$; $Com(y_i, \chi_i)$
- Server: $x_i$; $r_i$; $a_i = r_i + x_i$; $b_i = r_i + (1 - x_i)$; $\alpha_i$; $\beta_i$
- Client: $y_i$; $\chi_i$
n committed oblivious transfers:
- Output: $t_i = r_i + (x_i \oplus y_i)$; random values i
- Common output: C i = Com(t i, i )

FULLY SECURE SCHEME – 3RD STEP: HAMMING DISTANCE COMPUTATION (1ST OPTION)
State before this step:
- Common: $A_i = Com(a_i, \alpha_i)$; $B_i = Com(b_i, \beta_i)$; C i = Com(t i, i )
- Server: $r_i$; $a_i = r_i + x_i$; $b_i = r_i + (1 - x_i)$; $\alpha_i$; $\beta_i$
- Client: $t_i = r_i + (x_i \oplus y_i)$; i
Server:
- Compute $R = r_1 + \ldots + r_n$
- Compute $K = Com(2R + n,\ \sum_i (\alpha_i + \beta_i))$
- Send $R$ + proof that $K$ commits to $2R + n$
Client:
- Compute $T = t_1 + \ldots + t_n$
- Compute $K = A_1 \cdots A_n B_1 \cdots B_n$
- Check the proof
- Output $T - R = d_H(X,Y)$
Same mechanisms for the 2nd option

CONCLUSION
- Most efficient secure Hamming distance computation in the semi-honest model
  - Applicable to any linear combination of bit-wise independent functions
  - Non-reusable, like garbled circuits and unlike homomorphic encryption
- Adaptation to the malicious model
  - Using additive homomorphic encryption and zero-knowledge
- Applications to secure image/signal processing
  - In particular, biometric identification