Published by Claire Templeton. Modified over 11 years ago.
1 Cryptography: on the Hope for Privacy in a Digital World
Omer Reingold, Weizmann and Harvard CRCS
2 So, is there Hope for Privacy?
No! Privacy is doomed! Enjoy your sandwiches …
: Is this what we invited you for?
On second thought, the digital world gives new hope for privacy!
– Selling digital goods (w/ Bill Aiello and Yuval Ishai)
– Keyword database search (w/ Mike Freedman, Yuval Ishai, and Benny Pinkas)
3 Day to Day Breaches of Privacy
When/how can it be better?
4 Anonymity?
Alice Bob
And Betty, when you call me, you can call me Al! I can call you Betty, Call me Al......
Not in this Talk!
5 Selling Digital Goods
How good are digital goods?
– Entertainment: TV, music, video, books, software
– Business: news, stock quotes, patents, layoff rumors
– Research: papers, research databases, clip-art
What's special about digital goods?
– Typically of unlimited supply (easy to duplicate).
– Easy to communicate and manipulate
Main goal: protect the privacy of clients
– What
– When
– How much
– (But not who)
6 Example
Vendor Buyer, Key of Encrypted Individually
7 Oblivious Transfer (OT) [R], 1-out-of-N [EGL]:
– Input: Vendor: $x_1, x_2, \dots, x_n$; Buyer: $1 \le j \le n$
– Output: Vendor: nothing; Buyer: $x_j$
– Privacy: Vendor: learns nothing about $j$; Buyer: learns nothing about $x_i$ for $i \ne j$
– Not necessarily two messages
– Related notions: Private Information Retrieval [CGKS] / Symmetrically-Private Information Retrieval [GIKM]
[Figure labels: $x_1, x_2, x_3, x_4, \dots, x_n$; $j$; $x_j$]
8 Priced OT [AIR]
Vendor, Buyer
– Initial payment \$$b_0$; set $b = b_0$
– Prices: $p_1, p_2, \dots, p_n$
– Items: $k_1, k_2, \dots, k_n$
[Diagram labels: $i$; $k_i$; $b \leftarrow b - p_i$]
$k_0$, $p_0 = 0$,
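9 Comparison with E-cash [Cha85,CFN88,...]
E-cash vs. Priced OT:
– Payment: digital (E-cash); any (Priced OT)
– Goods: any (E-cash); digital (Priced OT)
– Hides: who (E-cash); what + (Priced OT)
– Access to goods: anonymous (E-cash); any (Priced OT)
[Diagram labels: Buyer, Vendor]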
10 General Perspective
Priced OT is an instance of secure two-party computation.
Theoretical plausibility results are known [Yao,GMW].
However: General solutions are costly (computation, bandwidth, rounds).
A major endeavor in cryptography: Identifying interesting specific problems and suggesting more efficient solutions.
11 Tool: Homomorphic Encryption
Plaintexts from $(G,+)$
– $E(a), E(b) \to E(a+b)$
– $E(a), c \to E(c \cdot a)$
– $|G|$ large prime
Can use either additive $G = Z_P$ or multiplicative $G \subseteq Z_P^*$.
In particular, can use El-Gamal.
12 Conditional Disclosure of Secrets [GIKM,AIR]
Honest Buyer: $V(q)$ = True
How to protect against a malicious Buyer?
– Method 1: Buyer proves in ZK that $V(q)$ = True;
– Method 2: Vendor discloses $a$ subject to the condition $V(q)$ = True.
Notation: $\mathrm{CDS}(a ; V(q))$
[Diagram labels: Buyer; Vendor; $(sk,pk)$; $E(q), pk$; $a$; $E(a)$; $E(\mathrm{CDS}(a ; V(q)))$]
13 Conditional Disclosure of Secrets - Implementation
$a, q, i \in G$
$\mathrm{CDS}(a ; q=i)$ : $a + r(q-i)$, $r \in_R \{1, \dots, |G|\}$
E is homomorphic - $E(\mathrm{CDS}(a ; V(q)))$ can be computed from $E(q)$
Information-theoretic security for Vendor (hides $a$).
Need to verify validity of pk; Easy for El-Gamal!
[Diagram labels: Buyer; Vendor; $(sk,pk)$; $E(q), pk$; $a$; $E(\mathrm{CDS}(a ; V(q)))$]
14 Application: 1-Round OT * [AIR,NP]
[Diagram labels: Buyer; Vendor; $(sk,pk)$; $q$; $x_1, x_2, \dots, x_n$; $E(q), pk$; $E(\mathrm{CDS}(x_1 ; q=1)), \dots, E(\mathrm{CDS}(x_n ; q=n))$]
* Weakened / incomparable notion of security vs. simulation:
– Vendor's security: purely information-theoretic
– Buyer's security: privacy only.
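The CDS construction of slide 13 and the 1-round OT of slide 14, worked through with multiplicative El-Gamal as an added example (not code from the talk). Assumptions of this sketch: a toy safe prime, $a + r(q-i)$ written multiplicatively as $a \cdot (q/i)^r$, index $j$ sent as $g^j$, items mapped into the group of squares, and all function names.

```python
import secrets

# Toy group, constructed for this example and far too small for real use:
# P = 2Q + 1 is a safe prime, G = squares mod P has prime order Q, g generates G.
P, Q, g = 2039, 1019, 4

def in_group(z):                      # membership test the Vendor runs on pk and E(q)
    return 0 < z < P and pow(z, Q, P) == 1

def encode(m):                        # 1..Q -> G: exactly one of m, P-m is a square
    return m if in_group(m) else P - m

def decode(y):
    return y if y <= Q else P - y

def keygen():
    sk = secrets.randbelow(Q - 1) + 1
    return sk, pow(g, sk, P)

def enc(pk, m):                       # El-Gamal: (g^k, m * pk^k)
    k = secrets.randbelow(Q - 1) + 1
    return pow(g, k, P), m * pow(pk, k, P) % P

def dec(sk, c):
    return c[1] * pow(c[0], -sk, P) % P

def cds(pk, c_q, i, a):
    """Vendor: E(a * (q/i)^r) from E(q); q, i, a are group elements."""
    r = secrets.randbelow(Q) + 1      # r in {1, ..., |G|}, as on the slide
    u = pow(c_q[0], r, P)             # (u, v) = E((q/i)^r), computed without sk
    v = pow(c_q[1] * pow(i, -1, P), r, P)
    m = enc(pk, a)                    # fresh encryption of a re-randomizes the result
    return u * m[0] % P, v * m[1] % P

def ot_query(j):                      # Buyer: index j is sent as E(g^j)
    sk, pk = keygen()
    return sk, pk, enc(pk, pow(g, j, P))

def ot_answer(pk, c_q, items):        # Vendor: E(CDS(x_i ; q = i)) for every i
    if not all(in_group(z) for z in (pk, *c_q)):
        raise ValueError("pk or E(q) is not in the group")
    return [cds(pk, c_q, pow(g, i, P), encode(x))
            for i, x in enumerate(items, 1)]

def ot_open(sk, j, answer):           # Buyer: only slot j decrypts to an item
    return decode(dec(sk, answer[j - 1]))
```

Because $|G|$ is prime, $q/i$ generates $G$ whenever $q \ne i$, so every slot other than the queried one decrypts to a uniformly random group element.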
15 Database Search
OT/PIR/SPIR allow one to privately retrieve the $i$-th entry of a database.
Efficiency depends linearly (at least) on the size of the database.
Sometimes this is not enough. For example, consider a list of fraudulent card numbers. A merchant wants to check if a particular number is in the list.
Use OT/PIR?
– Table of $10^{16} \approx 2^{53}$ entries, 1 if fraudulent, 0 otherwise?
Works on supporting more general database search.
16 Keyword Search (KS): definition
Input:
– Server: database $X = \{(x_i, p_i)\}$, $1 \le i \le N$; $x_i$ is a keyword (e.g. number of a corrupt card), $p_i$ is the payload (e.g. why card is corrupt)
– Client: search word $w$ (e.g. credit card number)
Output:
– Server: nothing
– Client: $p_i$ if $\exists i : x_i = w$, otherwise nothing
[Diagram labels: Server: $(x_1,p_1), (x_2,p_2), \dots, (x_n,p_n)$; Client: $w$; Client output: $(x_j,p_j)$ iff $w = x_j$]
17 Conclusions
Our expectation of privacy in the digital world should not be bounded to our physical world experiences.
The ability to duplicate, manipulate and communicate digital information is key.
Very powerful cryptographic tool in the form of secure function evaluation.
Research on efficient instantiations, possibly with some security relaxations.