CS573 Data Privacy and Security. Cryptographic Primitives and Secure Multiparty Computation. Li Xiong

Transcription

1 CS573 Data Privacy and Security Cryptographic Primitives and Secure Multiparty Computation Li Xiong

2 Outline Cryptographic primitives Symmetric Encryption Public Key Encryption Secure Multiparty Computation Problem and security definitions General constructions Specialized protocols

3 Basic notation Plaintext (m): the original message Ciphertext (c): the coded message Secret key (k): info used in cipher known only to sender/receiver Encryption function E k (m): performs substitutions/ transformations on plaintext Decryption function D k (c): inverse of encryption algorithm Efficiency: functions E K and D K should have efficient algorithms Consistency: Decrypting the ciphertext yields the plaintext D K (E K (m)) = m

4 Operational model of encryption m plaintext E E k (m) ciphertext D D k (E k (m)) = m k encryption key attacker k decryption key 4 Kerckhoff s assumption: attacker knows E and D attacker doesn t know the (decryption) key attacker s goal: to systematically recover plaintext from ciphertext to deduce the (decryption) key attack models: ciphertext-only (COA) known-plaintext (KPA) (adaptive) chosen-plaintext (CPA) (adaptive) chosen-ciphertext (CCA)

5 Symmetric Encryption or conventional / secret-key / single-key sender and recipient share a common key Scenario: Alice wants to send a message (plaintext P) to Bob The communication channel is insecure and can be eavesdropped If Alice and Bob have previously agreed on a symmetric encryption scheme and a secret key K, the message can be sent encrypted (ciphertext C)

6 Symmetric Key Cryptography K A-B K A-B plaintext message, m encryption algorithm ciphertext decryption plaintext algorithm c=k A-B (m) K (m) m = K ( ) A-B A-B symmetric key crypto: Bob and Alice share the same (symmetric) key: K A-B

7 Outline Cryptographic primitives Symmetric Encryption Public Key Encryption Secure Multiparty Computations Problem and security definitions General constructions

8 Private-Key Cryptography traditional private/secret/single key cryptography uses one key Sender and receiver must share the same key needs secure channel for key distribution impossible for two parties having no prior relationship if this key is disclosed communications are compromised also is symmetric, parties are equal hence does not protect sender from receiver forging a message & claiming is sent by sender

9 Public-Key Cryptography uses two keys a public & a private key asymmetric since parties are not equal complements rather than replaces private key crypto neither more secure than private key (security depends on the key size for both) nor do they replace private key schemes (they are too slow to do so)

10 Public-Key Cryptography public-key/two-key/asymmetric cryptography involves the use of two keys: a public-key, which may be known by anybody, and can be used to encrypt messages, and verify signatures a private-key, known only to the recipient, used to decrypt messages, and sign (create) signatures Encryption: c = E pk (m) Decryption: m = D sk (c) is asymmetric because those who encrypt messages or verify signatures cannot decrypt messages or create signatures

11 Public-Key Cryptography

12 Public-Key Characteristics Public-Key algorithms rely on two keys with the characteristics that it is: computationally infeasible to find decryption key knowing only algorithm & encryption key computationally easy to en/decrypt messages when the relevant (en/decrypt) key is known either of the two related keys can be used for encryption, with the other used for decryption (in some schemes) Many can encrypt, only one can decrypt

13 RSA (Rivest, Shamir, Adleman, 1978) basis intractability of integer factoring Setup: select p, q large primes n = pq, ф(n)= (p-1)(q-1) select e relatively prime to ф(n) compute d such that ed mod ф(n) = 1 Keys: public key: K E = (n,e) private key: K D = d Encryption: Plaintext m c = m e mod n Decryption: Example: Setup: p =7, q=17 n = 7*17 = 119 ф(n) = 6 *16 = 96 e= 5 d= 77 Keys: public key: K E = (119, 5) private key: K D = 77 Encryption: m = 19 c = 19 5 mod 119 = 66 Decryption: m= c d 13 mod n m= mod 119 = 19

14 Outline Cryptographic primitives Symmetric Encryption Public Key Encryption Secure Multiparty Computations Problem and security definitions General constructions

15 Motivation General framework for describing computation between parties who do not trust each other Example: elections N parties, each one has a Yes or No vote Goal: determine whether the majority voted Yes, but no voter should learn how other people voted Example: auctions Each bidder makes an offer Offer should be committing! (can t change it later) Goal: determine whose offer won without revealing losing offers slide 15

16 More Examples Example: distributed computation/data mining/machine learning Two companies want to perform computation/learning over their datasets without revealing them Compute the intersection of two lists of names Distributed learning Example: private queries on secure database Evaluate a query on the database without revealing the query to the database owner and without revealing data to the querier Many variations slide 16

17 Secure Multiparty Computation A set of parties with private inputs wish to compute some joint function of their inputs. Parties wish to preserve some security properties. e.g., privacy and correctness. Security must be preserved in the face of adversarial behavior by some of the participants, or by an external party.

18 Yao s Millionaire Problem Two millionaires, Alice and Bob, who are interested in knowing which of them is richer without revealing their actual wealth. This problem is analogous to a more general problem where there are two numbers a and b and the goal is to solve the inequality without revealing the actual values of a and b.

19 How to Define Security? Must be mathematically rigorous Must capture all realistic attacks that a malicious participant may try to stage Should be abstract Based on the desired functionality of the protocol, not a specific protocol Goal: define security for an entire class of protocols slide 20

20 Functionality K mutually distrustful parties want to jointly carry out some task Model this task as a function f: ({0,1}*) K ({0,1}*) K K inputs (one per party); each input is a bitstring K outputs Assume that this functionality is computable in probabilistic polynomial time slide 22

21 Defining Security The real/ideal model paradigm for defining security [GMW,GL,Be,MR,Ca]: Ideal model: parties send inputs to a trusted party, who computes the function for them Real model: parties run a real protocol with no trusted help A protocol is secure if any attack on a real protocol can be carried out in the ideal model

22 Ideal Model Intuitively, we want the protocol to behave as if a trusted third party collected the parties inputs and computed the desired functionality Computation in the ideal model is secure by definition! x 1 x 2 A f 1 (x 1,x 2 ) f 2 (x 1,x 2 ) B slide 24

23 More Formally A protocol is secure if it emulates an ideal setting where the parties hand their inputs to a trusted party, who locally computes the desired outputs and hands them back to the parties [Goldreich-Micali-Wigderson 1987] x 1 x 2 A f 1 (x 1,x 2 ) f 2 (x 1,x 2 ) B slide 25

24 Real world No trusted third party Participants run some protocol amongst themselves without any help Despite that, secure protocol should emulate an ideal setting. Real protocol that is run by the participants is secure if no adversary can do more harm in real execution than an execution that takes place in the ideal world

25 Adversary Models Some of protocol participants may be corrupt If all were honest, would not need secure multi-party computation Semi-honest (aka passive; honest-but-curious) Follows protocol, but tries to learn more from received messages than he would learn in the ideal model Malicious Deviates from the protocol in arbitrary ways, lies about his inputs, may quit at any point For now, we will focus on semi-honest adversaries and two-party protocols slide 27

26 Properties of the Definition How do we argue that the real protocol emulates the ideal protocol? Correctness All honest participants should receive the correct result of evaluating function f Because a trusted third party would compute f correctly Privacy All corrupt participants should learn no more from the protocol than what they would learn in ideal model What does corrupt participant learn in ideal model? His input (obviously) and the result of evaluating f slide 28

27 Simulation Corrupt participant s view of the protocol = record of messages sent and received In the ideal world, view consists simply of his input and the result of evaluating f How to argue that real protocol does not leak more useful information than ideal-world view? Key idea: simulation If real-world view (i.e., messages received in the real protocol) can be simulated with access only to the idealworld view, then real-world protocol is secure Simulation must be indistinguishable from real view slide 29

28 Security proof tools Real/ideal model: the real model can be simulated in the ideal model Key idea Show that whatever can be computed by a party participating in the protocol can be computed based on its input and output only polynomial time S such that {S(x,f(x,y))} {View(x,y)}

29 Security proof tools Composition theorem if a protocol is secure in the hybrid model where the protocol uses a trusted party that computes the (sub) functionalities, and we replace the calls to the trusted party by calls to secure protocols, then the resulting protocol is secure Prove that component protocols are secure, then prove that the combined protocol is secure

30 Outline Secure multiparty computation Defining security General constructions

31 General Constructions Yao s Garbled circuit protocol Use Oblivious transfer for securely selecting a value Represent function as an arithmetic circuit with addition and multiplication gates From passively-secure protocols to activelysecure protocols Use zero-knowledge proofs to force parties to behave in a way consistent with the passivelysecure protocol

32 1-out-of-2 Oblivious Transfer (OT) 1-out-of-2 Oblivious Transfer (OT) Inputs Sender has two messages m 0 and m 1 Receiver has a single bit {0,1} Outputs Sender receives nothing Receiver obtain m and learns nothing of m 1-

33 Oblivious Transfer (OT) Fundamental MPC primitive 1-out-of-2 Oblivious Transfer (OT) [Rabin 1981] m 0, m 1 = 0 or 1 S m R S inputs two bits, R inputs the index of one of S s bits R learns his chosen bit, S learns nothing S does not learn which bit R has chosen; R does not learn the value of the bit that he did not choose slide 35

34 Semi-Honest OT Let (G,E,D) be a public-key encryption scheme G is a key-generation algorithm (pk,sk) G Encryption: c = E pk (m) Decryption: m = D sk (c) Assume that a public-key can be sampled without knowledge of its secret key: Oblivious key generation: pk OG El-Gamal encryption has this property

35 Semi-Honest OT Protocol for Oblivious Transfer Receiver (with input ): Receiver chooses one key-pair (pk,sk) and one public-key pk (oblivious of secret-key). Receiver sets pk = pk, pk 1- = pk Note: receiver can decrypt for pk but not for pk 1- Receiver sends pk 0,pk 1 to sender Sender (with input m 0,m 1 ): Sends to receiver c 0 =E pk0 (m 0 ), c 1 =E pk1 (m 1 ) Receiver: Decrypts c using sk and obtains m.

36 Security Proof Intuition: Sender s view consists only of two public keys pk 0 and pk 1. Therefore, it doesn t learn anything about that value of. The receiver only knows one secret-key and so can only learn one message Note: this assumes semi-honest behavior. A malicious receiver can choose two keys together with their secret keys.

37 Generalization Can define 1-out-of-k oblivious transfer Protocol remains the same: Choose k-1 public keys for which the secret key is unknown Choose 1 public-key and secret-key pair

38 Yao s Protocol Compute any function securely in the semi-honest model First, convert the function into a boolean circuit AND Alice s inputs AND NOT Bob s inputs AND OR OR x z AND y Truth table: z x y z x y z OR Truth table: x y slide 40

39 1: Pick Random Keys For Each Wire Next, evaluate one gate securely Later, generalize to the entire circuit Alice picks two random keys for each wire One key corresponds to 0, the other to 1 6 keys in total for a gate with 2 input wires k 0z, k 1z z Alice x AND y Bob k 0x, k 1x k 0y, k 1y slide 41

40 2: Encrypt Truth Table Alice encrypts each row of the truth table by encrypting the output-wire key with the corresponding pair of input-wire keys z k 0z, k 1z Alice x AND y Bob k 0x, k 1x Original truth table: k 0y, k 1y x y z Encrypted truth table: E k 0x (E k0y (k 0z)) E k 0x (E k1y (k 0z)) E k 1x (E k0y (k 0z)) E k 1x (E k1y (k 1z)) slide 42

41 3: Send Garbled Truth Table Alice randomly permutes ( garbles ) encrypted truth table and sends it to Bob Alice k 0z, k 1z x z AND y Does not know which row of garbled table corresponds to which row of original table Bob E (E k 0x k0y (k 0z)) E (E k 0x k1y (k 0z)) E (E k 1x k0y (k 0z)) E (E k 1x k1y (k 1z)) k 0x, k 1x k 0y, k 1y Garbled truth table: E (E k 1x k0y (k 0z)) E (E k 0x k1y (k 0z)) E (E k 1x k1y (k 1z)) E (E k 0x k0y (k 0z)) slide 43

42 4: Send Keys For Alice s Inputs Alice sends the key corresponding to her input bit Keys are random, so Bob does not learn what this bit is Alice k 0z, k 1z k 0x, k 1x k 0y, k 1y x z AND y Bob Learns K b x where b is Alice s input bit, but not b (why?) Garbled truth table: E (E k 1x E (E k0y (k 0z)) k 0x k1y (k 0z)) E (E k 1x E (E k1y (k 1z)) k 0x k0y (k 0z)) If Alice s bit is 1, she simply sends k 1x to Bob; if 0, she sends k 0x slide 44

43 5: Use OT on Keys for Bob s Input Alice and Bob run oblivious transfer protocol Alice s input is the two keys corresponding to Bob s wire Bob s input into OT is simply his 1-bit input on that wire Alice k 0z, k 1z x z AND y Bob Knows K b x where b is Alice s input bit and K by where b is his own input bit k 0x, k 1x k 0y, k 1y Garbled truth table: E (E k 1x E (E k0y (k 0z)) k 0x k1y (k 0z)) E (E k 1x E (E k1y (k 1z)) k 0x k0y (k 0z)) Run oblivious transfer Alice s input: k 0y, k 1y Bob s input: his bit b Bob learns k by What does Alice learn? slide 45

44 6: Evaluate Garbled Gate Using the two keys that he learned, Bob decrypts exactly one of the output-wire keys Bob does not learn if this key corresponds to 0 or 1 Why is this important? Alice k 0z, k 1z k 0x, k 1x k 0y, k 1y x z AND y Garbled truth table: Bob Knows K b x where b is Alice s input bit and K by where b is his own input bit E (E k 1x E (E k0y (k 0z)) k 0x k1y (k 0z)) E (E k 1x E (E k1y (k 1z)) k 0x k0y (k 0z)) Suppose b =0, b=1 This is the only row Bob can decrypt. He learns K 0z slide 46

45 7: Evaluate Entire Circuit In this way, Bob evaluates entire garbled circuit For each wire in the circuit, Bob learns only one key It corresponds to 0 or 1 (Bob does not know which) Therefore, Bob does not learn intermediate values (why?) AND Alice s inputs AND NOT Bob s inputs AND OR OR Bob tells Alice the key for the final output wire and she tells him if it corresponds to 0 or 1 Bob does not tell her intermediate wire keys (why?) slide 47

46 Summary GMW paradigm: First, construct a protocol for semi-honest adv. Then, compile it so that it is secure also against malicious adversaries There are different ways to construct secure protocols Garbled circuit Secret sharing Homomorphic encryption Efficient protocols against semi-honest adversaries are far easier to obtain than for malicious adversaries.

47 Slides credits Tutorial on secure multi-party computation, Lindell Introduction to secure multi-party computation, Vitaly Shmatikov, UT Austin Introduction to Cryptography, Yehuda Lindell, Bar Ilan University, IL Information Security Management, UTC