CloSer WP2: Privacy-Enhancing Technologies
Jian Liu, Sara Ramezanian
Overview
- Seek to understand how user privacy is impacted by cloud-assisted security services.
- Develop a suite of privacy-enhancing technologies for ensuring the privacy of end-user, customer, and organizational data in WP1 and other scenarios.
Overview of CloSer PETs
1. Oblivious Neural Networks
2. Private Membership Test
3. Private Graph Search
Oblivious Neural Networks
Oblivious Neural Networks (ONN)
Cloud-based prediction services are increasingly popular, but they risk privacy: clients need to disclose potentially sensitive input data to the server.
Our solution, OMaxNets, allows a neural network model to be made privacy-preserving:
- the server learns nothing about the clients' input;
- the clients learn nothing about the model.
More general and significantly faster than the state of the art.
Oblivious Neural Networks (ONN)
Applicable scenarios:
- Android app reputation assessment (cf. F-Secure usage scenario)
- Fake base station detection (cf. Nokia usage scenario)
- Website reputation (cf. F-Secure usage scenario)
Machine learning as a service (MLaaS)
[Diagram: the client sends its input to the server's model and receives predictions back]
Risk: violates the clients' privacy.
Running predictions on the client side
[Diagram: the model is shipped to clients, which run predictions locally]
Risks:
- difficult to update the model
- competitors may steal the model
- attackers can exploit the model to circumvent security applications
- the model may reveal training data
State of the art: CryptoNets
[Diagram: the client sends an encrypted input; the server's model returns encrypted predictions]
Drawbacks:
- high overhead (297.5 s and 372 MB per prediction) due to fully homomorphic encryption
- only toy activation functions (low-degree polynomials)
Our approach
[Diagram: the client sends an encrypted input; client and server run oblivious protocols over the model; the client receives encrypted predictions]
Benefits:
- Low overhead: additively homomorphic encryption + secure two-party computation
- Generic: supports ReLU and max pooling

Model      Latency (s)   Message size (MB)   Accuracy (%)
MNIST      3.86          38.58               97.88
NORB       16.08         114.28              91.62
CIFAR-10   755.90        542.60              81.61

Poster and demo this afternoon.
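The secure two-party computation ingredient can be illustrated with additive secret sharing: a linear layer can be evaluated by each party locally on its own shares, with no interaction. This is a minimal sketch, not the CloSer protocol; it assumes for simplicity that both parties know the weights, and it omits the oblivious sub-protocols needed for the non-linear layers (ReLU, max pooling).

```python
import random

MOD = 2**32  # all arithmetic happens in a fixed modular ring

def share(x):
    """Split x into two additive shares; each share alone reveals nothing about x."""
    r = random.randrange(MOD)
    return r, (x - r) % MOD  # (client share, server share)

def linear_layer(weights, shares):
    """A party evaluates the linear layer locally on its own shares."""
    return sum(w * s for w, s in zip(weights, shares)) % MOD

x = [5, 12, 7]   # client's private input
w = [3, 1, 2]    # model weights (assumed public in this toy example)

client_sh, server_sh = zip(*(share(v) for v in x))
y_client = linear_layer(w, client_sh)
y_server = linear_layer(w, server_sh)

# Recombining the two output shares yields the true dot product w . x = 41.
print((y_client + y_server) % MOD)   # 41
```

The key point is that sharing and recombination are cheap; only the non-linear steps require interaction between client and server.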
Private Membership Test
Private membership test
The problem: how to preserve end-user privacy when querying cloud-hosted databases?
[Diagram: the user sends a query q to the lookup server, which holds the set {x_1, ..., x_n} and returns an answer c]
Private membership test
Applicable scenarios:
- Android app reputation assessment (cf. F-Secure usage scenario)
- Fake base station detection (cf. Nokia usage scenario)
- Website reputation (cf. F-Secure usage scenario)
Private Membership Test with Trusted Hardware
Trusted Execution Environments (TEEs) are ubiquitous: ARM TrustZone, Intel SGX, ...
Can TEEs provide a practical solution for the private membership test?
Carousel approach
[Diagram: the dictionary provider encodes its dictionary X into a representation Y inside the lookup server's TEE (trusted application), while the untrusted application runs in the REE; mobile device A sends a query q = h(apk) over a secure channel established with remote attestation; queries wait in a query buffer, the carousel cycles Y past them, and each response r = (q ∈ Y) is returned to the user via the response buffer]
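The carousel idea can be sketched in a few lines: buffered queries are answered by streaming the entire encoded dictionary past them in one pass, so the work done inside the TEE is the same regardless of which items are queried. A toy sketch in plain Python (no real TEE, encoding, or secure channel):

```python
def carousel_lookup(dictionary, query_buffer):
    """Answer all buffered queries with one full pass over the dictionary."""
    hits = {q: False for q in query_buffer}
    for entry in dictionary:        # the carousel: every entry cycles past the buffer
        for q in query_buffer:      # constant work per entry, independent of matches
            if q == entry:
                hits[q] = True
    return hits

responses = carousel_lookup(["h1", "h2", "h3", "h4"], ["h3", "h9"])
print(responses)   # {'h3': True, 'h9': False}
```

Because every query waits for one full rotation, latency is bounded by the carousel period, which is what the steady-state measurements on the next slide quantify.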
Performance: steady-state query arrival
[Plots: query arrival rate vs. latency, with breakdown points, for Kinibi on ARM TrustZone and for Intel SGX]
Received an Honorable Mention in the best paper competition at ACM ASIACCS 2017, Abu Dhabi, UAE.
Poster this afternoon.
Private Membership Test with Crypto (1)
[Diagram: the server holds items x_1, ..., x_n, encrypted under a key k as E(x_1), ..., E(x_n) and mapped by hash functions {H_i} into a bit array; the user obtains E(q) for its query q via a blind signature and tests membership against the bit array without revealing q]
Part 2: Private Membership Test with Cryptographic Protocols
Bloom Filter and Cuckoo Filter
- Bloom filters and Cuckoo filters are probabilistic, space-efficient data structures.
- They are used to test whether an item is a member of a set.
- A query on these filters may result in a false positive, but never a false negative.
- Suitable for storing big databases compactly.
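As a concrete illustration, here is a minimal Bloom filter with made-up parameters (not the implementation used in the protocol): each item sets k bit positions derived from salted SHA-256 digests, and a lookup reports "possibly present" only if all k bits are set.

```python
import hashlib

class BloomFilter:
    """Minimal Bloom filter: false positives possible, false negatives never."""

    def __init__(self, m_bits=1024, k_hashes=4):
        self.m, self.k = m_bits, k_hashes
        self.bits = [0] * m_bits

    def _positions(self, item: str):
        # Derive k positions from SHA-256 with k different salts.
        for i in range(self.k):
            digest = hashlib.sha256(f"{i}:{item}".encode()).digest()
            yield int.from_bytes(digest[:8], "big") % self.m

    def add(self, item: str):
        for pos in self._positions(item):
            self.bits[pos] = 1

    def __contains__(self, item: str):
        return all(self.bits[pos] for pos in self._positions(item))

bf = BloomFilter()
for fp in ["mal-1", "mal-2", "mal-3"]:   # hypothetical malware fingerprints
    bf.add(fp)
print("mal-2" in bf)   # True
print("clean" in bf)   # False (with overwhelming probability)
```

The false-positive rate is tuned via the bit-array size m and hash count k, which is why a filter can represent a large database far more compactly than the database itself.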
Private Membership Test with Homomorphic Encryption
Server:
- Divides its database into 2^(2a) different subsets.
- Inserts each subset into a Bloom/Cuckoo filter.
- Divides each filter into b fragments.
- Arranges b matrices of size 2^a × 2^a with the fragments of the filters as elements.

Sara Ramezanian, Tommi Meskanen, Masoud Naderpour, Valtteri Niemi. Private Membership Test Protocols with Low Communication Complexity.
Private Membership Test with Homomorphic Encryption
The client encrypts the indices of the item x as one-hot vectors (α_i) and (β_j), and sends these vectors to the server:
α_1 = E(1), α_2 = E(0), α_3 = E(0), ..., α_{2^a} = E(0)
β_1 = E(0), β_2 = E(1), β_3 = E(0), ..., β_{2^a} = E(0)
Private Membership Test with Homomorphic Encryption
- Homomorphic encryption allows the server to search in the matrix without knowledge of the client's private key.
- The server sends the result to the client, who decrypts it.
- Outcome: the client retrieves a Bloom/Cuckoo filter and can now query the item x through this filter locally.
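A minimal sketch of the homomorphic selection step, using a toy Paillier cryptosystem with tiny, insecure parameters (the protocol's actual scheme and parameters may differ; only the row selection with (α_i) is shown, and the matrix entries are made up): the server combines the client's encrypted one-hot vector with its plaintext matrix and returns the encrypted selected row, without ever learning the index.

```python
import math
import random

# Toy Paillier: additively homomorphic, tiny parameters, illustration only.
P, Q = 10007, 10009
N = P * Q
N2 = N * N
LAM = math.lcm(P - 1, Q - 1)
MU = pow(LAM, -1, N)          # valid because we use the generator g = N + 1

def enc(m):
    r = random.randrange(2, N)
    while math.gcd(r, N) != 1:
        r = random.randrange(2, N)
    return (1 + m * N) * pow(r, N, N2) % N2   # E(m) = (1+N)^m * r^N mod N^2

def dec(c):
    return ((pow(c, LAM, N2) - 1) // N) * MU % N

# Client: encrypted one-hot vector (alpha_i) selecting row 2.
row = 2
alpha = [enc(1 if i == row else 0) for i in range(4)]

# Server: plaintext matrix of filter fragments (made-up values).
M = [[1, 0, 1, 0],
     [0, 1, 1, 0],
     [1, 1, 0, 1],
     [0, 0, 0, 1]]

# Server: for each column j, compute E(sum_i alpha_i * M[i][j]) homomorphically.
selected = []
for j in range(4):
    acc = enc(0)
    for i in range(4):
        acc = acc * pow(alpha[i], M[i][j], N2) % N2   # E(a) * E(b)^w = E(a + w*b)
    selected.append(acc)

# Client decrypts the reply: exactly row 2, while the server learned nothing.
print([dec(c) for c in selected])   # [1, 1, 0, 1]
```

The same trick applied with (β_j) along the other dimension narrows the reply down to a single filter fragment, which keeps the communication logarithmic in the matrix size.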
Privacy-Preserving Anti-malware Services
Scenario:
- A server holds a database of 2^21 malware fingerprints; the database is approximately 40 MB.
- A client wants to check whether a file is clean, without revealing the file to the server.
Anti-malware Services with PMT Protocols
Communication complexity:
- The client sends 8 KB of data to the server.
- The server sends 16 KB of data to the client.
Time complexity:
- The client spends 1.8 s to generate (α_i) and (β_j).
- The server spends 0.9 s to calculate the result.
The execution time depends on the processor used; we measured on an x86-64 Intel Core i5 clocked at 2.7 GHz with a 4 MB L3 cache.
Poster and demo this afternoon.
Private graph search
- Two lists of triplets: (user, host, fingerprint) and (fingerprint, user, host).
- These define trust relations between users on different hosts.
- This database can be illustrated as a directed graph.
[Diagram: (user, host) nodes connected via fingerprints]
Private graph search
- What kind of paths can be found in the graph?
- We would like to use a cloud that is not allowed to know the graph.
- An entity should be able to query the cloud about whether there is a path from A to B in the graph.
- Nobody else should learn the answer (not the cloud, not the graph owner).
Trust Relations Between Users
[Diagram: trust edges between (user, host) pairs]
Graph of User-Host Pairs
[Diagram: a directed graph over the (user, host) nodes A, B, C, D, E, F]
Transitive Closure Graph of User-Host Pairs
[Diagram: the same graph over A-F with all transitively reachable edges added]
Transitive Closure Graph of Fingerprints
The same process can be done for fingerprints.
[Diagram: transitive closure of the fingerprint graph]
Transitive Closure Matrix of User-Host Pairs

      A  B  C  D  E  F
  A   1  1  1  0  0  0
  B   0  1  1  0  0  0
  C   0  0  1  0  0  0
  D   0  0  1  1  1  1
  E   0  0  0  0  1  1
  F   0  0  0  0  0  1

[Diagram: the corresponding graph over nodes A-F]
Queries on Transitive Closure
1) Encrypted graph matrix (*)
There are three parties: the owner of the graph, the querier, and the cloud.
(*) Meskanen, T., Liu, J., Ramezanian, S., & Niemi, V. (2015, August). Private membership test for Bloom filters. In Trustcom/BigDataSE/ISPA.
Conclusion
- Oblivious neural networks for privacy-preserving predictions (poster / demo)
- Two private membership test schemes for privacy-preserving malware checking:
  - crypto-based solution: poster / demo / paper (under submission)
  - hardware-security-based solution: poster / paper (ASIACCS '17)
- Private graph search for cloud-assisted trust relation databases