470 likes | 580 Views
Cryptography. Lecture 1 2 Stefan Dziembowski www.dziembowski.net stefan@dziembowski.net. Plan. Introduction to multiparty cryptographic protocols. Private Information Retrieval. Traditional scenario. Alice and Bob are attacked by an adversary. Multiparty protocols.
E N D
Cryptography Lecture 12Stefan Dziembowskiwww.dziembowski.net stefan@dziembowski.net
Plan • Introduction to multiparty cryptographic protocols. • Private Information Retrieval
Traditional scenario Alice and Bob are attacked by an adversary.
Multiparty protocols A group of players wants to perform some task together even though they do not trust each other
This is a vast area Examples: • voting • coin-tossing • auctions • .... Today’s lecture: • Private Information Retrieval
AOL search data scandal (2006) #4417749: • clothes for age 60 • 60 single men • best retirement city • jarrett arnold • jack t. arnold • jaylene and jarrett arnold • gwinnett county yellow pages • rescue of older dogs • movies for dogs • sinus infection Thelma Arnold 62-year-old widow Lilburn, Georgia
Observation The owners of databases know a lot about the users! This poses a risk to users’ privacy. E.g. consider database with stock prices… Can we do something about it? Yes, we can: • trust them that they will protect our secrecy, or • use cryptography! problematic problematic!
How can crypto help? Note: this problem has nothing to do with secure communication! database D user U
Our settings secure link database D user U A new primitive: Private Information Retrieval (PIR)
Plan • Definition of PIR • An ideal PIR doesn’t exist • Construction of a computational PIR • Open problems • Literature: • B. Chor, E. Kushilevitz, O. Goldreich and M. Sudan,Private Information Retrieval, Journal of ACM, 1998 • E. Kushilevitz and R. Ostrovsky • Replication Is NOT Needed: SINGLE Database, • Computationally-Private Information Retrieval, FOCS 1997
Question How to protect privacy of queries? database D user U wants to retrieve some data from D shouldn’t learn what U retrieved
Let’s make things simple! ? databaseB: index i = 1,…,w the user should learn Bi each Bi є {0,1} (he may also learn otherBi’s)
Trivial solution The database simply sends everything to the user!
Non-triviality The previous solution has a drawback: the communication complexity is huge! Therefore we introduce the following requirement: “Non-triviality”: the number of bits communicated betweenUand D has to be smaller than w.
correctness secrecy (of the user) non-triviality Private Information Retrieval (PIR) polynomial time randomized interactive algorithms This property needs to be defined more formally! input: input: index i = 1,…,w • at the end the user learns Bi • the database does not learn i • the total communication is < w • Note: secrecy of the database is not required
query Q(i) reply A(Q(i),B) How to define secrecy of the user [1/2]? Def. T(i,B)– transcript of the conversation. i B
How to define secrecy of the user [2/2]? Secrecy of the user: for every i,j є {0,1} ? single-round case: it is impossible to distinguish between Q(i) and Q(j) multi-round case: it is impossible to distinguish between T(i,B) and T(j,B) even if the adversary is malicious • What does it mean? • For now say: • the distribution of Q(i) and Q(j) is the same
PIR doesn’t exists [1/4] We now show that correctness, non-triviality and secrecycannot be satisfied simultaneously. Def: A transcript Tis possiblefor (i,B) if P(T(i,B) = T) > 0 Take some T’,and look where it is possible: databases B indices i
PIR doesn’t exists [2/4] Observation: secrecy→if T’ is possible for someB and i then it is possible forB and all the other i’s databases B indices i
PIR doesn’t exists [3/4] non-triviality→ length(transcript) < length(database) ↓ # transcripts < #databases ↓ there has to exist T’ that is possible for two databases B0 and B1 ← B0 databases B ←B1 indices i
PIR doesn’t exists [4/4] B0 and B1 differ on at least one index i’ So, if i’ is the input of the user then correctness → contradiction i’ ↓ ← B0 databases B ←B1 indices i
So PIR doesn’t exist! • How to bypass the impossibility result? • Two ideas: • limit the computing power of a cheating database • use a larger number of “independent” databases
Computationally-secure PIR secrecy: computational-secrecy: ? For every i,j є {0,1} it is impossible to distinguish efficiently between T(i,B) and T(j,B) Formally: for every polynomial-time probabilistic algorithm A the value: |P(A(T(i,B)) = 0) – P(A(T(j,B))=0)| should be negligible.
Hardness assumptions? [KO97] – construct PIR based on the Quadratic Residuosity Assumption We describe it on the next slides.
Favourite cryptographers’ group p,q – large random primes (|p|=|q|=21024,say) RSA group: Zn*,where n=pq
Chinese remainder theorem Chinese remainder theorem (CRT): For n = pq (where p and q are prime) a function λ: Z*n → Z*p × Z*q defined as λ(i) := (i mod p, i mod q) is an isomorphism.
Example λ(i) := (i mod p, i mod q) Z5* Z15 0 1 2 3 4 0 6 12 3 9 Z3* 10 1 7 13 4 Z15* 5 11 2 8 14
Quadratic Residues Def. x isquadratic residue modulomifthere exists a є Zm* such that x = a2 mod m QR(m) := the set of all quadratic residues modulo m. QNR(m) := Zm* \ QR(n) Z13*: a a2: QR(13): Observation: every quadratic residue modulo 13 has exactly2 square roots, and hence |QR(13)| = |Z13*| / 2.
A Lemma about QRs modulo prime p Lemma: For every prime p we have QR(p) = (p-1)/2 Remark: Letgbe a generator ofZp*. ThenQR(p) = {g0,g2,g4,g6,...,gp-3}. QNR(p) = {g1,g3,g5,g7,...,gp-2}.
QRs modulo pq Z15*: a a2 QR(15): Observation: every quadratic residue modulo 15 has exactly4 square roots, and hence |QR(15)| = |Z15*| / 4.
A Lemma about QRs modulo pq Fact: For n=pq we have |QR(n)| = |Zn*| / 4. Proof: x є QR(n) iff x = a2 mod n, for some a iff (by CRT) x = a2 mod p and x = a2 mod q iff x mod p є QR(p) and x mod q є QR(q) mod p Zn*: QR(p) QR(q) QR(n) mod q
QRs modulo pq – an example 22 mod 5 32 mod 5 12 mod 5 42 mod 5 QR(5) Z15: 0 1 2 3 4 0 6 12 3 9 QR(3) 10 1 7 13 4 5 11 2 8 14 12 mod 3 22 mod 3 QR(5) Z15*
Homomorphism of QR(pq) Q(n,a) = Homomorphism: for all a,bє Zn* Q(n,ab) = Q(n,a) xor Q(n,b) (exercise) 1 if a є QR(n) 0 otherwise
Algorithmic questions about QR • Suppose n=pq • Is it easy to test membership in QR(n)? • Fact: if one knows p and q – yes! • What if one doesn’t know p and q?
Quadratic Residuosity Assumption (QRA) n=pq, where p and q are large primes Note: Zn+is a group! ? a є Zn+ ↓ Zn*: QR(p) QNR(p) • Zn+: • all aє Zn*: such that • a mod p є QR(p) • iff • a mod qє QR(q) QR(q) QR(n) QNR(q) Quadratic Residuosity Assumption (QRA): For a random aєZn+ it is computationally hard to determine if a є QR(n). Formally: for every polynomial-time probabilistic algorithm G the value: |P(G(a) = Q(a)) – 0.5| (where ais random) is negligible.
We are ready to construct PIR! Our PIR will work in the group Zn+, where n=pq. What’s so good about this group?: • testing membership in Zn+ is easy, • testing membership in QR(n) is hard for random elements on Zn+, unless one knowspandq. • homomorphism of Q!
for every j = 1,...,wthe database sets Yj = { Xj2 ifBj = 0 Xjotherwise M First (wrong) idea i i ↓ Yi is a QR iffBi=0 M is a QR iffBi=0 the user checks if M is a QR SetM = Y1· Y2 · ... · Yw
PIR from the previous slide: correctness√ security? To learn i the database would need to distinguish NQR from QR. √ Problems! • non-triviality? doesn’t hold! communication: user → database: |B|· |Z*n| database→ user: |Z*n| Call it: (|B|, 1) - PIR
How to fix it? consider each row as a separate database Idea:Given: construct Suppose that |B|= v2 and present Bas a v×v-matrix:
execute v (v,1)- PIRsin parallel An improved idea v Looks even worse: communication: user → database: v2· |Z*n| database→ user: v·|Z*n| v The method Let j be the column where Biis. In every “row” the user asks for the jth element So, instead of sending v queries the user can send one! Observe: in this way the user learns all the elements in the jth column! j ↓ Bi
for every j = 1,...,vset Yj = { Xj2 ifBj = 0 Xjotherwise Putting things together jth column i kth row here the same row is copied v times: only thiscounts multiply elements in each row Bj=0 iff Mkis QR
So we are done! PIR from the previous slide: • correctness√ • non-triviality:communication complexity = 2√|B|· |Zn| √ • security? The to learn i the database would need to distinguish NQR from QR. Formally: fromany adversary that breaks our schemewe can constructan algorithm that breaks QRA simulates:
(X1,…,Xv) (M1,…,Mv) Improvements database D user U the user is interested just in oneMi. Idea: apply PIR recursively!
Complexity of PIRs – overview of the results their conclusion: It is the time-complexity that matters. In real-life: it is still more practical to transmit the entire database. Communication: • “recursive” PIR of [KO97]: for every c: O(|B|c) • [Cachin, Micali, Stadler, 1999]: poly-logarithmic in |B| • [Lipmaa, 2005]: O(log2|B|) For practical analysis see: • [Sion, Carbunar] On the Computational Practicality of Private Information Retrieval.
Extensions • Symmetric PIR (also protect privacy of the database). [Gertner, Ishai, Kushilevitz, Malkin. 1998] • Searching by key-words [Chor, Gilboa, Naor, 1997] • Public-key encryption with key-word search [Boneh, Di Crescenzo, Ostrovsky, Persiano]
Open problems: • Improve efficiency. • Construct new extensions. What was the key property that we used? homomorphism of QR Holy grail: fully-homomorphic encryption
Fully-homomorphic encryption Observe that we constructed a 1-bit probabilistic public-key encryption scheme: { Enc(X) = Which has the following homomorphic with respect to xor: Enc(X xor Y) = Enc(X) • Enc(Y) It would be really useful to have an encryption scheme homomorphic with respect to: conjunction and negationsimultaneously.