
Computational Privacy



Presentation Transcript


  1. Computational Privacy

  2. Overview
  • Goal: allow n-private computation of arbitrary functions.
  • Impossible in the information-theoretic setting.
  • Computational setting:
    • Adversary and simulator are bounded to probabilistic polynomial time.
    • REAL and IDEAL need only be computationally indistinguishable.
    • This relaxes information-theoretic privacy (bounded-simulator variant).
  • Main theorem: every functionality can be computed with computational n-privacy (under standard cryptographic assumptions).
  • It is enough to show a computationally n-private protocol for MSADD, where ADD is additive secret sharing over GF(2).
  • The theorem also holds with insecure channels.

  3. Security Parameter
  • In a computational setting, all participants receive a security parameter k.
    • Players, adversary, and simulator run in time poly(k).
    • Security is defined with respect to k: informally, no environment running in time poly(k) can distinguish REAL from IDEAL, except with an advantage that vanishes faster than any inverse polynomial in k.
  • Convention: make k implicit in the input length.
    • The input domain X consists of all n-tuples of strings of equal length.
    • Security parameter: $k = |x_i|$.
    • Every (partial) functionality $f:(\{0,1\}^*)^n \to \{0,1\}$ can be augmented into a (partial) functionality $f'$ defined over X via input padding.
    • To effectively achieve security level k, players pad their inputs to length k (if needed).
    • Note: an upper bound on the input length must be assumed to be public.
  • Alternative convention: players and adversaries receive k as an additional input; all algorithms are efficient in k.

  4. Distribution Ensembles
  • Given an infinite index set X, $\{D(x)\}_{x \in X}$ denotes a distribution ensemble: a family of distributions over $\{0,1\}^*$ indexed by X.
    • Sometimes written D(x), or simply D, when X is understood from the context.
  • Typical choices of X:
    • $X = \mathbb{N}$ (natural numbers)
    • X = n-tuples of strings of equal length (input vectors)
  • With each index $x \in X$ associate a length |x|:
    • if $x \in \mathbb{N}$, let |x| = x;
    • if x is an n-tuple of k-bit strings, let |x| = kn.
  • D(x) is typically distributed over $\{0,1\}^{p(|x|)}$ for some polynomial p.

  5. Notions of Closeness
  • Def. A function $\varepsilon : \mathbb{N} \to [0,1]$ is negligible if, for every constant c > 0, $\varepsilon(k) = o(1/k^c)$.
    • Equivalently: for every c > 0 there is $k_0$ such that for every $k > k_0$, $\varepsilon(k) < 1/k^c$.
    • Note: neg · poly = neg (a negligible function times a polynomial is still negligible).
  • Def. Let D(x), D'(x) be distribution ensembles. We say that D, D' are:
    • perfectly indistinguishable (denoted $D \equiv D'$) if $D(x) \equiv D'(x)$ for every x;
    • statistically indistinguishable (denoted $D \approx_s D'$) if for every function (distinguisher) Z there is a negligible function $\varepsilon(k)$ such that for every x:
      $|\Pr[Z(D(x))=1] - \Pr[Z(D'(x))=1]| < \varepsilon(|x|)$;
    • computationally indistinguishable (denoted $D \approx_c D'$) if for every efficient distinguisher Z and poly-size advice sequence $(a_k)_{k \in \mathbb{N}}$, there is a negligible function $\varepsilon(k)$ such that for every x:
      $|\Pr[Z(D(x), a_{|x|})=1] - \Pr[Z(D'(x), a_{|x|})=1]| < \varepsilon(|x|)$.
    • The advice makes the distinguisher non-uniform, which is stronger than uniform randomized; this is equivalent to distinguishing with poly-size circuits.

  6. Security Definition Revisited
  • We say that the protocol $\pi$ securely computes the functionality f (w.r.t. a given class of adversaries) if for every adversary A there is a simulator S such that:
    • $\mathrm{REAL}_{\pi,A}(x) \equiv \mathrm{IDEAL}_{f,S}(x)$: perfect security (time(S) ≤ poly(time(A)));
    • $\mathrm{REAL}_{\pi,A}(x) \approx_s \mathrm{IDEAL}_{f,S}(x)$: statistical security (time(S) ≤ poly(time(A)));
    • $\mathrm{REAL}_{\pi,A}(x) \approx_c \mathrm{IDEAL}_{f,S}(x)$: computational security (time(A), time(S) ≤ poly(|x|)).

  7. Main Theorem
  • Thm. Every efficiently computable functionality f admits a computationally n-private protocol.
  • Proof outline:
    • Define a simple 2-party OT functionality and realize it by a computationally private protocol.
    • Obtain a perfect n-private reduction from MSADD to OT.
    • Using a computational variant of the composition theorem, obtain a computationally n-private protocol for MSADD.
    • Use the circuit-based protocol we have seen for reducing f to MSADD:
      • f restricted to inputs of length k can be computed by an arithmetic circuit C of size poly(k) over F = GF(2).
    • Use the composition theorem once again to obtain a computationally n-private protocol for f.

  8. Composition Theorem
  • Computationally private reduction from f to g:
    • Inputs of oracle calls to g are as long as the original inputs.
    • Allow g to have fewer than n arguments:
      • The high-level protocol $\pi_{f|g}$ specifies which player is assigned to each input of g.
      • Can be emulated via a "universal" functionality.
  • Thm. Let $\pi_{f|g}$ be a computationally t-private reduction from f to g and $\pi_g$ a computationally t-private protocol for g. Then the protocol $\pi_f$ obtained from $\pi_{f|g}$ by substituting each call to g with a call to $\pi_g$ is a computationally t-private protocol for f.

  9. Composition (contd.)
  [Figure: the hybrid argument. REAL = $(\pi_{f|g}, \pi_g)$ $\approx_c$ hybrid = $(\pi_{f|g}, S_g)$ $\approx_c$ IDEAL = $(S_{f|g}, S_g)$.]
  • Fact: computational indistinguishability is robust under multiple samples.
    • If $D \approx_c D'$ then for every efficient oracle algorithm Z and poly-size advice sequence $(a_k)_{k \in \mathbb{N}}$, there is a negligible function $\varepsilon(k)$ such that for every k:
      $|\Pr[Z^{D}(a_k)=1] - \Pr[Z^{D'}(a_k)=1]| < \varepsilon(k)$.
    • Proof via a hybrid argument.
  • Proof of the theorem: consider the hybrid in which $\pi_{f|g}$ is run but every call to g is answered by $S_g$ instead of $\pi_g$.
    • REAL $\approx_c$ hybrid: otherwise $\pi_{f|g}$ can be used to distinguish $\pi_g$ from $S_g$.
    • Hybrid $\approx_c$ IDEAL: otherwise $S_g$ can be used to distinguish $\pi_{f|g}$ from $S_{f|g}$.
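The multiple-sample fact, carried through the hybrid argument the slide names. This derivation is added here and is not on the slides; the sample count m, the hybrids $H_i$ and the single-sample distinguisher $Z'$ are notation introduced for it.

Let Z receive $m = \mathrm{poly}(k)$ samples. For $0 \le i \le m$ define the hybrid

$$
H_i = \big(D^{(1)}, \dots, D^{(i)},\; D'^{(i+1)}, \dots, D'^{(m)}\big),
$$

so that $H_m$ is m independent samples of D and $H_0$ is m independent samples of $D'$. By the triangle inequality,

$$
\big|\Pr[Z(H_m, a_k)=1] - \Pr[Z(H_0, a_k)=1]\big| \;\le\; \sum_{i=1}^{m} \big|\Pr[Z(H_i, a_k)=1] - \Pr[Z(H_{i-1}, a_k)=1]\big|.
$$

$H_i$ and $H_{i-1}$ differ only in the i-th sample. Choose, for each k, the index $i^*$ that maximizes the i-th term, and let

$$
Z'(y, a'_k) = Z\big(D^{(1)}, \dots, D^{(i^*-1)},\; y,\; D'^{(i^*+1)}, \dots, D'^{(m)};\; a_k\big),
$$

where $i^*$, the other $m-1$ samples and $a_k$ are hardwired into the advice $a'_k$ (this is where non-uniformity is used: D and $D'$ need not be efficiently samplable, so a uniform $Z'$ could not generate them itself). $Z'$ is an efficient single-sample distinguisher, so by $D \approx_c D'$ its advantage is below some negligible $\varepsilon(k)$, and the largest term is that advantage. Hence

$$
\big|\Pr[Z(H_m, a_k)=1] - \Pr[Z(H_0, a_k)=1]\big| < m \cdot \varepsilon(k),
$$

which is negligible because neg · poly = neg (slide 5).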

  10. Oblivious Transfer
  • Def. Oblivious Transfer is a (computationally, 1-)private protocol for the following 2-party functionality:
    $\mathrm{OT}((d_0, d_1), s) = (\bot, d_s)$
    • Player $P_1$ is called the Sender and $P_2$ the Receiver.
    • By default $d_0, d_1, s$ are bits; may be generalized to longer strings or multiple selections.
    • In the literature, OT often requires security against active adversaries.
  • OT can be privately reduced to the following simpler functionality:
    $\text{Naïve-OT}(d, s) = (\bot, d \cdot s)$
    (the Receiver learns d if s = 1, and 0 otherwise).
    • To implement OT, call Naïve-OT on inputs $(d_1, s)$ and $(d_0, 1-s)$; the Receiver adds its two outputs, $d_1 s + d_0 (1-s) = d_s$ (arithmetic in GF(2)).

  11. Public-Key Encryption
  • Def. A public-key encryption scheme is a triple of efficient probabilistic algorithms (G, E, D) such that:
    • $G(1^k)$ outputs a pair of keys (pk, sk).
    • Correctness: for b = 0, 1, if E(pk, b) outputs c then D(sk, c) outputs b.
    • Secrecy: $E_0(k) \approx_c E_1(k)$, where $E_b(k)$ is the distribution of (pk, E(pk, b)) with pk taken from $G(1^k)$.
  • Generalizations:
    • Larger message domain (e.g., strings of length k).
    • Allow negligible error probability.

  12. Example: Goldwasser-Micali PKE
  • G picks a pair of random k-bit primes p, q and lets N = pq, pk = N, sk = p.
  • Encryption: E(pk, b) outputs $c = r^2 v^b \bmod N$, where $r \in_R \mathbb{Z}_N^*$ and v is a non-square modulo both p and q (v, or a rule for deriving it from N, must be part of the public key, since the encryptor needs it).
  • Decryption: D(sk, c) uses the factorization of N to decide whether c is a square modulo N; since v is a non-square modulo p, it suffices to test whether c is a square modulo p. Output 0 if it is, 1 otherwise.
  • Security holds under the Quadratic Residuosity Assumption.

  13. Randomizable PKE
  • Def. A public-key encryption scheme (G, E, D) is randomizable if there is an efficient randomization algorithm R such that, given any ciphertext $c \in E(pk, b)$, R(pk, c) outputs a random c' distributed according to E(pk, b).
  • The GM scheme is randomizable: multiply c by $r^2 \bmod N$ where $r \in_R \mathbb{Z}_N^*$; the result is a uniformly random encryption of the same bit.

  14. OT from Randomizable PKE
  • Enough to implement $\text{Naïve-OT}(d, s) = (\bot, d \cdot s)$.
  • Protocol:
    • Receiver lets $(pk, sk) \leftarrow G(1^k)$ and $c \leftarrow E(pk, s)$, and sends (pk, c) to the Sender.
    • If d = 1, the Sender lets $c' \leftarrow R(pk, c)$ and sends c' to the Receiver; if d = 0 it sends $c' \leftarrow E(pk, 0)$.
    • Receiver outputs D(sk, c').
  • Simulators:
    • Sender: let $(pk, sk) \leftarrow G(1^k)$ and $c \leftarrow E(pk, 0)$, and output (pk, c) along with local randomness. This is computationally indistinguishable from the real view by the secrecy of E.
    • Receiver with output b: let $(pk, sk) \leftarrow G(1^k)$ and output E(pk, b) along with local randomness. This is identically distributed to the real view: by randomizability, c' is a fresh encryption of d·s = b in both branches of the protocol.
  • Caveat: both simulations rely on (pk, c) and c' being generated as the protocol prescribes, so this gives privacy against passive adversaries only.
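A runnable version of slides 10 to 14: the Goldwasser-Micali scheme (G, E, D) from slide 12, the randomizer R from slide 13, Naïve-OT built on it as on this slide, and full OT from two Naïve-OT calls as on slide 10. This is an added example, not code from the slides; the function names are mine. It assumes, beyond the slides, that p ≡ q ≡ 3 (mod 4) so that v = N − 1 ≡ −1 is a non-square modulo both primes, and it uses tiny trial-division keys so that it runs instantly, which makes it a demonstration of the construction and not a secure implementation.

```python
import secrets
from math import gcd

# Toy Goldwasser-Micali PKE (G, E, D) plus the randomizer R, and the
# Naive-OT / OT protocols of slides 10-14 on top of it.  Key sizes are tiny
# (assumption: ~20-bit primes) so trial-division keygen is instant; this
# illustrates the construction and is NOT a secure implementation.

def is_prime(n):
    """Trial division; adequate only for the toy prime sizes used here."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    i = 3
    while i * i <= n:
        if n % i == 0:
            return False
        i += 2
    return True

def random_prime(bits):
    """Random prime with exactly `bits` bits and p ≡ 3 (mod 4)."""
    while True:
        p = secrets.randbits(bits) | (1 << (bits - 1)) | 3   # top bit set, low bits 11
        if is_prime(p):
            return p

def gm_keygen(bits=20):
    """G(1^k): pk = (N, v), sk = p.  With p ≡ q ≡ 3 (mod 4), v = N-1 ≡ -1 is a
    non-square modulo both p and q, as the GM scheme requires (our choice of v)."""
    p = random_prime(bits)
    q = random_prime(bits)
    while q == p:
        q = random_prime(bits)
    N = p * q
    return (N, N - 1), p

def random_unit(N):
    """Uniform element of Z_N^* by rejection sampling."""
    while True:
        r = secrets.randbelow(N)
        if r != 0 and gcd(r, N) == 1:
            return r

def gm_encrypt(pk, b):
    """E(pk, b) = r^2 * v^b mod N for random r in Z_N^*."""
    N, v = pk
    r = random_unit(N)
    return (r * r * pow(v, b, N)) % N

def gm_decrypt(sk, c):
    """D(sk, c): c is a square mod N iff it is a square mod p (Euler's criterion),
    because v is a non-square mod p.  Squares decrypt to 0, non-squares to 1."""
    p = sk
    return 0 if pow(c % p, (p - 1) // 2, p) == 1 else 1

def gm_randomize(pk, c):
    """R(pk, c): multiplying by a fresh r^2 maps E(pk, b) to a uniform E(pk, b)."""
    N, _ = pk
    r = random_unit(N)
    return (c * r * r) % N

def naive_ot(d, s, bits=20):
    """Naive-OT(d, s) = (⊥, d*s) as on slide 14.  Returns the Receiver's output."""
    # Receiver: fresh key pair and an encryption of its selection bit.
    pk, sk = gm_keygen(bits)
    c = gm_encrypt(pk, s)
    # Sender sees only (pk, c); by secrecy of E it cannot tell s=0 from s=1.
    if d == 1:
        c2 = gm_randomize(pk, c)       # fresh encryption of s
    else:
        c2 = gm_encrypt(pk, 0)         # fresh encryption of 0
    # Receiver: in both branches c2 is a fresh encryption of d*s.
    return gm_decrypt(sk, c2)

def ot(d0, d1, s, bits=20):
    """OT((d0, d1), s) = (⊥, d_s) via two Naive-OT calls (slide 10):
    d1*s + d0*(1-s) = d_s over GF(2)."""
    return naive_ot(d1, s, bits) ^ naive_ot(d0, 1 - s, bits)

if __name__ == "__main__":
    for d0 in (0, 1):
        for d1 in (0, 1):
            for s in (0, 1):
                assert ot(d0, d1, s) == (d0, d1)[s]
    print("OT over toy Goldwasser-Micali: all 8 input combinations correct")
```

Note what each party sees in `naive_ot`: the Sender only ever handles (pk, c), and the Receiver only ever handles a fresh-looking encryption of d·s, which is exactly what the two simulators on this slide produce.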

  15. More on OT
  • OT can also be based on trapdoor permutations (e.g., RSA).
  • Open question: does PKE imply OT?
    • There is no black-box reduction from OT to PKE.

  16. Reducing MSADD to OT
  • Recall: MSADD maps $(a_1, \dots, a_n), (b_1, \dots, b_n)$ to $(c_1, \dots, c_n)$, where the outputs $c_i$ are random subject to $\sum_i c_i = (\sum_i a_i) \cdot (\sum_i b_i)$ and all arithmetic is in GF(2).
  • Write $\sum_i c_i = \sum_{i,j} a_i b_j$.
  • The problem would be easy if each $a_i b_j$ were known to some player.
  • Idea: use OT to additively share $a_i b_j$ between $P_i$ and $P_j$.
    • Even by corrupting both $P_i$ and $P_j$, the adversary learns nothing new.
  • Implementation: $P_i$ acts as Sender and $P_j$ as Receiver.
    • $P_i$ picks a random bit $c_{i,j}$, which will serve as its share of $a_i b_j$.
    • Players call $\mathrm{OT}((d_0, d_1), s)$ where $d_b = a_i b + c_{i,j}$ and $s = b_j$; the Receiver's output $d_{b_j} = a_i b_j + c_{i,j}$ serves as $P_j$'s share.
  • May be viewed as a private reduction of the following functionality to OT: $\mathrm{SP}(a, b) = (c_1, c_2)$, where the outputs are random subject to $c_1 + c_2 = ab$.

  17. Reducing MSADD to OT (contd.)
  • Given that all $a_i b_j$ are additively shared, we could use a 1-round n-private protocol to compute an additive sharing of their sum.
    • In fact no additional interaction is needed: each player adds up its own shares locally.
  • Protocol:
    • For each (i, j) with $i \ne j$, players $P_i, P_j$ call $\mathrm{SP}(a_i, b_j)$, emulated via a single call to OT as on the previous slide. Let $(c_{ij}^i, c_{ij}^j)$ denote the outputs of this call.
    • Each $P_i$ outputs $c_i = a_i b_i + \sum_{j \ne i} c_{ij}^i + \sum_{j \ne i} c_{ji}^i$.
  • Simulator on inputs $(a_T, b_T)$, $c_T$:
    • For each (i, j) with $i \ne j$ and $i, j \in T$, pick $(c_{ij}^i, c_{ij}^j)$ at random subject to $c_{ij}^i + c_{ij}^j = a_i b_j$.
    • The values $c_{ij}^i$ and $c_{ji}^i$ with $i \in T$, $j \notin T$ are picked uniformly at random subject to the constraint that they are consistent with $c_T$.
    • This may be done by picking all of them at random except $c_{ij_0}^i$ for some fixed $j_0 \in [n] \setminus T$, and determining the |T| remaining values according to the sum constraints.
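The reduction of slides 16 and 17 in working code, together with the simulator of this slide. This is an added example and not code from the slides; bits are Python ints with + realised as XOR, OT is modelled as an ideal oracle call exactly as the reduction treats it, and the function names (`sp`, `msadd`, `simulate_view`, `output_from_view`) are mine. The simulator returns the shares held by the corrupted players and a checker recomputes each corrupted player's output from them, which is the consistency condition the slide asks for.

```python
import secrets

# MSADD-to-OT reduction (slides 16-17) over GF(2): bits as ints, + is XOR.
# OT is an ideal oracle here, as in the reduction (assumption of this example).

def ideal_ot(d0, d1, s):
    """Ideal OT((d0, d1), s) = (⊥, d_s): the Receiver's output of one oracle call."""
    return (d0, d1)[s]

def sp(a_i, b_j):
    """SP(a, b) = (c1, c2), random subject to c1 + c2 = a*b, via one OT call.
    P_i (Sender, holds a_i) picks its share r; P_j (Receiver, holds b_j)
    obtains d_{b_j} = a_i*b_j + r as its share."""
    r = secrets.randbits(1)
    d0, d1 = r, r ^ a_i                 # d_b = a_i*b + r
    return r, ideal_ot(d0, d1, b_j)

def msadd(a, b):
    """Additive shares a of x and b of y in, additive shares c of x*y out.
    Interaction is limited to the n(n-1) OT calls; summing is local."""
    n = len(a)
    c = [a[i] & b[i] for i in range(n)]            # local term a_i*b_i
    for i in range(n):
        for j in range(n):
            if i != j:
                share_i, share_j = sp(a[i], b[j])  # P_i Sender, P_j Receiver
                c[i] ^= share_i                    # c_ij^i
                c[j] ^= share_j                    # c_ij^j
    return c

def reconstruct(shares):
    out = 0
    for s in shares:
        out ^= s
    return out

def share(x, n):
    """Random additive sharing of bit x among n players."""
    s = [secrets.randbits(1) for _ in range(n - 1)]
    s.append(x ^ reconstruct(s))
    return s

def simulate_view(n, T, a_T, b_T, c_T):
    """Slide-17 simulator for corrupted set T (proper subset of {0..n-1}).
    a_T, b_T, c_T map each i in T to its inputs and its output c_i.
    Returns view[(i, j, h)] = share of the SP(a_i, b_j) call held by the
    corrupted player h (h is i or j)."""
    T = set(T)
    assert T and T != set(range(n)), "needs an honest j0 outside T"
    view = {}
    # Pairs inside T: random subject to c_ij^i + c_ij^j = a_i b_j (both known).
    for i in T:
        for j in T:
            if i != j:
                r = secrets.randbits(1)
                view[(i, j, i)] = r
                view[(i, j, j)] = r ^ (a_T[i] & b_T[j])
    j0 = min(set(range(n)) - T)
    for i in T:
        # Calls with honest partners: every share random except c_{i j0}^i ...
        for j in range(n):
            if j not in T and j != i:
                view[(i, j, i)] = secrets.randbits(1)   # P_i as Sender
                view[(j, i, i)] = secrets.randbits(1)   # P_i as Receiver
        # ... which is fixed so that P_i's output formula yields the given c_i.
        total = (a_T[i] & b_T[i]) ^ c_T[i]
        for j in range(n):
            if j != i:
                total ^= view[(j, i, i)]
                if j != j0:
                    total ^= view[(i, j, i)]
        view[(i, j0, i)] = total
    return view

def output_from_view(view, n, i, a_i, b_i):
    """c_i = a_i b_i + sum_j c_ij^i + sum_j c_ji^i recomputed from a view."""
    out = a_i & b_i
    for j in range(n):
        if j != i:
            out ^= view[(i, j, i)] ^ view[(j, i, i)]
    return out

if __name__ == "__main__":
    n = 4
    for x in (0, 1):
        for y in (0, 1):
            assert reconstruct(msadd(share(x, n), share(y, n))) == (x & y)
    print("MSADD via OT: shares of x*y reconstruct correctly for n =", n)
```

The simulator never touches an honest player's inputs: for every pair with an honest member it only outputs the corrupted player's share, which in the real protocol is either a bit that player chose itself or a one-time-padded value, so a uniformly random bit is the right distribution, and the single fix-up per corrupted player absorbs the output constraint.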
