SHADE: Secure HAmming DistancE computation from oblivious transfer
Julien Bringer, Hervé Chabanne, Alain Patey
Workshop on Applied Homomorphic Cryptography (WAHC’13) - Apr. 1st, 2013
Work partially funded by the ANR SecuLar project and by the European FP7 FIDELITY project.

Outline
• Motivations
• Secure Biometric Recognition
• Secure Computation of Hamming distances: previous proposals
• Homomorphic Encryption
• Garbled Circuits
• SHADE
• The basic scheme
• The fully-secure scheme
Alain Patey / 01/04/2013 / WAHC'13

Motivations

Biometric matching
• Biometrics: Images are encoded into feature vectors
• Biometric matching: computation of a similarity measure between two vectors
  • Hamming Distance
  • Euclidean Distance
  • Scalar Product
  • …

Example: Iris
• Iris codes: 256-byte code + 256-byte mask
• Mask indicates (in)exploitable data: eyelids, eyelashes, blurred pixels…
• Similarity measure between (X1,M1) and (X2,M2): normalized Hamming distance
• HD(X1,X2) = |(X1 ⨁ X2) ∩ M1 ∩ M2| / |M1 ∩ M2|
John Daugman: How iris recognition works. IEEE Trans. Circuits Syst. Video Techn. (TCSV) 14(1):21-30 (2004)

Example: Fingerprint
• Binary feature vector fingerprint representation: ~50,000 bit-vectors
• Bits indicate presence/absence of given patterns
• Similarity measure: usual Hamming distance
Bringer, J. and Despiegel, V., Binary feature vector Fingerprint representation from minutiae vicinities, BTAS'10. (2010).

Example: Face
• Face: SCiFI project
• Approach similar to the approach of previous slide
• 900-bit vectors
• (constant 180-bit weight)
• Similarity measure = usual Hamming distance
Margarita Osadchy, Benny Pinkas, Ayman Jarrous, Boaz Moskovich: SCiFI - A System for Secure Face Identification. IEEE Symposium on Security and Privacy 2010:239-254

Motivations for secure biometric matching
• Biometric data are
  • extremely sensitive
  • hard to revoke
• But very useful for personal recognition
• Need for protection and usability at the same time
• ⇒ Secure computation
• Applications
  • 1 vs N identification
  • Intersection of biometric databases
  • Deduplication
  • Anonymous access control
  • …

Secure Hamming Distance Computation: Previous proposals

Setting
• Client: binary string X=(x1,…,xn), 100110011101
• Server: binary string Y=(y1,…,yn), 110010010101
• Secure Computation
• Output: dH(X,Y) = Σ(xi ⨁ yi)
• Output learned either by C, S or both
• Privacy: One party does not learn information about the other party’s input (except the result)

Homomorphic Encryption

XOR-ly/Additively Homomorphic Encryption
• E = homomorphic cryptosystem
• Goal: compute E(X⨁Y) (or E(dH(X,Y))) from E(X) and Y (or E(X) and E(Y))
  • where X and Y are strings
• No efficient homomorphic cryptosystem does this in a straightforward way
  • Goldwasser-Micali: XOR over bits
  • Paillier: addition over integers
• Use of additively homomorphic encryption (Paillier and extensions)
  • E(X).E(Y) = E(X+Y)
  • E(X)^Y = E(X.Y)

Secure Hamming distance using Homomorphic Encryption
• Client input: X=(x1,…,xn), sk, pk
• Server input: Y=(y1,…,yn), pk
• Data encryption: Client → Server: E(x1),…,E(xn)
• Computation over encrypted data (Server):
  • For i=1..n, E(xi⨁yi) = E(xi)^(1-2yi) . E(yi)
  • E(dH(X,Y)) = E(Σ(xi⨁yi)) = Π E(xi⨁yi)
• Server → Client: E(dH(X,Y))
• Result decryption (Client): Decryption using sk
• Output: dH(X,Y)
Recall: x,y∈{0,1}, x⊕y = x + y – 2x.y

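The exchange on this slide, run end to end with a toy Paillier instance. This is an added example, not code from the talk or the authors; the primes are constructed and far too small for real use, and the function names are hypothetical.

```python
import math
import secrets

# Constructed toy Paillier key (illustration only, not a secure size).
P, Q = 1009, 1013
N = P * Q
N2 = N * N
LAM = (P - 1) * (Q - 1) // math.gcd(P - 1, Q - 1)   # lcm(p-1, q-1)
MU = pow(LAM, -1, N)                                # valid for generator g = N + 1

def encrypt(m):
    """E(m) = (1+N)^m * r^N mod N^2 with a fresh random r coprime to N."""
    while True:
        r = secrets.randbelow(N - 1) + 1
        if math.gcd(r, N) == 1:
            return pow(1 + N, m, N2) * pow(r, N, N2) % N2

def decrypt(c):
    """m = L(c^lambda mod N^2) * mu mod N, where L(u) = (u - 1) / N."""
    return (pow(c, LAM, N2) - 1) // N * MU % N

def server_hamming(enc_x, y):
    """Server: turn E(x_1..x_n) and its own plaintext bits y into E(d_H(X,Y))."""
    acc = encrypt(0)
    for c, yi in zip(enc_x, y):
        # E(x_i xor y_i) = E(x_i)^(1-2*y_i) * E(y_i); the exponent is +1 or -1,
        # and -1 is a modular inverse of the ciphertext.
        term = pow(c, 1 - 2 * yi, N2) * encrypt(yi) % N2
        acc = acc * term % N2        # multiplying ciphertexts adds plaintexts
    return acc

def run(x, y):
    enc_x = [encrypt(b) for b in x]      # data encryption, client -> server
    enc_d = server_hamming(enc_x, y)     # computation over encrypted data
    return decrypt(enc_d)                # result decryption with sk

# Sample strings from the "Setting" slide.
X = [int(c) for c in "100110011101"]
Y = [int(c) for c in "110010010101"]

if __name__ == "__main__":
    print("d_H(X,Y) =", run(X, Y))
```

The server only ever handles ciphertexts of the client's bits, and each bit costs one ciphertext plus one modular exponentiation, which is the per-bit cost the later summary slide refers to.
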
Yao’s Protocol

1-out-of-2 Oblivious transfer
• Sender: Inputs: strings X0 and X1. Output: ∅
• Receiver: Input: bit b. Output: Xb
• Sender does not learn b
• Receiver learns nothing about X(1-b)

Garbled Circuits
• Garbled circuits: “Encrypted” binary circuits
  • Random keys are associated with wires (one pair per wire)
  • Gates are encrypted using these keys
• S creates the garbled circuit:
  • picks random keys and encrypts tables
• C evaluates the garbled circuit
  • Decrypts the garbled tables using one key per input wire
  • Keys corresponding to S’s inputs are directly sent to C
  • Keys corresponding to C’s inputs are sent using 1-out-of-2 OT’s

Yao’s Protocol
• Party 1: Creates the Garbled Circuit
• Party 1 → Party 2: Garbled Circuit, labels of P1’s inputs
• Labels of P2’s inputs using 1-out-of-2 OT’s
• Party 2: Evaluates the Garbled Circuit, obtains f(X,Y)
• Party 2 → Party 1 (optional): f(X,Y)

Implementation of Yao’s protocol
• Garbling can be implemented using symmetric cryptography
• Optimizations:
  • free XOR gates
  • 25% gate reduction
• 1-out-of-2 OT’s can also be implemented using symmetric cryptography
  • After some preprocessing involving public-key cryptography
• Implementations are available
  • Fairplay, TASTY, Secure Computation Framework…

Summary
• Additively homomorphic encryption
  • Bits are encrypted separately (ciphertexts are at least 2048-bit long)
  • Homomorphic operations are costly
  • Ciphertexts can be re-used (for another instance of the protocol or another functionality)
• Yao’s protocol
  • Mostly symmetric cryptography
  • Garbled circuits not reusable
• Use of Yao’s protocol for secure Hamming distance computation gives better performance than homomorphic encryption
Yan Huang, David Evans, Jonathan Katz, Lior Malka: Faster Secure Two-Party Computation Using Garbled Circuits. USENIX Security Symposium 2011

SHADE

Towards SHADE
• Garbled Circuits are big, even for the simple Hamming distance circuit
  • e.g. >120 KB bandwidth required for 2048-bit Hamming distance
• When using Yao’s protocol, sender’s inputs to the OT’s are independent of the actual inputs X and Y
• Ideas:
  • Get rid of garbled circuits
  • Adapt the inputs of the OT’s such that
    • they are linked to the sender’s bit-string
    • the output of the i-th OT is linked to xi⨁yi
• Input of the server: (ri + xi, ri + (1-xi))
• Input of the client: yi
• Output of the client: ri + xi⨁yi

Protocol
• Server: X = (x1,…,xn)
• Client: Y = (y1,…,yn)
• Server: Select random r1,…,rn
• For i=1,…,n: Oblivious Transfer (1-out-of-2 OT)
  • Server: Input: (ri+xi, ri+(xi⨁1)). Output: ∅
  • Client: Input: yi. Output: ti = ri+(xi⨁yi)
• Server: Compute R = Σ ri
• Client: Compute T = Σ ti (= R+HD(X,Y))
• 1st option: Server → Client: R. Client: Output T-R = HD(X,Y)
• 2nd option: Client → Server: T. Server: Output T-R = HD(X,Y)

Remarks
• Overall cost: n OT’s
• Privacy ensured in the semi-honest model
• Extension to several dH(X,Yj) at the same time
  • Biometric 1 vs N - identification
• Applicable to any function of the form:
  • F(X,Y) = ∑ λi fi(xi,yi)
  • F(X,Y) = ∏ f(xi,yi)

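The basic protocol and its generalisation to F(X,Y) = ∑ λi f(xi,yi) from the Remarks slide, simulated with both parties in one process. This is an added example, not the authors' code: the OT is an ideal stand-in function, a single f is used for all positions, and the masks are taken modulo (∑ λi) + 1, a modulus the slides do not state.

```python
import secrets

def ideal_ot(m0, m1, b):
    """Ideal 1-out-of-2 OT: the receiver obtains m_b and nothing about the
    other message; the sender learns nothing about b. A real OT protocol
    would replace this function (assumption of this example)."""
    return m1 if b else m0

def shade(x, y, f=lambda a, b: a ^ b, weights=None):
    """Compute F(X,Y) = sum_i w_i * f(x_i, y_i) with one OT per position.
    f must return 0 or 1 and the weights must be positive integers."""
    n = len(x)
    w = weights or [1] * n
    mod = sum(w) + 1                      # assumed modulus, one above max F

    # Server: a fresh mask r_i per position and the two OT messages.
    r = [secrets.randbelow(mod) for _ in range(n)]
    pairs = [((r[i] + w[i] * f(x[i], 0)) % mod,     # received if y_i = 0
              (r[i] + w[i] * f(x[i], 1)) % mod)     # received if y_i = 1
             for i in range(n)]

    # Client: selects with y_i and learns only t_i = r_i + w_i * f(x_i, y_i).
    t = [ideal_ot(m0, m1, y[i]) for i, (m0, m1) in enumerate(pairs)]

    R = sum(r) % mod                      # held by the server
    T = sum(t) % mod                      # held by the client
    # 1st option: server sends R and the client outputs T - R.
    # 2nd option: client sends T and the server outputs T - R.
    return {"R": R, "T": T, "result": (T - R) % mod}

# Sample strings from the "Setting" slide.
X = [int(c) for c in "100110011101"]
Y = [int(c) for c in "110010010101"]

if __name__ == "__main__":
    print("Hamming distance:", shade(X, Y)["result"])
    print("Scalar product:  ", shade(X, Y, f=lambda a, b: a & b)["result"])
```

With f = XOR the two OT messages are exactly (ri + xi, ri + (xi⨁1)) as on the Protocol slide; each ti is uniformly masked by ri, so only the sum T - R carries information.
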
Comparison to previous solutions
[Table columns: HE, Yao, SHADE]
After preprocessing, including optimizations

Computation time
• Comparison to Yao’s protocol
• For 900 bits:
  • HE: ~310 ms
  • Yao: ~20 ms
  • SHADE: ~8 ms

SHADE
The fully-secure scheme (security against malicious adversaries)

Committed Oblivious transfer
• Sender: Inputs: strings X0 and X1; random values r0, r1. Output: ∅
• Receiver: Inputs: bit b; random value r. Output: Xb; random value u
• Common Inputs: Com(X0,r0); Com(X1,r1); Com(b,r)
• Common Output: Com(Xb,u)
Kiraz, M.S., Schoenmakers, B., Villegas, J.: Efficient committed oblivious transfer of bit strings. In: ISC. (2007)

Homomorphic commitment
• Additively homomorphic commitment:
  • Com(x1,r1) . Com(x2,r2) = Com(x1+x2, r1+r2)
• Zero-knowledge proofs:
  • Proof that a commitment c commits to either x1 or x2
    • Here: proof that committed value is a bit (0 or 1)
  • Proof that two committed values differ by 1
• Instantiation using Paillier or ElGamal cryptosystem

Fully secure scheme – 1st step: Commitment and proofs of consistency
• Server: X = (x1,…,xn)
• Client: Y = (y1,…,yn)
Client:
• Pick random values χ1,…,χn
• Compute and publish Com(yi,χi), i=1…n
• Prove that committed values are bits
Server:
• Pick random values α1,…,αn, β1,…,βn, r1,…,rn
• Compute and publish, for i=1…n
  • Ai = Com(ri+xi, αi)
  • Bi = Com(ri + (1-xi), βi)
• Prove that committed values differ by 1
Result:
• Server: xi; ri; ai=ri+xi; bi = ri + (1-xi); αi; βi
• Client: yi; χi
• Common: Ai=Com(ai,αi); Bi=Com(bi,βi); Com(yi,χi)

Fully secure scheme – 2nd step: Committed Oblivious transfers
• Server: xi; ri; ai=ri+xi; bi = ri + (1-xi); αi; βi
• Client: yi; χi
• Common: Ai=Com(ai,αi); Bi=Com(bi,βi); Com(yi,χi)
n Committed oblivious transfers
• Output: ti = ri + (xi⨁yi); random values 𝜏i
• Common Output: Ci=Com(ti, 𝜏i)

Fully secure scheme – 3rd step: Hamming Distance Computation (1st option)
• Server: ri; ai=ri+xi; bi = ri + (1-xi); αi; βi
• Client: ti = ri + (xi⨁yi); 𝜏i
• Common: Ai=Com(ai,αi); Bi=Com(bi,βi); Ci=Com(ti, 𝜏i)
• Server: Compute R = r1 + … + rn
• Client: Compute T = t1 + … + tn
• Compute K = A1…AnB1…Bn
• Compute K = Com(2R+n, ∑(αi + βi))
• Server → Client: R + proof that K commits to 2R+n
• Client: Check the proof
• Output T-R = dH(X,Y)
• Same mechanisms for 2nd option

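Why the check on K catches a server that reports a wrong R: since ai + bi = 2ri + 1, the product of all Ai and Bi commits to 2R + n. The sketch below is an added example, not the authors' code. It uses ElGamal-style commitments over a constructed toy group, works modulo the group order q, and replaces the zero-knowledge proof on the slide by a direct opening of K; all names are hypothetical.

```python
import secrets

# Constructed toy group: p = 2q + 1 with q prime; g and h lie in the
# order-q subgroup. Far too small for real use.
P, Q = 2039, 1019
G = 4
H = pow(G, 777, P)      # in a real setup nobody may know log_g(h)

def com(x, r):
    """ElGamal-style commitment Com(x, r) = (g^r, g^x * h^r) mod p."""
    return (pow(G, r, P), pow(G, x % Q, P) * pow(H, r, P) % P)

def mul(c1, c2):
    """Com(x1,r1) . Com(x2,r2) = Com(x1+x2, r1+r2), component-wise."""
    return (c1[0] * c2[0] % P, c1[1] * c2[1] % P)

def server_commit(x):
    """1st step, server side: A_i = Com(r_i + x_i, alpha_i) and
    B_i = Com(r_i + (1 - x_i), beta_i) for fresh r_i, alpha_i, beta_i."""
    rows = []
    for xi in x:
        ri, al, be = (secrets.randbelow(Q) for _ in range(3))
        rows.append({"r": ri, "alpha": al, "beta": be,
                     "A": com(ri + xi, al), "B": com(ri + 1 - xi, be)})
    return rows

def check_R(public_ab, claimed_R, opening):
    """Client side: K = A_1...A_n B_1...B_n must open to 2R + n."""
    K = (1, 1)                                  # Com(0, 0)
    for A, B in public_ab:
        K = mul(mul(K, A), B)
    return K == com(2 * claimed_R + len(public_ab), opening)

def demo(x):
    rows = server_commit(x)
    public_ab = [(row["A"], row["B"]) for row in rows]
    R = sum(row["r"] for row in rows)
    opening = sum(row["alpha"] + row["beta"] for row in rows)
    honest = check_R(public_ab, R, opening)     # true R is accepted
    cheat = check_R(public_ab, R + 1, opening)  # shifted R is rejected
    return honest, cheat

if __name__ == "__main__":
    print(demo([1, 0, 0, 1, 1, 0, 0, 1, 1, 1, 0, 1]))
```
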
Conclusion
• Most efficient secure Hamming distance computation in the semi-honest model
• Applicable to any linear combination of bit-wise independent functions
• Non-reusable
  • like garbled circuits
  • unlike homomorphic encryption
• Adaptation to the malicious model
  • Using additive homomorphic encryption and zero-knowledge
• Applications to secure image/signal processing
  • In particular, biometric identification

Thank you for your attention
Questions?