
Computational Privacy

Overview
Goal: Allow n-private computation of arbitrary functions.
– Impossible in the information-theoretic setting.
Computational setting:
– Adversary and simulator are bounded to probabilistic polynomial time.
– REAL and IDEAL should only be computationally indistinguishable.
⇒ relaxes information-theoretic privacy (bounded-simulator variant).
Main theorem: Every functionality can be computed with computational n-privacy (under standard cryptographic assumptions).
– Enough to show a computationally n-private protocol for MS_ADD, where ADD is additive secret sharing over GF(2).
Theorem holds also with insecure channels.

Security Parameter
In a computational setting, all participants receive a security parameter k.
– Players, adversary, and simulator run in time poly(k).
– Security is defined with respect to k: informally, any environment running in time poly(k) cannot distinguish between REAL and IDEAL, except with an advantage which vanishes super-polynomially in k.
Convention: make k implicit in the input length.
– Input domain X will include all n-tuples of strings with equal lengths.
– Security parameter: k = |x_i|.
– Every (partial) functionality f: ({0,1}*)^n → {0,1} can be augmented into a (partial) functionality f’ defined over X via input padding.
– To effectively achieve security level k, players can pad their inputs to length k (if needed).
– Note: must assume an upper bound on the input length is made public.
Alternative convention: players and adversaries receive k as an additional input; all algorithms are efficient in k.

Distribution Ensembles
Given an infinite index set X, we let {D(x)}_{x ∈ X} denote a distribution ensemble: a family of distributions over {0,1}* indexed by X.
– Sometimes we use D(x) or simply D when X is understood from the context.
Typical choices of X:
– X = N (natural numbers)
– X = n-tuples of strings of equal length (input vectors)
With each index x ∈ X associate a length |x|:
– if x ∈ N let |x| = x;
– if x is an n-tuple of k-bit strings, let |x| = kn;
– D(x) is typically distributed over {0,1}^{p(|x|)}, for some polynomial p.

Notions of Closeness
Def. A function ε: N → [0,1] is negligible if, for every constant c > 0, ε(k) = o(1/k^c).
– Equivalently: for every c > 0 there is k_0 s.t. for every k > k_0, ε(k) < 1/k^c.
– Note: neg · poly = neg.
Def. Let D(x), D’(x) be distribution ensembles. We say that D, D’ are:
– perfectly indistinguishable (denoted D ≡ D’) if D(x) ≡ D’(x) for every x;
– statistically indistinguishable (denoted D ≈_s D’) if for every function (distinguisher) Z there is a negligible function ε(k) such that for every x: | Pr[Z(D(x)) = 1] − Pr[Z(D’(x)) = 1] | < ε(|x|);
– computationally indistinguishable (denoted D ≈_c D’) if for every efficient distinguisher Z and poly-size advice sequence (a_k)_{k ∈ N}, there is a negligible function ε(k) such that for every x: | Pr[Z(D(x), a_{|x|}) = 1] − Pr[Z(D’(x), a_{|x|}) = 1] | < ε(|x|).
Advice makes the distinguisher nonuniform: stronger than randomized. Equivalent to distinguishing using poly-size circuits.

Security Definition Revisited
We say that the protocol π securely computes the functionality f (w.r.t. a given class of adversaries) if for every adversary A there is a simulator S such that:
– REAL_{π,A}(x) ≡ IDEAL_{f,S}(x) ⇒ perfect security (time(S) ≤ poly(time(A)));
– REAL_{π,A}(x) ≈_s IDEAL_{f,S}(x) ⇒ statistical security (time(S) ≤ poly(time(A)));
– REAL_{π,A}(x) ≈_c IDEAL_{f,S}(x) ⇒ computational security (time(A), time(S) ≤ poly(|x|)).

Main Theorem
Thm. Every efficiently computable functionality f admits a computationally n-private protocol.
Proof outline:
– Define a simple 2-party OT functionality and realize it by a computationally private protocol.
– Obtain a perfect n-private reduction from MS_ADD to OT.
– Using a computational variant of the composition theorem, obtain a computationally n-private protocol for MS_ADD.
– Use the circuit-based protocol we’ve seen for reducing f to MS_ADD: f restricted to inputs of length k can be computed by an arithmetic circuit C of size poly(k) over F = GF(2).
– Use the composition theorem once again to obtain a computationally n-private protocol for f.

Composition Theorem
Computationally private reduction from f to g:
– Inputs of oracle calls to g are as long as the original inputs.
– Allow g to have fewer than n arguments. The high-level protocol π^{f|g} specifies which player is assigned to each input of g. Can be emulated via a “universal” functionality.
Thm. Let π^{f|g} be a computationally t-private reduction from f to g and π_g a computationally t-private protocol for g. Then the protocol π_f obtained from π^{f|g} by substituting each call to g with a call to π_g is a computationally t-private protocol for f.

Composition (contd.)
Fact: computational indistinguishability is robust under multiple samples.
– If D ≈_c D’ then for every efficient oracle algorithm Z and poly-size advice sequence (a_k)_{k ∈ N}, there is a negligible function ε(k) such that for every k: | Pr[Z^D(a_k) = 1] − Pr[Z^{D’}(a_k) = 1] | < ε(k).
Proof via a hybrid argument:
REAL = (π^{f|g}, π_g) ≈_c (π^{f|g}, S_g) ≈_c (S^{f|g}, S_g) = IDEAL
– First step: otherwise π^{f|g} can be used to distinguish π_g from S_g.
– Second step: otherwise S_g can be used to distinguish π^{f|g} from S^{f|g}.

Oblivious Transfer
Def. Oblivious Transfer is a (computationally, 1-)private protocol for the following 2-party functionality: OT((d_0, d_1), s) = (⊥, d_s).
– Player P_1 will be called the Sender and P_2 the Receiver.
– By default d_0, d_1, s are bits; may be generalized to longer strings or multiple selections.
– In the literature, OT often requires security against active adversaries.
OT can be privately reduced to the following simpler functionality: Naïve-OT(d, s) = (⊥, d∧s).
– To implement OT, call Naïve-OT on inputs (d_1, s) and (d_0, 1−s).

Public-Key Encryption
Def. A public-key encryption scheme is a triplet of efficient probabilistic algorithms (G, E, D) such that:
– G(1^k) outputs a pair of keys (pk, sk).
– Correctness: for b = 0, 1, if E(pk, b) outputs c then D(sk, c) outputs b.
– Secrecy: E_0(k) ≈_c E_1(k), where E_b(k) is the distribution of (pk, E(pk, b)) where pk is taken from G(1^k).
Generalizations:
– Larger message domain (e.g., strings of length k).
– Allow negligible error probability.

Example: Goldwasser-Micali PKE
G picks a pair of random k-bit primes p, q, and lets N = pq, pk = N, and sk = p.
Encryption:
– E(pk, b) outputs c = r^2 · v^b where r ∈_R Z*_N and v is a non-square modulo both p and q.
Decryption:
– D(sk, c) uses the factorization of N to find whether c is a square modulo N.
Security holds under the Quadratic Residuosity Assumption.

Randomizable PKE
Def. A public-key encryption scheme (G, E, D) is randomizable if there is an efficient randomization algorithm R such that, given any ciphertext c ← E(pk, b), R(pk, c) outputs a random c’ distributed according to E(pk, b).
The GM scheme is randomizable: multiply c by r^2 where r ∈_R Z*_N.

OT from Randomizable PKE
Enough to implement Naïve-OT(d, s) = (⊥, d∧s).
Protocol:
– Receiver lets (pk, sk) ← G(1^k) and c ← E(pk, s), and sends (pk, c) to the Sender.
– If d = 1 the Sender lets c’ ← R(pk, c) and sends c’ to the Receiver; if d = 0 it sends c’ ← E(pk, 0).
– Receiver outputs D(sk, c’).
Simulators:
– Sender: let (pk, sk) ← G(1^k) and c ← E(pk, 0), and output (pk, c) along with local randomness.
– Receiver with output b: let (pk, sk) ← G(1^k) and output E(pk, b) along with local randomness.
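As an added worked example (not code from the slides), the Naïve-OT protocol above instantiated with a toy Goldwasser-Micali scheme, together with the reduction of OT to two Naïve-OT calls from the Oblivious Transfer slide. The primes are constructed small values so the demo runs, and pk carries the non-square v explicitly (the slide abbreviates pk = N).

```python
import math
import random

# Constructed toy primes so the demo runs instantly; G(1^k) picks random k-bit primes.
P, Q = 10007, 10009
N = P * Q

def is_nonsquare(x, p):
    """Euler's criterion: x is a non-square modulo prime p iff x^((p-1)/2) = -1 mod p."""
    return pow(x % p, (p - 1) // 2, p) == p - 1

def gm_keygen():
    """G: pk = (N, v) with v a non-square modulo both p and q; sk = p."""
    v = next(v for v in range(2, N) if is_nonsquare(v, P) and is_nonsquare(v, Q))
    return (N, v), P

def gm_encrypt(pk, b):
    """E(pk,b) = r^2 * v^b mod N for random r in Z*_N (b in {0,1})."""
    n, v = pk
    r = random.randrange(1, n)
    while math.gcd(r, n) != 1:
        r = random.randrange(1, n)
    return (r * r * pow(v, b, n)) % n

def gm_decrypt(sk, c):
    """D(sk,c): c is a square mod N iff it is a square mod p; squares encode 0."""
    return 1 if is_nonsquare(c, sk) else 0

def gm_rerandomize(pk, c):
    """R(pk,c): multiplying by a fresh r^2 yields a fresh encryption of the same bit."""
    return (c * gm_encrypt(pk, 0)) % pk[0]

def naive_ot(d, s):
    """Naive-OT(d,s) = (⊥, d∧s): Receiver holds s, Sender holds d."""
    pk, sk = gm_keygen()                                          # Receiver: fresh key pair
    c = gm_encrypt(pk, s)                                         # Receiver -> Sender: (pk, c)
    c2 = gm_rerandomize(pk, c) if d == 1 else gm_encrypt(pk, 0)   # Sender -> Receiver: c'
    return gm_decrypt(sk, c2)                                     # Receiver's output

def ot(d0, d1, s):
    """OT((d0,d1), s) = (⊥, d_s) from Naive-OT(d1, s) and Naive-OT(d0, 1-s), summed in GF(2)."""
    return naive_ot(d1, s) ^ naive_ot(d0, 1 - s)
```

When d = 0 the Sender's message is a fresh encryption of 0, so the Receiver learns nothing about whether d was used, which is what the Sender simulator on the slide exploits.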

More on OT OT can also be based on trapdoor permutations (e.g., RSA). Open question: Does PKE imply OT? There is no black-box reduction from OT to PKE.

Reducing MS_ADD to OT
Recall: MS_ADD maps (a_1, …, a_n), (b_1, …, b_n) to (c_1, …, c_n) where the outputs c_i are random subject to Σ c_i = (Σ a_i)·(Σ b_i) and all arithmetic is in GF(2).
Write Σ c_i = Σ_{i,j} a_i b_j.
– The problem would be easy if each a_i b_j were known to some player.
Idea: use OT to additively share a_i b_j between P_i, P_j.
– Even by corrupting both P_i, P_j, the adversary learns nothing new.
Implementation: P_i acts as Sender and P_j as Receiver.
– P_i picks a random bit c_{i,j}, which will serve as its share of a_i b_j.
– Players call OT((d_0, d_1), s) where d_b = a_i b + c_{i,j} and s = b_j.
– May be viewed as a private reduction of the following functionality to OT: SP(a, b) = (c_1, c_2) where the outputs are random subject to c_1 + c_2 = ab.

Reducing MS_ADD to OT (contd.)
Given that all a_i b_j are additively shared, we could use a 1-round n-private protocol to compute an additive sharing of their sum.
– Additional interaction is not needed.
Protocol:
– For each (i, j) s.t. i ≠ j, players P_i, P_j call SP(a_i, b_j), emulated via a single call to OT as in the previous slide. Let (c^{ij}_i, c^{ij}_j) denote the outputs of this call.
– Each P_i outputs c_i = a_i b_i + Σ_{j ≠ i} c^{ij}_i + Σ_{j ≠ i} c^{ji}_i.
Simulator on inputs (a_T, b_T), c_T:
– For each (i, j) s.t. i, j ∈ T pick (c^{ij}_i, c^{ij}_j) at random subject to c^{ij}_i + c^{ij}_j = a_i b_j.
– The values c^{ij}_i and c^{ji}_i such that i ∈ T, j ∉ T are picked uniformly at random subject to the constraint that they are consistent with c_T. May be done by picking all at random except c^{ij_0}_i for some j_0 ∈ [n]\T, and determining the |T| remaining values according to the sum constraints.
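The reduction on the last two slides carried out in code, as an added example that is not part of the lecture: SP is realized with one call to an ideal OT functionality standing in for an OT protocol, and each player's output formula is checked to reconstruct the product of the shared bits. The helpers share and reconstruct are assumptions for the demo.

```python
import random

def ideal_ot(d0, d1, s):
    """Ideal OT((d0,d1), s) = (⊥, d_s), standing in for an OT protocol."""
    return d1 if s else d0

def sp_via_ot(a, b):
    """SP(a,b) -> (c1, c2), random subject to c1 + c2 = a*b over GF(2).
    Sender (P_i, input a) picks c1 and offers d_x = a*x + c1 for x in {0,1};
    Receiver (P_j, input b) selects d_b = a*b + c1 as its share c2."""
    c1 = random.randrange(2)
    d0, d1 = c1, (a + c1) % 2
    return c1, ideal_ot(d0, d1, b)

def ms_add_via_ot(a, b):
    """MS_ADD: from additive shares a, b of bits A, B, output additive shares
    of A*B, using one SP (= one OT) call per ordered pair (i, j) with i != j."""
    n = len(a)
    c = [(a[i] * b[i]) % 2 for i in range(n)]        # local a_i b_i terms
    for i in range(n):
        for j in range(n):
            if i != j:
                ci, cj = sp_via_ot(a[i], b[j])         # P_i Sender, P_j Receiver
                c[i] ^= ci                             # c^{ij}_i is summed by P_i
                c[j] ^= cj                             # c^{ij}_j is summed by P_j
    return c

def share(x, n):
    """Random additive sharing of bit x among n players (demo helper)."""
    s = [random.randrange(2) for _ in range(n - 1)]
    return s + [(x + sum(s)) % 2]

def reconstruct(shares):
    """Sum of additive shares in GF(2)."""
    return sum(shares) % 2

def ms_add_correct(x, y, n):
    """True iff the output shares of MS_ADD reconstruct to x*y."""
    return reconstruct(ms_add_via_ot(share(x, n), share(y, n))) == x * y
```

Summing the outputs gives Σ_i a_i b_i + Σ_{i≠j} (c^{ij}_i + c^{ij}_j) = Σ_{i,j} a_i b_j = (Σ a_i)(Σ b_i), which is exactly the constraint MS_ADD imposes.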