Cryptography: on the Hope for Privacy in a Digital World. Omer Reingold, Weizmann and Harvard CRCS.

Presentation transcript:

1 Cryptography: on the Hope for Privacy in a Digital World. Omer Reingold, Weizmann and Harvard CRCS

2 So, is there Hope for Privacy?
No! Privacy is doomed! Enjoy your sandwiches …
Is this what we invited you for?
On second thought, the digital world gives new hope for privacy!
– Selling digital goods (w/ Bill Aiello and Yuval Ishai)
– Keyword database search (w/ Mike Freedman, Yuval Ishai, and Benny Pinkas)

3 Day to Day Breaches of Privacy When/how can it be better?

4 Anonymity? Alice Bob And Betty, when you call me, you can call me Al! I can call you Betty, Call me Al Not in this Talk!

5 Selling Digital Goods
How good are digital goods?
– Entertainment: TV, music, video, books, software
– Business: news, stock quotes, patents, layoff rumors
– Research: papers, research databases, clip-art
What's special about digital goods?
– Typically of unlimited supply (easy to duplicate).
– Easy to communicate and manipulate
Main goal: protect the privacy of clients
– What
– When
– How much
– (But not who)

6 Example
[Figure: Vendor and Buyer; labels: "Key of", "Encrypted Individually"]

7 Oblivious Transfer (OT) [R], 1-out-of-N [EGL]:
– Input: Vendor: x_1, x_2, …, x_n; Buyer: 1 ≤ j ≤ n
– Output: Vendor: nothing; Buyer: x_j
– Privacy: Vendor learns nothing about j; Buyer learns nothing about x_i for i ≠ j
– Not necessarily two messages
– Related notions: Private Information Retrieval [CGKS] / Symmetrically-Private Information Retrieval [GIKM]
[Figure: Vendor holds x_1, x_2, x_3, x_4, …, x_n; Buyer sends j and receives x_j]

8 Priced OT [AIR]
Initial payment (Buyer to Vendor): $b_0. Set b = b_0.
Vendor holds prices p_1, p_2, …, p_n and items k_1, k_2, …, k_n (also k_0, with p_0 = 0).
Buyer chooses i and receives k_i; Vendor updates b ← b − p_i.

9 Comparison with E-cash [Cha85,CFN88,...]
– Payment: E-cash: digital; Priced OT: any
– Goods: E-cash: any; Priced OT: digital
– Hides: E-cash: who; Priced OT: what +
– Access to goods: E-cash: anonymous; Priced OT: any

10 General Perspective
Priced OT is an instance of secure two-party computation.
Theoretical plausibility results are known [Yao,GMW].
However: general solutions are costly (computation, bandwidth, rounds).
A major endeavor in cryptography: identifying interesting specific problems and suggesting more efficient solutions.

11 Tool: Homomorphic Encryption
Plaintexts from (G,+)
– E(a), E(b) → E(a+b)
– E(a), c → E(c·a)
|G| large prime
Can use either additive G = Z_P or multiplicative G ⊆ Z*_P
In particular, can use El-Gamal.

12 Conditional Disclosure of Secrets [GIKM,AIR]
Honest Buyer: V(q) = True
How to protect against a malicious Buyer?
– Method 1: Buyer proves in ZK that V(q) = True;
– Method 2: Vendor discloses a subject to the condition V(q) = True.
Notation: CDS( a ; V(q) )
[Figure: Buyer (sk,pk) → Vendor (a): E(q), pk; Vendor → Buyer: E(a), E(CDS( a ; V(q) ))]

13 Conditional Disclosure of Secrets - Implementation
a, q, i ∈ G
CDS(a ; q=i) : a + r(q−i), r ∈_R {1,…,|G|}
E is homomorphic - E(CDS( a ; V(q) )) can be computed from E(q)
Information-theoretic security for Vendor (hides a).
Need to verify validity of pk; Easy for El-Gamal!
[Figure: Buyer (sk,pk) → Vendor (a): E(q), pk; Vendor → Buyer: E(CDS( a ; V(q) ))]

14 Application: 1-Round OT * [AIR,NP]
[Figure: Buyer (sk,pk), q → Vendor (x_1, x_2, …, x_n): E(q), pk; Vendor → Buyer: E(CDS(x_1 ; q=1)), …, E(CDS(x_n ; q=n))]
* Weakened / incomparable notion of security vs. simulation:
– Vendor's security: purely information-theoretic
– Buyer's security: privacy only.
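The CDS implementation and the 1-round OT built on it (slides 13 and 14) can be run end to end with multiplicative El-Gamal. This is an added example, not code from the talk: it writes the slide's additive a + r(q−i) multiplicatively as a·(q/g^i)^r, and the toy parameters and all function names are assumptions made for illustration.

```python
import secrets

# Toy parameters (constructed for illustration, far too small for real use):
# P = 2*Q + 1 is a safe prime and G generates the subgroup of prime order Q.
P, Q, G = 1019, 509, 4

def keygen():
    sk = secrets.randbelow(Q - 1) + 1
    return sk, pow(G, sk, P)

def encrypt(pk, m):
    k = secrets.randbelow(Q - 1) + 1
    return pow(G, k, P), m * pow(pk, k, P) % P

def decrypt(sk, ct):
    c1, c2 = ct
    return c2 * pow(c1, Q - sk, P) % P        # c1^(-sk), since c1 has order Q

def valid(x):
    # Vendor-side validity check: x must lie in the order-Q subgroup.
    return 0 < x < P and pow(x, Q, P) == 1

def cds(pk, enc_q, a, i):
    """E(CDS(a; q=i)), computed from the ciphertext E(q) alone."""
    r = secrets.randbelow(Q)                  # uniform r: wrong q gives a uniform element
    c1, c2 = enc_q
    c2 = c2 * pow(G, Q - i % Q, P) % P        # E(q / g^i)
    c1, c2 = pow(c1, r, P), pow(c2, r, P)     # E((q / g^i)^r)
    m1, m2 = encrypt(pk, a)                   # fresh E(a) re-randomises the reply
    return c1 * m1 % P, c2 * m2 % P           # E(a * (q / g^i)^r)

def buyer_query(j):
    sk, pk = keygen()
    return sk, pk, encrypt(pk, pow(G, j, P))  # choice j encoded as the element g^j

def vendor_reply(pk, enc_q, items):
    if not all(valid(v) for v in (pk, *enc_q)):
        raise ValueError("pk or query is not in the prime-order subgroup")
    return [cds(pk, enc_q, x, i) for i, x in enumerate(items, start=1)]

def buyer_recover(sk, reply, j):
    return decrypt(sk, reply[j - 1])
```

Items must be encoded as elements of the subgroup; every slot other than the Buyer's choice decrypts to a uniformly random group element, which is the information-theoretic Vendor security stated on the slide.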

15 Database Search
OT/PIR/SPIR allow a client to privately retrieve the i-th entry of a database.
Efficiency depends linearly (at least) on the size of the database.
Sometimes this is not enough. For example, consider a list of fraudulent card numbers. A merchant wants to check if a particular number is in the list.
Use OT/PIR?
– Table of entries, 1 if fraudulent, 0 otherwise?
Works on supporting more general database search.

16 Keyword Search (KS): definition
Input:
– Server: database X = { (x_i, p_i) }, 1 ≤ i ≤ N; x_i is a keyword (e.g. number of a corrupt card), p_i is the payload (e.g. why card is corrupt)
– Client: search word w (e.g. credit card number)
Output:
– Server: nothing
– Client: p_i if ∃i : x_i = w, otherwise nothing
Client output: (x_j, p_j) iff w = x_j
[Figure: Server holds (x_1,p_1), (x_2,p_2), …, (x_n,p_n); Client holds w]

17 Conclusions
Our expectation of privacy in the digital world should not be bound by our physical-world experiences.
The ability to duplicate, manipulate and communicate digital information is key.
Very powerful cryptographic tool in the form of secure function evaluation.
Research on efficient instantiations, possibly with some security relaxations.