Presentation is loading. Please wait.

Presentation is loading. Please wait.

CAE: A Collusion Attack against Privacy-preserving Data Aggregation Schemes Wei Yang University of Science and Technology of China (USTC) Contact Me.

Published byDiana Stachinski Antunes Modified over 5 years ago

Similar presentations

Presentation on theme: "CAE: A Collusion Attack against Privacy-preserving Data Aggregation Schemes Wei Yang University of Science and Technology of China (USTC) Contact Me."— Presentation transcript:

1 CAE: A Collusion Attack against Privacy-preserving Data Aggregation Schemes Wei Yang University of Science and Technology of China (USTC) Contact Me

2 Privacy-preserving Data Aggregation Schemes
Nowadays, more and more data are generated and accumulated, both from the physical world and from the interactivities between humans. Performing efficient data aggregation while keeping the property of privacy preservation of user-related data is of high concern. Extensive research has been conducted to address this problem in multiple areas. As a fact, the security of a number of privacy-preserving protocols are threatened by collusion between participants. Therefore, security analysis plays a fundamental role in privacy-preserving data aggregation protocols. 2 of 10

3 Hamburger Attack Model
Question: Under what condition can a collusion attack be applied to a privacy-preserving data aggregation protocol? In a previous work of ours, we investigated the degree to which collusion attacks violate privacy under different aggregation protocols. We proposed a new attack model named Hamburger Attack, which involves two participants, top bread and bottom bread. The Hamburger Attack not only breaks the famous data aggregation scheme CPDA, but also breaks some new schemes which are claimed to be of collusion attack resistance. However, the mechanism of the Hamburger Attack is vague. There is no formalized model nor rigorous descriptions about the conditions under which the attack will be successful. Also, it is not clear if the Hamburger Attack can work on other data aggregation schemes or what kind of aggregation schemes it can work on. Here, a natural and important question arises: under what condition can a collusion attack be applied to a privacy-preserving data aggregation protocol? 3 of 10

4 CAE Model In this work, we tackle this question with the idea of emulation. More specifically, we construct a Collusion Attack Emulator, namely, CAE, for privacy preserving data aggregation schemes. With this new tool, we can check data aggregation protocols and make sure that whether collusion attack can be applied to these privacy preserving aggregation protocols. In addition, if some protocols are identified to be insecure, namely they did not pass the CAE security check, we can design collusion attack strategy pertinent to the CAE procedure more easily. 4 of 10

5 Key definition 1: Check Points
Two key definitions are very helpful in our CAE model. The first is check points. 5 of 10

6 Key definition 2: Procedure Distinguishability
The second key definitions is Procedure Distinguishability. By the above definition, if two outputs of a protocol cannot be distinguished by any computer procedure, they are said to be Procedure Indistinguishable. For example, we have two probability ensembles {Xn} = r and {Yn} = 10r, where r is distributed uniformly and randomly in real number field. Given that Alice outputs a sequence of values using one of {Xn} and {Yn} as the resource, and Bob outputs another sequence using another probability ensemble. Then we cannot distinguish between these two sequences and thus cannot tell which probability ensemble is adopted by Alice, and vice verse. In this situation, we say that these two probability ensembles are Procedure Indistinguishable. On the other hand, if r is distributed uniformly and randomly in integer field, then it is not hard to see that {Xn} = r and {Yn} = 10r are of Procedure Distinguishability, as long as they output enough times (in probabilistic polynomial-time). 6 of 10

7 The general idea of CAE Model
Using a constant number as its input to interact with HA box Judging with whom it is interact In CAE model, an emulator Ei for a participant pi in a privacy-preserving data aggregation scheme has no knowledge about the participant’s private input. Instead, it uses a constant number, which is a value known to all participants in the scheme, as its input. Meanwhile, Ei is assumed to be aware of the whole execution procedure of the data aggregation scheme. The mission for emulator Ei is to emulate the behavior of participant pi. If two colluding participants pa and pb cannot distinguish between Ei and pi, we say that Ei perfectly conceals the private data of pi against collusion attack of pa and pb. However, if Ei cannot pass the CAE check, namely it is identified (by pa and pb) to be using the constant value as its input, then it implies that the private input of pi is vulnerable under collusion attack. 7 of 10

8 Two functions of CAE Model
Explanation Function Blind detection Function An aggregation scheme has been known to be vulnerable under collusion attack and we use CAE to explain why it is insecure. We do not know whether an aggregation protocol is secure in advance, and employ CAE to check its security and (if the protocol cannot pass the CAE test and thus to be insecure) to find its loophole. Proof function. In this work, we demonstrate two helpful functions of our CAE model. The first function is known-attack analysis. That is, the aggregation scheme has been known to be vulnerable under collusion attack and we use CAE to explain why it is insecure. The second function is blind detection, i.e., we do not know whether an aggregation protocol is secure in advance, and employ CAE to check its security and (if the protocol cannot pass the CAE test and thus to be insecure) to find its loophole. 8 of 10

9 9 of 10

10 THANK YOU! Contact Me

Download ppt "CAE: A Collusion Attack against Privacy-preserving Data Aggregation Schemes Wei Yang University of Science and Technology of China (USTC) Contact Me."

Similar presentations

Computational Privacy. Overview Goal: Allow n-private computation of arbitrary funcs. –Impossible in information-theoretic setting Computational setting:

Computational Privacy. Overview Goal: Allow n-private computation of arbitrary funcs. –Impossible in information-theoretic setting Computational setting:
Many-to-one Trapdoor Functions and their Relations to Public-key Cryptosystems M. Bellare S. Halevi A. Saha S. Vadhan.

Many-to-one Trapdoor Functions and their Relations to Public-key Cryptosystems M. Bellare S. Halevi A. Saha S. Vadhan.
Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.
CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.

CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.
CSCE 715 Ankur Jain 11/16/2010. Introduction Design Goals Framework SDT Protocol Achievements of Goals Overhead of SDT Conclusion.

CSCE 715 Ankur Jain 11/16/2010. Introduction Design Goals Framework SDT Protocol Achievements of Goals Overhead of SDT Conclusion.
Cramer-Shoup is Plaintext Aware in the Standard Model Alexander W. Dent Information Security Group Royal Holloway, University of London.

Cramer-Shoup is Plaintext Aware in the Standard Model Alexander W. Dent Information Security Group Royal Holloway, University of London.
CMSC 414 Computer and Network Security Lecture 3 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 3 Jonathan Katz.
Abstract Provable data possession (PDP) is a probabilistic proof technique for cloud service providers (CSPs) to prove the clients' data integrity without.

Abstract Provable data possession (PDP) is a probabilistic proof technique for cloud service providers (CSPs) to prove the clients' data integrity without.
Cryptography Lecture 8 Stefan Dziembowski

Cryptography Lecture 8 Stefan Dziembowski
Oblivious Signature-Based Envelope Ninghui Li, Stanford University Wenliang (Kevin) Du, Syracuse University Dan Boneh, Stanford University.

Oblivious Signature-Based Envelope Ninghui Li, Stanford University Wenliang (Kevin) Du, Syracuse University Dan Boneh, Stanford University.
1 CIS 5371 Cryptography 3. Private-Key Encryption and Pseudorandomness B ased on: Jonathan Katz and Yehuda Lindel Introduction to Modern Cryptography.

1 CIS 5371 Cryptography 3. Private-Key Encryption and Pseudorandomness B ased on: Jonathan Katz and Yehuda Lindel Introduction to Modern Cryptography.
Slide 1 Vitaly Shmatikov CS 380S Introduction to Secure Multi-Party Computation.

Slide 1 Vitaly Shmatikov CS 380S Introduction to Secure Multi-Party Computation.
Device-independent security in quantum key distribution Lluis Masanes ICFO-The Institute of Photonic Sciences arXiv:0807.2158.

Device-independent security in quantum key distribution Lluis Masanes ICFO-The Institute of Photonic Sciences arXiv:
Zero-knowledge proof protocols 1 CHAPTER 12: Zero-knowledge proof protocols One of the most important, and at the same time very counterintuitive, primitives.

Zero-knowledge proof protocols 1 CHAPTER 12: Zero-knowledge proof protocols One of the most important, and at the same time very counterintuitive, primitives.
Investigation on the Library Robot “Alice” in an enterprise Lin Yuan.

Investigation on the Library Robot “Alice” in an enterprise Lin Yuan.
1 Privacy Aware Incentive Mechanism to Collect Mobile Data While Preventing Duplication Junggab Son*, Donghyun Kim*, Rasheed Hussain**, Sung-Sik Kwon*,

1 Privacy Aware Incentive Mechanism to Collect Mobile Data While Preventing Duplication Junggab Son*, Donghyun Kim*, Rasheed Hussain**, Sung-Sik Kwon*,
Security Analysis of a Privacy-Preserving Decentralized Key-Policy Attribute-Based Encryption Scheme.

Security Analysis of a Privacy-Preserving Decentralized Key-Policy Attribute-Based Encryption Scheme.
Cryptographic Protocols Secret sharing, Threshold Security

Cryptographic Protocols Secret sharing, Threshold Security
P & NP.

P & NP.
Topic 36: Zero-Knowledge Proofs

Topic 36: Zero-Knowledge Proofs

Similar presentations

Ads by Google