Presentation is loading. Please wait.

Presentation is loading. Please wait.

Collaborative, Privacy-Preserving Data Aggregation at Scale Michael J. Freedman Princeton University Joint work with: Benny Applebaum, Haakon Ringberg,

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Collaborative, Privacy-Preserving Data Aggregation at Scale Michael J. Freedman Princeton University Joint work with: Benny Applebaum, Haakon Ringberg,"— Presentation transcript:

1 Collaborative, Privacy-Preserving Data Aggregation at Scale Michael J. Freedman Princeton University Joint work with: Benny Applebaum, Haakon Ringberg, Matthew Caesar, and Jennifer Rexford

2 Problem: Network Anomaly Detection

3 Collaborative anomaly detection Some attacks look like normal traffic – e.g., SQL-injection, application-level DoS [Srivatsa TWEB ‘08] Is it a DDoS attack or a flash crowd? [Jung WWW ‘02] Yahoo! Google Bing I’m not sure about Beasty! I’m not sure about Beasty! I’m not sure about Beasty! I’m not sure about Beasty! I’m not sure about Beasty! I’m not sure about Beasty!

4 Collaborative anomaly detection Targets (victims) could correlate attacks/attackers [Katti IMC ’05], [Allman Hotnets ‘06], [Kannan SRUTI ‘06], [Moore INFOC ‘03] Yahoo! Google Bing “Fool us once, shame on you. Fool us N times, shame on us.”

5 Problem: Network Anomaly Detection Solution: Aggregate suspect IPs from many ISPs Flag those IPs that appear > threshold τ

6 Problem: Distributed Ranking Solution: Collect domain statistics from many users Aggregate data by domain

7 Problem: … Solution: Aggregate (id, data) from many sources Analyze data grouped by id

8 But what about privacy? What inputs are submitted? Who submitted what?

9 Data Aggregation Problem Many participants, each with (key, value) observation Goal: Aggregate observations by key KeyValues k1k1 ( v a, v b ) k2k2 ( v i, v j, v k ) … knkn ( v x ) A A A

10 Data Aggregation Problem Many participants, each with (key, value) observation Goal: Aggregate observations by key KeyValues k1k1 ( v a, v b ) k2k2 ( v i, v j, v k ) … knkn ( v x ) A A A F ( ) ) ) PDA: Only release the value column CR-PDA:Plus keys whose values satisfy some func

11 Data Aggregation Problem Many participants, each with (key, value) observation Goal: Aggregate observations by key KeyValues k1k1 ( 1, 1 ) k2k2 ( 1, 1, 1 ) … knkn ( 1 ) Σ Σ Σ PDA: Only release the value column CR-PDA:Plus keys whose values satisfy some func ≥ τ ? ? ?

12 Goals Keyword privacy: No party learns anything about keys Participant privacy: No party learns who submitted what Efficiency: Scale to many participants, each with many inputs Flexibility: Support variety of computations over values Lack of coordination: – No synchrony required, individuals cannot prevent progress – All participants need not be online at same time

13 Potential solutions Approach Keyword Privacy Participant PrivacyEfficiencyFlexibility Lack of Coord Garbled Circuit Evaluation Multiparty Set Intersection YesYesVery PoorYesNo YesYesPoorNoNo Decentralized

14 SecurityEfficiency Weaken security assumptions? – Assume honest but curious participants? – Assume no collusion among malicious participants? In large/open setting, easy to operate multiple nodes (so-called “Sybil attack”)

15 Towards Centralization? DB Participants

16 Potential solutions Approach Keyword Privacy Participant PrivacyEfficiencyFlexibility Lack of Coord Garbled Circuit Evaluation Multiparty Set Intersection Hashing Inputs Network Anonymization YesYesVery PoorYesNo YesYesPoorNoNo NoNoVery GoodYesYes NoYesVery GoodYesYes Decentralized Centralized

17 Towards semi-centralization Participants ProxyDB Assumption: Proxy and DB do not collude

18 Potential solutions Approach Keyword Privacy Participant PrivacyEfficiencyFlexibility Lack of Coord Garbled Circuit Evaluation Multiparty Set Intersection Hashing Inputs Network Anonymization This Work YesYesVery PoorYesNo YesYesPoorNoNo NoNoVery GoodYesYes NoYesVery GoodYesYes YesYesGoodYesYes Decentralized Centralized

19 Privacy Guarantees Privacy of PDA against malicious entities and participants – Malicious participant may collude with either malicious proxy or DB, but not both – May violate correctness in almost arbitrary ways Privacy of CR-PDA against honest-but-curious entities and malicious participants

20 PDA Strawman #0 ParticipantProxyDB 1. Client sends input k k

21 PDA Strawman #1 ParticipantProxyDB 1. Client sends encrypted input k 2. Proxy batches and retransmits 3. DB decrypts input ds k# 1.1.1.11 2.2.2.29 Violates keyword privacy E DB (k)

22 ds PDA Strawman #2 ParticipantProxyDB 1. Client sends hashes of k 2. Proxy batches and retransmits 3. DB decrypts input H (k)# H(1.1.1.1) 1 H(2.2.2.2) 9 Still violates keyword privacy: IPs drawn from small domains Still violates keyword privacy: IPs drawn from small domains E DB ( H (k) )

23 PDA Strawman #3 ParticipantProxyDB 5. Proxy recovers k from E PRX (k) 1. Client sends keyed hashes of k – Keyed hash function (PRF) – Key s known only by proxy F s (k)# F s (1.1.1.1) 1 F s (2.2.2.2) 9 E DB ( F s (k) ) But how do clients learn F s (IP)) ? But how do clients learn F s (IP)) ? Secret s

24 Our Basic PDA Protocol ParticipantProxyDB 1. Client sends keyed hashes of k – F s (x) learned by client through Oblivious PRF protocol 2.Proxy batches and retransmits keyed hash 3.DB decrypts input F s (k)# F s (1.1.1.1) 1 F s (2.2.2.2) 9 E DB ( F s (k) ) OPRF E DB ( F s (k) ) F s (k) Secret s

25 F s (k)# F s (1.1.1.1) 1 F s (2.2.2.2) 9 retransmits Basic CR-PDA Protocol ParticipantProxyDB 1.Client sends keyed hashes of k, and encrypted k for recovery 2.Proxy retransmits keyed hash 3.DB decrypts input 4.Identify rows to release and transmit E PRX (k) to proxy 5.Proxy decrypts k and releases E DB ( F s (k) ) F s (k) E DB (E PRX (k)) E PRX (k) F s (k)#Enc’d k F s (1.1.1.1) 1E PRX ( 1.1.1.1 ) F s (2.2.2.2) 9E PRX ( 2.2.2.2 ) Secret s

26 retransmits Privacy Properties ParticipantProxyDB Any coalition of HBC participants HBC coalition of proxy and participants HBC database E DB ( F s (k) ) F s (k) E DB (E PRX (k)) E PRX (k) Keyword privacy: Nothing learned about unreleased keys Participant privacy: Key  Participant not learned Secret s

27 retransmits Privacy Properties ParticipantProxyDB Any coalition of HBC participants HBC coalition of proxy and participants HBC database E DB ( F s (k) ) F s (k) E DB (E PRX (k)) E PRX (k) Keyword privacy: Nothing learned about unreleased keys Participant privacy: Key  Participant not learned Secret s malicious participants HBC coalition of DB and participants

28 retransmits More Robust PDA Protocol ParticipantProxyDB Any coalition of HBC participants HBC coalition of proxy and participants HBC database E DB ( F s (k) ) F s (k) E DB (E PRX (k)) E PRX (k) Secret s malicious participants HBC coalition of DB and participants ORPF  Encrypted OPRF Protocol Ciphertext re-randomization by proxy Proof by participant that submitted k’s match

29 Encrypted-OPRF protocol Problem: in basic OPRF protocol, participant learns F s (k) Encrypted-OPRF protocol: – Client learns blinded F s (k) – Client encrypts to DB – Proxy can unblind F s (k) “under the encryption” ( ) r Enc ( )( ) r F s (k) (π s i ) k i =1 El Gamalg mod p

30 Encrypted-OPRF protocol Problem: in basic OPRF protocol, participant learns F s (k) Encrypted-OPRF protocol – Client learns blinded F s (k) – Client encrypts to DB – Proxy can unblind F s (k) “under the encryption” OPRF runs OT protocol for each bit of input k OT protocols expensive, so use batch OT protocol [Ishai et al] ( ) r Enc ( )( ) r F s (k)

31 Scalable Protocol Architecture Participants Client-Facing Proxies Share secret s Proxy Decryption Oracles Share PRX key Front-End DB Tier Share DB key Back-End DB Storage Partition F s keyspace

32 Evaluation Scalable architecture implemented – Basic CR-PDA / PDA protocol + and encrypted-OPRF protocol w/ Batch OT – ~5000 lines of threaded C++, GnuPG for crypto Testbed of 2 GHz Linux machines AlgorithmParameterValue RSA / ElGamalkey size1024 bits Oblivious Transferk80 AESkey size256 bits

33 Throughput vs. participant batch size Single CPU core for DB and proxy each

34 Maximum throughput per server Four CPU cores for DB and proxy (each)

35 Throughput scalability Number CPU cores per DB and proxy (each)

36 Summary Privacy-Preserving Data Aggregation protects: – Participants: Do not reveal who submitted what – Keywords: Only reveal values / released keys Novel composition of crypto primitives – Based on assumption that 2+ known parties don’t collude Efficient implementation of architecture – Scales linearly with computing resources – Ex: Millions of suspected IPs in hours Of independent interest… – Introduced encrypted OPRF protocol – First implementation/validation of Batch OT protocol

Download ppt "Collaborative, Privacy-Preserving Data Aggregation at Scale Michael J. Freedman Princeton University Joint work with: Benny Applebaum, Haakon Ringberg,"

Similar presentations

1 Cryptography: on the Hope for Privacy in a Digital World Omer Reingold VVeizmann and Harvard CRCS.

1 Cryptography: on the Hope for Privacy in a Digital World Omer Reingold VVeizmann and Harvard CRCS.
Quid-Pro-Quo-tocols Strengthening Semi-Honest Protocols with Dual Execution Yan Huang 1, Jonathan Katz 2, David Evans 1 1. University of Virginia 2. University.

Quid-Pro-Quo-tocols Strengthening Semi-Honest Protocols with Dual Execution Yan Huang 1, Jonathan Katz 2, David Evans 1 1. University of Virginia 2. University.
Gate Evaluation Secret Sharing and Secure Two-Party Computation Vladimir Kolesnikov University of Toronto

Gate Evaluation Secret Sharing and Secure Two-Party Computation Vladimir Kolesnikov University of Toronto
Secure Evaluation of Multivariate Polynomials

Secure Evaluation of Multivariate Polynomials
Oblivious Branching Program Evaluation

Oblivious Branching Program Evaluation
P2P data retrieval DHT (Distributed Hash Tables) Partially based on Hellerstein’s presentation at VLDB2004.

P2P data retrieval DHT (Distributed Hash Tables) Partially based on Hellerstein’s presentation at VLDB2004.
Efficient Information Retrieval for Ranked Queries in Cost-Effective Cloud Environments Presenter: Qin Liu a,b Joint work with Chiu C. Tan b, Jie Wu b,

Efficient Information Retrieval for Ranked Queries in Cost-Effective Cloud Environments Presenter: Qin Liu a,b Joint work with Chiu C. Tan b, Jie Wu b,
Implementing Oblivious Transfer Using a Collection of Dense Trapdoor Permutations Iftach Haitner www.wisdom.weizmann.ac.il/~iftachh WEIZMANN INSTITUTE.

Implementing Oblivious Transfer Using a Collection of Dense Trapdoor Permutations Iftach Haitner WEIZMANN INSTITUTE.
SPORC: Group Collaboration using Untrusted Cloud Resources Ariel J. Feldman, William P. Zeller, Michael J. Freedman, Edward W. Felten Published in OSDI’2010.

SPORC: Group Collaboration using Untrusted Cloud Resources Ariel J. Feldman, William P. Zeller, Michael J. Freedman, Edward W. Felten Published in OSDI’2010.
Spring 2000CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.

Spring 2000CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
ITIS 6200/8200. 2 Secure multiparty computation – Alice has x, Bob has y, we want to calculate f(x, y) without disclosing the values – We can only do.

ITIS 6200/ Secure multiparty computation – Alice has x, Bob has y, we want to calculate f(x, y) without disclosing the values – We can only do.
Rational Oblivious Transfer KARTIK NAYAK, XIONG FAN.

Rational Oblivious Transfer KARTIK NAYAK, XIONG FAN.
CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.

CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.
1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.

1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.
Introduction to Modern Cryptography, Lecture 12 Secure Multi-Party Computation.

Introduction to Modern Cryptography, Lecture 12 Secure Multi-Party Computation.
Lect. 18: Cryptographic Protocols. 2 1.Cryptographic Protocols 2.Special Signatures 3.Secret Sharing and Threshold Cryptography 4.Zero-knowledge Proofs.

Lect. 18: Cryptographic Protocols. 2 1.Cryptographic Protocols 2.Special Signatures 3.Secret Sharing and Threshold Cryptography 4.Zero-knowledge Proofs.
Efficient Private Techniques for Verifying Social Proximity Michael J. Freedman and Antonio Nicolosi Discussion by: A. Ziad Hatahet.

Efficient Private Techniques for Verifying Social Proximity Michael J. Freedman and Antonio Nicolosi Discussion by: A. Ziad Hatahet.
CMSC 414 Computer and Network Security Lecture 12 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 12 Jonathan Katz.
Reusable Anonymous Return Channels

Reusable Anonymous Return Channels
LAAC: A Location-Aware Access Control Protocol YounSun Cho, Lichun Bao and Michael T. Goodrich IWUAC 2006.

LAAC: A Location-Aware Access Control Protocol YounSun Cho, Lichun Bao and Michael T. Goodrich IWUAC 2006.

Similar presentations

Ads by Google