1 / 19

Privacy-Preserving Computation

Privacy-Preserving Computation. 2006. 12. 22 서울대학교 ISaC 연구센터 서재홍 , 윤효진*. Contents. Introduction Preliminaries Analysis of KS05 Kissner and Song’s Privacy-Preserving Operation Analysis of polynomial representation of element reduction in KS05

jeremy-boyle
Télécharger la présentation

Privacy-Preserving Computation

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Privacy-Preserving Computation 2006. 12. 22 서울대학교 ISaC 연구센터 서재홍, 윤효진*

  2. Contents • Introduction • Preliminaries • Analysis of KS05 • Kissner and Song’s Privacy-Preserving Operation • Analysis of polynomial representation of element reduction in KS05 • Analysis of Over-Threshold Set-Union protocol in KS05 • A Correct Privacy-Preserving Element Reduction

  3. Introduction • Privacy-preserving set operation without TTP • Set-Union, Set-Intersection and Element Reduction of multiset, … • Element reduction of multiset S by d, Rdd(S), : is composed of elements of S such that for every element ‘a’ that appears d' times in S, ‘a’ is included in max{0, d'-d} times in Rdd(S). • Example • A distributed network monitoring service

  4. A distributed network monitoring threshold number = 1,000 1230 3900 103 306 1709 305

  5. A distributed network monitoring threshold number = 1,000 4260 1320

  6. Preliminary • Requirements • Additively homomorphic public key cryptosystem • EPK(a+b)=EPK(a) +h EPK(b) • EPK(c∙a)=c ⅹh EPK(a), where c is a constant • Re-randomization • Secure (n,n)-threshold decryption ⇒Paillier Encryption Scheme

  7. Preliminary • Element reduction of multiset S by d, Rdd(S), : is composed of elements of S such that for every element ‘a’ that appears d' times in S, ‘a’ is included in max{0, d'-d} times in Rdd(S). • Polynomial Representation of Multiset • Let a ring R be a domain of E and P a subset of the ring R, where the elements in P are uniformly distributed in R and the probability that randomly chosen element of R is an element in P is negligible. , where f∈R[x] and Sj∈P. • Encryption of a polynomial f(x)=∑0≤i≤deg(f) f[i]xi : E(f(x)) = (E(f[0]), …, E(f[deg(f)]))

  8. Preliminary • Feasible homomorphic operations of E • For given E(f) and E(g), • For given E(f) and a polynomial g, • For given E(f), • Given E(f) and a constant c,

  9. Analysis of KS05

  10. Privacy-Preserving Operation (KS05) • Kissner-Song (CRYPTO 2005) • Polynomial representation of • For f and g corresponding to multisets S and T, • Union: • Intersection: • (Incorrect) Element reduction by d:

  11. The Justification of Rdd(S)↔gcd(f, f (d)) • Lemma 2 [KS05].Let R be a ring, f(x)∈R[x]. • If (x-a)d+1|f(x), then (x-a)|f(d)(x) • If (x-a) | f(x) and (x-a)d+1 | f(x) then (x-a) | f(d)(x)

  12. Counter Example of the Lemma 2 • Lemma 2 [KS05].Let R be a ring, f(x)∈R[x]. • If (x-a)d+1|f(x), then (x-a)|f(d)(x) • If (x-a) | f(x) and (x-a)d+1 | f(x) then (x-a) | f(d)(x) • Counter example Let f(x)=(x-a)(x-b)(x-c) where a, b and c∈P. If the Lemma 2 is correct, then (x-a) | f(x) and (x-a)3 | f(x)⇒(x-a) | f(2)(x). But f(2)(x)=6x-2(a+b+c) thus (x-a) | f(2)(x), when c=2a-b

  13. An Error of the Rdd(S)↔gcd(f, f (d)) • As the previous counter example, • for the multiset S = {a, b, 2a-b}, Rd2(S) = { }, but gcd(f, f (2))=(x-a) • Thus the polynomial representation of element reduction proposed in KS05 is wrong.

  14. Over-Threshold Set-Union Protocol • Goal of the protocol • All players know elements in the union of the each players’ private multisets that appears more than a threshold number ‘d’ times, and the frequency of these elements in the union without gaining any other information. • We call the elements of resulting set as over-threshold elements in the union of private sets of all players. • An example • A distributed network monitoring service

  15. Critical Errors of the protocol Over-Threshold Set-Union protocol of KS05 • The significance of the analysis • In the distributed network monitoring system with a privacy policy that says ‘the monitoring system identify only the users with anomalous behavior over threshold 3’, Then the user ‘a’ will be identified in the monitoring system, but it appears only once and should not be identified in the monitoring system. Input Over-Threshold • each private multiset • threshold number ‘3’ Output Uion {a} Assume the union of each private multiset is S={a,b,2a-b}.

  16. A Correct Privacy-Preserving Element Reduction

  17. A Correct Polynomial Representation • Lemma. (x-a)d+1| f(x)⇔(x-a)| f(x), (x-a)| f'(x),∙∙∙, (x-a)| f(d)(x) • Corollary.(x-a)d+1| f(x)⇒ (x-a)d| f'(x) • Theorem Let a polynomial f be a polynomial representaion of a multiset S. For a∈S and positive integer t, (x-a)t| gcd(f, f',∙∙∙,f(d)), (x-a)t | gcd(f, f',∙∙∙,f(d)) ⇔a appears t times in Rdd(S). That is,

  18. Over-Threshold Set-Operation Protocol • Set-Operation • Element-Reduction : Each player i=1, ∙∙∙ ,c+1 • computes Epk(p'), ∙∙∙ ,Epk(p(d)) from Epk(p). • chooses randomly d+1 polynomials ti,0 ,∙∙∙ ,ti,d∈Rk[x]. • send Epk(p*ti,0+F1*p'*ti,1+∙∙∙ +F1*p(d)*ti,d) to all other player. • Group-Decryption • Recovering-Set

  19. Thank you!

More Related