1 / 47

Cryptography

Cryptography. Lecture 1 2 Stefan Dziembowski www.dziembowski.net stefan@dziembowski.net. Plan. Introduction to multiparty cryptographic protocols. Private Information Retrieval. Traditional scenario. Alice and Bob are attacked by an adversary. Multiparty protocols.

winter-myers
Télécharger la présentation

Cryptography

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Cryptography Lecture 12Stefan Dziembowskiwww.dziembowski.net stefan@dziembowski.net

  2. Plan • Introduction to multiparty cryptographic protocols. • Private Information Retrieval

  3. Traditional scenario Alice and Bob are attacked by an adversary.

  4. Multiparty protocols A group of players wants to perform some task together even though they do not trust each other

  5. This is a vast area Examples: • voting • coin-tossing • auctions • .... Today’s lecture: • Private Information Retrieval

  6. AOL search data scandal (2006) #4417749: • clothes for age 60 • 60 single men • best retirement city • jarrett arnold • jack t. arnold • jaylene and jarrett arnold • gwinnett county yellow pages • rescue of older dogs • movies for dogs • sinus infection Thelma Arnold 62-year-old widow Lilburn, Georgia

  7. Observation The owners of databases know a lot about the users! This poses a risk to users’ privacy. E.g. consider database with stock prices… Can we do something about it? Yes, we can: • trust them that they will protect our secrecy, or • use cryptography! problematic problematic!

  8. How can crypto help? Note: this problem has nothing to do with secure communication! database D user U

  9. Our settings secure link database D user U A new primitive: Private Information Retrieval (PIR)

  10. Plan • Definition of PIR • An ideal PIR doesn’t exist • Construction of a computational PIR • Open problems • Literature: • B. Chor, E. Kushilevitz, O. Goldreich and M. Sudan,Private Information Retrieval, Journal of ACM, 1998 • E. Kushilevitz and R. Ostrovsky • Replication Is NOT Needed: SINGLE Database, • Computationally-Private Information Retrieval, FOCS 1997

  11. Question How to protect privacy of queries? database D user U wants to retrieve some data from D shouldn’t learn what U retrieved

  12. Let’s make things simple! ? databaseB: index i = 1,…,w the user should learn Bi each Bi є {0,1} (he may also learn otherBi’s)

  13. Trivial solution The database simply sends everything to the user!

  14. Non-triviality The previous solution has a drawback: the communication complexity is huge! Therefore we introduce the following requirement: “Non-triviality”: the number of bits communicated betweenUand D has to be smaller than w.

  15. correctness secrecy (of the user) non-triviality Private Information Retrieval (PIR) polynomial time randomized interactive algorithms This property needs to be defined more formally! input: input: index i = 1,…,w • at the end the user learns Bi • the database does not learn i • the total communication is < w • Note: secrecy of the database is not required

  16. query Q(i) reply A(Q(i),B) How to define secrecy of the user [1/2]? Def. T(i,B)– transcript of the conversation. i B

  17. How to define secrecy of the user [2/2]? Secrecy of the user: for every i,j є {0,1} ? single-round case: it is impossible to distinguish between Q(i) and Q(j) multi-round case: it is impossible to distinguish between T(i,B) and T(j,B) even if the adversary is malicious • What does it mean? • For now say: • the distribution of Q(i) and Q(j) is the same

  18. PIR doesn’t exists [1/4] We now show that correctness, non-triviality and secrecycannot be satisfied simultaneously. Def: A transcript Tis possiblefor (i,B) if P(T(i,B) = T) > 0 Take some T’,and look where it is possible: databases B indices i

  19. PIR doesn’t exists [2/4] Observation: secrecy→if T’ is possible for someB and i then it is possible forB and all the other i’s databases B indices i

  20. PIR doesn’t exists [3/4] non-triviality→ length(transcript) < length(database) ↓ # transcripts < #databases ↓ there has to exist T’ that is possible for two databases B0 and B1 ← B0 databases B ←B1 indices i

  21. PIR doesn’t exists [4/4] B0 and B1 differ on at least one index i’ So, if i’ is the input of the user then correctness → contradiction i’ ↓ ← B0 databases B ←B1 indices i

  22. So PIR doesn’t exist! • How to bypass the impossibility result? • Two ideas: • limit the computing power of a cheating database • use a larger number of “independent” databases

  23. Computationally-secure PIR secrecy: computational-secrecy: ? For every i,j є {0,1} it is impossible to distinguish efficiently between T(i,B) and T(j,B) Formally: for every polynomial-time probabilistic algorithm A the value: |P(A(T(i,B)) = 0) – P(A(T(j,B))=0)| should be negligible.

  24. Hardness assumptions? [KO97] – construct PIR based on the Quadratic Residuosity Assumption We describe it on the next slides.

  25. Favourite cryptographers’ group p,q – large random primes (|p|=|q|=21024,say) RSA group: Zn*,where n=pq

  26. Chinese remainder theorem Chinese remainder theorem (CRT): For n = pq (where p and q are prime) a function λ: Z*n → Z*p × Z*q defined as λ(i) := (i mod p, i mod q) is an isomorphism.

  27. Example λ(i) := (i mod p, i mod q) Z5* Z15 0 1 2 3 4 0 6 12 3 9 Z3* 10 1 7 13 4 Z15* 5 11 2 8 14

  28. Quadratic Residues Def. x isquadratic residue modulomifthere exists a є Zm* such that x = a2 mod m QR(m) := the set of all quadratic residues modulo m. QNR(m) := Zm* \ QR(n) Z13*: a a2: QR(13): Observation: every quadratic residue modulo 13 has exactly2 square roots, and hence |QR(13)| = |Z13*| / 2.

  29. A Lemma about QRs modulo prime p Lemma: For every prime p we have QR(p) = (p-1)/2 Remark: Letgbe a generator ofZp*. ThenQR(p) = {g0,g2,g4,g6,...,gp-3}. QNR(p) = {g1,g3,g5,g7,...,gp-2}.

  30. QRs modulo pq Z15*: a a2 QR(15): Observation: every quadratic residue modulo 15 has exactly4 square roots, and hence |QR(15)| = |Z15*| / 4.

  31. A Lemma about QRs modulo pq Fact: For n=pq we have |QR(n)| = |Zn*| / 4. Proof: x є QR(n) iff x = a2 mod n, for some a iff (by CRT) x = a2 mod p and x = a2 mod q iff x mod p є QR(p) and x mod q є QR(q) mod p Zn*: QR(p) QR(q) QR(n) mod q

  32. QRs modulo pq – an example 22 mod 5 32 mod 5 12 mod 5 42 mod 5 QR(5) Z15: 0 1 2 3 4 0 6 12 3 9 QR(3) 10 1 7 13 4 5 11 2 8 14 12 mod 3 22 mod 3 QR(5) Z15*

  33. Homomorphism of QR(pq) Q(n,a) = Homomorphism: for all a,bє Zn* Q(n,ab) = Q(n,a) xor Q(n,b) (exercise) 1 if a є QR(n) 0 otherwise

  34. Algorithmic questions about QR • Suppose n=pq • Is it easy to test membership in QR(n)? • Fact: if one knows p and q – yes! • What if one doesn’t know p and q?

  35. Quadratic Residuosity Assumption (QRA) n=pq, where p and q are large primes Note: Zn+is a group! ? a є Zn+ ↓ Zn*: QR(p) QNR(p) • Zn+: • all aє Zn*: such that • a mod p є QR(p) • iff • a mod qє QR(q) QR(q) QR(n) QNR(q) Quadratic Residuosity Assumption (QRA): For a random aєZn+ it is computationally hard to determine if a є QR(n). Formally: for every polynomial-time probabilistic algorithm G the value: |P(G(a) = Q(a)) – 0.5| (where ais random) is negligible.

  36. We are ready to construct PIR! Our PIR will work in the group Zn+, where n=pq. What’s so good about this group?: • testing membership in Zn+ is easy, • testing membership in QR(n) is hard for random elements on Zn+, unless one knowspandq. • homomorphism of Q!

  37. for every j = 1,...,wthe database sets Yj = { Xj2 ifBj = 0 Xjotherwise M First (wrong) idea i i ↓ Yi is a QR iffBi=0 M is a QR iffBi=0 the user checks if M is a QR SetM = Y1· Y2 · ... · Yw

  38. PIR from the previous slide: correctness√ security? To learn i the database would need to distinguish NQR from QR. √ Problems! • non-triviality? doesn’t hold! communication: user → database: |B|· |Z*n| database→ user: |Z*n| Call it: (|B|, 1) - PIR

  39. How to fix it? consider each row as a separate database Idea:Given: construct Suppose that |B|= v2 and present Bas a v×v-matrix:

  40. execute v (v,1)- PIRsin parallel An improved idea v Looks even worse: communication: user → database: v2· |Z*n| database→ user: v·|Z*n| v The method Let j be the column where Biis. In every “row” the user asks for the jth element So, instead of sending v queries the user can send one! Observe: in this way the user learns all the elements in the jth column! j ↓ Bi

  41. for every j = 1,...,vset Yj = { Xj2 ifBj = 0 Xjotherwise Putting things together jth column i kth row here the same row is copied v times: only thiscounts multiply elements in each row Bj=0 iff Mkis QR

  42. So we are done! PIR from the previous slide: • correctness√ • non-triviality:communication complexity = 2√|B|· |Zn| √ • security? The to learn i the database would need to distinguish NQR from QR. Formally: fromany adversary that breaks our schemewe can constructan algorithm that breaks QRA simulates:

  43. (X1,…,Xv) (M1,…,Mv) Improvements database D user U the user is interested just in oneMi. Idea: apply PIR recursively!

  44. Complexity of PIRs – overview of the results their conclusion: It is the time-complexity that matters. In real-life: it is still more practical to transmit the entire database. Communication: • “recursive” PIR of [KO97]: for every c: O(|B|c) • [Cachin, Micali, Stadler, 1999]: poly-logarithmic in |B| • [Lipmaa, 2005]: O(log2|B|) For practical analysis see: • [Sion, Carbunar] On the Computational Practicality of Private Information Retrieval.

  45. Extensions • Symmetric PIR (also protect privacy of the database). [Gertner, Ishai, Kushilevitz, Malkin. 1998] • Searching by key-words [Chor, Gilboa, Naor, 1997] • Public-key encryption with key-word search [Boneh, Di Crescenzo, Ostrovsky, Persiano]

  46. Open problems: • Improve efficiency. • Construct new extensions. What was the key property that we used? homomorphism of QR Holy grail: fully-homomorphic encryption

  47. Fully-homomorphic encryption Observe that we constructed a 1-bit probabilistic public-key encryption scheme: { Enc(X) = Which has the following homomorphic with respect to xor: Enc(X xor Y) = Enc(X) • Enc(Y) It would be really useful to have an encryption scheme homomorphic with respect to: conjunction and negationsimultaneously.

More Related