Efficient Privacy-Preserving Biometric Identification
Yan Huang, Lior Malka, David Evans, Jonathan Katz
http://www.mightbeevil.org/secure-biometrics/
Feb 9, 2011
Motivating Scenario: Private No-Fly Checking
Threat Models
Semi-honest adversary: must follow the protocol correctly
Malicious adversary: can deviate arbitrarily from the protocol
In both threat models, an adversary attempts to break either the correctness or the privacy property of the protocol.
Filterbank-based Fingerprint Recognition [Jain et al., 2000]
Also used by Barni et al. [2010].
Non-private Protocol
Privacy-preserving Protocol
Euclidean Distance
Let $d_i$ be the distance between $v_i = [v_{i,j}]_{1 \le j \le N}$ and $v' = [v'_j]_{1 \le j \le N}$:

$$
d_i = \|v_i - v'\|^2 = \sum_{j=1}^{N} (v_{i,j} - v'_j)^2
= \underbrace{\sum_{j=1}^{N} v_{i,j}^2}_{S_{i,1}}
+ \underbrace{\sum_{j=1}^{N} (-2 v_{i,j} \cdot v'_j)}_{S_{i,2}}
+ \underbrace{\sum_{j=1}^{N} {v'_j}^2}_{S_3}
$$

For privacy, we want to compute $\llbracket d_i \rrbracket_{pk}$.
Additive Homomorphic Encryption
$$
\llbracket a \rrbracket_{pk},\ \llbracket b \rrbracket_{pk} \implies \llbracket a + b \bmod p \rrbracket_{pk} = \llbracket a \rrbracket_{pk} \cdot \llbracket b \rrbracket_{pk}
$$
$$
\llbracket a \rrbracket_{pk},\ c \implies \llbracket c \cdot a \bmod p \rrbracket_{pk} = \llbracket a \rrbracket_{pk}^{\,c}
$$
We used the Paillier cryptosystem [Catalano et al., 2001, Paillier, 1999] in our prototype.
Private Euclidean Distance
$$
\llbracket d_i \rrbracket
= \Bigl\llbracket \underbrace{\sum_{j=1}^{N} v_{i,j}^2}_{S_{i,1}}
+ \underbrace{\sum_{j=1}^{N} (-2 v_{i,j} v'_j)}_{S_{i,2}}
+ \underbrace{\sum_{j=1}^{N} {v'_j}^2}_{S_3} \Bigr\rrbracket
= \llbracket S_{i,1} \rrbracket \cdot \llbracket S_{i,2} \rrbracket \cdot \llbracket S_3 \rrbracket
$$

$$
\llbracket S_{i,2} \rrbracket
= \Bigl\llbracket \sum_{j=1}^{N} (-2 v_{i,j} v'_j) \Bigr\rrbracket
= \prod_{j=1}^{N} \llbracket -2 v_{i,j} \rrbracket^{v'_j}
$$
Improving the Efficiency
Modular exponentiation is slow. For every $i$, computing $\llbracket S_{i,2} \rrbracket$ requires $N$ modular exponentiations. Overall, it involves $MN$ modular exponentiations.
Encode many messages in one homomorphic encryption.
Packing was introduced by Sadeghi et al. [2009] to save bandwidth, but is exploited more aggressively here to save computation also.
Padding 0’s to Ensure Correctness
Vertical Partitioning to Speedup Computing JSi,2K
$$
\llbracket S_{i,2} \rrbracket = \prod_{j=1}^{N} \llbracket -2 v_{i,j} \rrbracket^{v'_j}
$$

$$
\llbracket S_{1,2} \| S_{2,2} \| \cdots \| S_{\kappa,2} \rrbracket
= \prod_{1 \le j \le N} \llbracket -2 v_{1,j} v'_j \| -2 v_{2,j} v'_j \| \cdots \| -2 v_{\kappa,j} v'_j \rrbracket
$$

$$
\llbracket -2 v_{1,j} v'_j \| -2 v_{2,j} v'_j \| \cdots \| -2 v_{\kappa,j} v'_j \rrbracket
= \llbracket -2 v_{1,j} \| -2 v_{2,j} \| \cdots \| -2 v_{\kappa,j} \rrbracket^{v'_j}
$$

The server's values, packed one column $j$ at a time:

$$
\begin{pmatrix}
-2v_{1,1} & -2v_{1,2} & \cdots & -2v_{1,N} \\
-2v_{2,1} & -2v_{2,2} & \cdots & -2v_{2,N} \\
\vdots & \vdots & \ddots & \vdots \\
-2v_{\kappa,1} & -2v_{\kappa,2} & \cdots & -2v_{\kappa,N}
\end{pmatrix}
$$
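The packed distance computation above as an added worked example in Python (written for this page, not the authors' software): a toy Paillier with constructed tiny primes (insecure, illustration only), a client that sends ⟦v'_j⟧ and ⟦S_3⟧, and a server that obtains ⟦d_1‖⋯‖d_κ⟧ with N exponentiations for all κ records by raising each ⟦v'_j⟧ to the packed column −2v_{1,j}‖⋯‖−2v_{κ,j}. The slot width w is the 0-padding that keeps neighbouring slots from interfering; all vectors and key sizes are constructed values.

```python
import random
from math import gcd

def paillier_keygen(p=1000003, q=1000033):
    """Toy Paillier keypair from constructed tiny primes (insecure, illustration only)."""
    n = p * q
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)
    return (n, n + 1), (lam, pow(lam, -1, n))  # g = n + 1, so mu = lam^-1 mod n

def encrypt(pk, m):
    n, g = pk
    r = random.randrange(1, n)
    while gcd(r, n) != 1:  # practically never loops with real-size primes
        r = random.randrange(1, n)
    return pow(g, m % n, n * n) * pow(r, n, n * n) % (n * n)

def decrypt(pk, sk, c):
    (n, _), (lam, mu) = pk, sk
    m = (pow(c, lam, n * n) - 1) // n * mu % n
    return m if m <= n // 2 else m - n  # centred: negative plaintexts come back signed

def pack(values, w):
    return sum(v << (i * w) for i, v in enumerate(values))  # w bits per slot, incl. 0-padding

def unpack(total, count, w):
    """Inverse of pack for signed slots; requires |slot| < 2^(w-1)."""
    out, mask = [], (1 << w) - 1
    for _ in range(count):
        s = total & mask  # Python ints act as two's complement, so this also works for total < 0
        if s >= 1 << (w - 1):
            s -= 1 << w
        out.append(s)
        total = (total - s) >> w
    return out

def server_packed_distances(pk, V, enc_vprime, enc_s3, w):
    """Server: [[d_1||...||d_kappa]] from the client's [[v'_j]] and [[S_3]], N exponentiations for all kappa records."""
    n, n2 = pk[0], pk[0] ** 2
    acc = 1
    for j, c in enumerate(enc_vprime):
        # [[v'_j]] ^ (-2v_{1,j}||...||-2v_{kappa,j}) = [[-2v_{1,j}v'_j||...||-2v_{kappa,j}v'_j]]
        column = pack([-2 * row[j] for row in V], w)
        acc = acc * pow(c, column % n, n2) % n2
    # S_{i,1} is the server's own data: all kappa values go in as one packed encryption.
    acc = acc * encrypt(pk, pack([sum(x * x for x in row) for row in V], w)) % n2
    # S_3 is identical for every record: replicate [[S_3]] into every slot.
    return acc * pow(enc_s3, pack([1] * len(V), w), n2) % n2

def run_example():
    pk, sk = paillier_keygen()
    V = [[3, 7, 1, 9], [4, 4, 4, 4], [0, 15, 2, 8]]  # server's kappa=3 records (constructed)
    vprime = [5, 6, 1, 12]                            # client's probe vector (constructed)
    w = 12  # slot width: each d_i < 2^11 here, and 3 * 12 bits stays far below n
    enc_vprime = [encrypt(pk, x) for x in vprime]     # client sends [[v'_j]] ...
    enc_s3 = encrypt(pk, sum(x * x for x in vprime))  # ... and [[S_3]]
    c = server_packed_distances(pk, V, enc_vprime, enc_s3, w)
    got = unpack(decrypt(pk, sk, c), len(V), w)
    want = [sum((a - b) ** 2 for a, b in zip(row, vprime)) for row in V]
    return got, want
```

With real parameters the client would not decrypt the distances directly; the next slide masks them with nonces first.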
Effects of Packing
(Chart: Time and Bandwidth.)
Sharing the Secrets
The server generates nonce masks $r = [r_1, r_2, \cdots, r_M]$ and sends

$$
\llbracket d'_1 \| \cdots \| d'_M \rrbracket_{pk} = \llbracket (d_1 + r_1) \| (d_2 + r_2) \| \cdots \| (d_M + r_M) \rrbracket_{pk},
$$

where $pk$ is the client's public key.
Make the sampling range of $r_i$ large enough that $d'_i$ and $d_i$ are statistically indistinguishable.
Garbled Circuits Protocol
- Efficient oblivious transfer protocol combining schemes from both [Naor and Pinkas, 2001] and [Ishai et al., 2003]
- Standard garbled circuits [Yao, 1986] combined with the free-XOR technique [Kolesnikov and Schneider, 2008]
Finding the Minimum Difference
Goal: Given $d' = d + r$ and $r$, securely compute $d^* = \min_{1 \le i \le M}(d_i, \varepsilon)$.
Reducing the Bit-width
Saves $2M(\ell - k)$ non-free gates in total.
Finding the Record
Ultimate goal is to retrieve the record associated with d∗
Prior work [Kolesnikov et al., 2009] accomplished this by relaying indices throughout the M-to-1 Min circuit. We achieve this with a backtracking protocol:
1. No need to propagate ID numbers
2. Obtain record without an extra secure information retrieval by ID
3. Use labels obtained in garbled circuit execution
The 2-to-1 Min
Mini Example — The Server
Selection Wires in the M-to-1 Min Tree
Backtracking — The Sender
$n_1, n_2, n_3$ are random nonces known only to the sender.
Backtracking — The Receiver
Client knows $\lambda^0_\varepsilon, \lambda^0_1, \lambda^1_2, \lambda^0_3$ from circuit evaluation, so is able to infer $n_1$, $n_2$, and Radu.
System Recap
Results — Online Performance
(Chart: online time and bandwidth, broken down into Distance, OT, Circuit and Backtracking.)
4.6× faster and uses 58% less bandwidth than Barni et al. [2010], even though we compute the global minimum
Thank you!
Software available for download at: http://www.mightbeevil.org/secure-biometrics/
References
Mauro Barni, Tiziano Bianchi, Dario Catalano, Mario Di Raimondo, Ruggero Donida Labati, Pierluigi Faillia, D. Fiore, R. Lazzeretti, V. Piuri, F. Scotti, and A. Piva. Privacy-Preserving Fingercode Authentication. In ACM Multimedia and Security Workshop, 2010.
Dario Catalano, Rosario Gennaro, Nick Howgrave-Graham, and Phong Nguyen. Paillier's Cryptosystem Revisited. In ACM Conference on Computer and Communications Security, 2001.
Yuval Ishai, Joe Kilian, Kobbi Nissim, and Erez Petrank. Extending Oblivious Transfers Efficiently. In CRYPTO, 2003.
Anil Jain, Salil Prabhakar, Lin Hong, and Sharath Pankanti. Filterbank-based Fingerprint Matching. IEEE Transactions on Image Processing, pages 846–859, January 2000.
Vladimir Kolesnikov and Thomas Schneider. Improved Garbled Circuit: Free XOR Gates and Applications. In International Colloquium on Automata, Languages and Programming, 2008.
Vladimir Kolesnikov, Ahmad-Reza Sadeghi, and Thomas Schneider. Improved Garbled Circuit Building Blocks and Applications to Auctions and Computing Minima. In International Conference on Cryptology and Network Security, 2009.
Moni Naor and Benny Pinkas. Efficient Oblivious Transfer Protocols. In ACM-SIAM Symposium on Discrete Algorithms, 2001.
Pascal Paillier. Public-key Cryptosystems based on Composite Degree Residuosity Classes. In EUROCRYPT, 1999.
Ahmad-Reza Sadeghi, Thomas Schneider, and Immo Wehrenberg. Efficient Privacy-Preserving Face Recognition. In International Conference on Information Security and Cryptology, 2009.
Andrew Yao. How to Generate and Exchange Secrets. In Symposium on Foundations of Computer Science, 1986.