Comparative Analysis of Binary and Arithmetic Secure Comparison Operations in the Context of Bartering
Benjamin Assadsolimani
Research group IT-Security, RWTH Aachen University
Matr. Nr.: 318173
01. September 2015
Thesis Overview
Analysis of Binary and Arithmetic Secure Comparison (SC) Operations:
Isolated Analysis
1. Implementation of the SC-Prot.:
   • Kerschbaum et al. (int)
   • Nergiz et al. (int)
   • Garay et al. (bit)
2. Performance analysis
Context Bartering Protocol
1. Implementation of the Bartering Protocol
2. Modification for binary support and security analysis
3. Performance analysis of the Bartering Protocol
4. Analysis of a realistic bartering scenario
Benjamin Assadsolimani 1/43
Outline
Introduction
SC-Prot.
  Kerschbaum et al.
  Nergiz et al.
  Garay et al.
  Performance
Bartering Protocol
  Existing Bartering Protocol
  Support for Binary SC-Protocols
  Performance
  Realistic Scenario
Conclusion
References
Secure Multiparty Computation
Secure Multiparty Computation (SMPC) allows a number of parties the joint computation of a function over their private inputs.
Adversary Models
• Passive adversary (semi-honest model):
  • Follows the protocol specification
  • Attempts to learn private information of the other party from participation
• Active adversary (malicious model):
  • Behaviour may arbitrarily deviate from the protocol specification
Motivation
Thesis Goal
Should arithmetic or binary SC-Protocols be used for the bartering protocol in the semi-honest case and when transferring it to the malicious model?
• Arithmetic SC-Protocols have a more complex structure:
  • semi-honest: allows for more efficient algorithms
  • malicious: more difficult to force a corrupted party to follow the protocol
• Binary SC-Protocols have to iterate through every bit:
  • semi-honest: cannot be as efficient as arithmetic SC-Protocols
  • malicious: much easier to enforce since only bit operations are used
IC-Protocol by Kerschbaum et al.
Idea:
1. Subtract x and y using homomorphic addition
2. Sign of the difference determines whether x < y
3. Blind the difference with hiding factors r1 and r2
Additive Homomorphic Cryptosystem:
• Addition:
$E(m_1) \cdot E(m_2) = E(m_1 + m_2)$
• Scalar Multiplication:
$E(m_1) \cdot \ldots \cdot E(m_1) = E(m_1)^k = E(k \cdot m_1)$
Negative Integer Representation
• Negative numbers not represented in modular arithmetic
• Cut plaintext space [0, n − 1] in half:
  • pos. integers: lower half
  • neg. integers: upper half
Protocol Execution
Example: x = 22, y = 24, r1 = 8, r2 = 4, n = 64
1. $(x - y)$: $22 - 24 \equiv 62 \pmod{64}$
2. $(x - y) \cdot r_1$: $62 \cdot 8 \equiv 48 \pmod{64}$
3. $(x - y) \cdot r_1 + r_2$: $48 + 4 = 52$
52 lies in the upper half of [0, 63], so it represents a negative value and x < y.
Protocol Properties
Hiding Factors:
• Draw r1 such that there are no wrap arounds
• Draw r2 < r1 so it does not change the result
Complexity:
• Round complexity: O(1)
• Comp. complexity: O(1)
Security:
• The protocol has a small leak, which occurs with very low probability
• Has been proven secure in the semi-honest model [Wueller et al., 2015]
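The idea and the hiding-factor rules above, as an added Python example that is not from the thesis or its implementation: a toy Paillier cryptosystem stands in for the additive homomorphic scheme. The split of roles (one party holds the key and x, the other holds y), the function names and the small primes are assumptions made for illustration.

```python
import math
import random

# Toy Paillier cryptosystem with g = n + 1. P and Q are constructed sample
# primes, far too small for real use (the slides measure 512 to 4096 bit keys).
P, Q = 104729, 1299709
N, PHI = P * Q, (P - 1) * (Q - 1)
N2 = N * N

def enc(m):
    r = random.randrange(1, N)
    while math.gcd(r, N) != 1:            # r must be a unit modulo N
        r = random.randrange(1, N)
    return pow(1 + N, m % N, N2) * pow(r, N, N2) % N2

def dec(c):
    return (pow(c, PHI, N2) - 1) // N * pow(PHI, -1, N) % N

def add(c1, c2):                          # E(m1) * E(m2) = E(m1 + m2)
    return c1 * c2 % N2

def scalar(c, k):                         # E(m1)^k = E(k * m1)
    return pow(c, k % N, N2)

def to_signed(m):                         # upper half of [0, N-1] = negative
    return m - N if m > N // 2 else m

def blind_difference(cx, y, r1, r2):
    """Party holding y (assumed role): E((x - y) * r1 + r2) from E(x)."""
    diff = add(cx, enc(-y))               # E(x - y)
    return add(scalar(diff, r1), enc(r2))

def less_than(x, y, r1=None, r2=None, bits=10):
    """Return (x < y, blinded value c) for inputs below 2**bits."""
    if r1 is None:
        r1 = random.randrange(2, 2 ** bits)
        r2 = random.randrange(0, r1)
    # r2 < r1 keeps the sign; the size bound rules out wrap-arounds mod N.
    if not (0 <= r2 < r1 and (2 ** bits) * r1 + r2 < N // 2):
        raise ValueError("hiding factors out of range")
    cx = enc(x)                           # key holder (assumed role) sends E(x)
    c = to_signed(dec(blind_difference(cx, y, r1, r2)))
    return c < 0, c
```

With the slide's values, `less_than(22, 24, 8, 4)` decrypts to the blinded value -12, the signed counterpart of 52 in the n = 64 example.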
IC-Protocol by Nergiz et al.
Idea:
• Upper bound m: x, y ≤ m
• Represent integer values [0, m − 1] as a Perfect Binary Tree (PBT)
Figure: 3-Perfect Binary Tree for m = 8, lm = 3
Input Representation
Covering Set:
• x is represented by a Covering Set (CS):
• CS(x) contains all nodes covering (0, x)
Representer Set:
• y is represented by a Representer Set (R):
• R(y) is the minimal set covering exactly the leaf nodes (0, 0), ..., (0, y)
Covering Set
                        (3, 0)
            (2, 0)                  (2, 1)
      (1, 0)      (1, 1)      (1, 2)      (1, 3)
(0, 0) (0, 1) (0, 2) (0, 3) (0, 4) (0, 5) (0, 6) (0, 7)
Figure: Covering Set of leaf node (0, 2) = {(0, 2), (1, 1), (2, 0), (3, 0)}
Representer Set
Figure: Representer Set of leaf set {(0, 0), ..., (0, 5)} = {(2, 0), (1, 2)}
Protocol Execution
Figure: Protocol Execution with x = 2, y = 5 and output = 1
Protocol Properties
Complexity:
• Round complexity: O(1)
• Comp. complexity: O(log_2(m)) = O(lm)
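An added Python example (not code from the slides or from Nergiz et al.) that builds CS(x) and R(y) as defined above in the clear and compares by intersecting them: x ≤ y exactly when the two sets share a node. The function names are assumptions, and the actual protocol evaluates this intersection on protected inputs rather than on plaintext sets.

```python
def covering_set(x, lm):
    """CS(x): all nodes (level, index) on the path from leaf (0, x) to the root."""
    return {(lvl, x >> lvl) for lvl in range(lm + 1)}

def representer_set(y, lm):
    """R(y): minimal node set covering exactly the leaves (0, 0), ..., (0, y)."""
    nodes, start, end = set(), 0, y + 1      # leaves [start, end) still uncovered
    for lvl in range(lm, -1, -1):            # largest subtrees first
        size = 1 << lvl                      # leaves below a node at this level
        if end - start >= size:
            nodes.add((lvl, start >> lvl))   # start is always aligned to size
            start += size
    return nodes

def leq(x, y, lm):
    """Return (x <= y, shared nodes); the sets share at most one node."""
    common = covering_set(x, lm) & representer_set(y, lm)
    assert len(common) <= 1
    return len(common) == 1, common

def set_sizes(x, y, lm):
    """Both sets hold at most lm + 1 nodes, which is the O(lm) cost above."""
    return len(covering_set(x, lm)), len(representer_set(y, lm))
```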
SC-Protocol by Garay et al.
• Inputs are given as sequences of bits:
$x = x_{l_m-1}, \ldots, x_0$
$y = y_{l_m-1}, \ldots, y_0$
• Compute x > y with the following recursion:
1. $t_0 = 0$
2. $t_{i+1} = (1 - (x_i - y_i)^2)\, t_i + x_i (1 - y_i)$
3. $t_{l_m}$ is the output bit
Example
m = 8 → lm = 3
x = 5 = 101
y = 3 = 011
Protocol Execution
x_i  y_i | t_{i+1}
0    0   | t_i
0    1   | 0
1    0   | 1
1    1   | t_i
Inputs: x = 1 0 1, y = 0 1 1
t0 = 0
t1 = 0
t2 = 0
t3 = 1
Output: 1
Complexity
Presented algorithm:
• Round complexity: O(lm)
• Comp. complexity: O(lm)
A variation exists with:
• Round complexity: O(log(lm))
• Comp. complexity: O(lm)
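The recursion above as an added Python example (not from the slides or the thesis implementation), run on plaintext bits to show the trace t0, ..., tlm and to check it against ordinary comparison; in the protocol the same arithmetic is carried out on protected bits. The function names are assumptions.

```python
def step(xi, yi, ti):
    """One round: t_{i+1} = (1 - (x_i - y_i)^2) * t_i + x_i * (1 - y_i)."""
    return (1 - (xi - yi) ** 2) * ti + xi * (1 - yi)

def bits_lsb_first(v, lm):
    """Bits x_0, ..., x_{lm-1} of v; the recursion starts at the lowest bit."""
    if not 0 <= v < (1 << lm):
        raise ValueError("input does not fit into lm bits")
    return [(v >> i) & 1 for i in range(lm)]

def garay_trace(x, y, lm):
    """Return [t_0, ..., t_lm]; the last entry is 1 exactly when x > y."""
    trace = [0]                                   # t_0 = 0
    for xi, yi in zip(bits_lsb_first(x, lm), bits_lsb_first(y, lm)):
        # Equal bits keep the verdict of the lower bits; a differing bit
        # overrides it, so the most significant difference decides.
        trace.append(step(xi, yi, trace[-1]))
    return trace

def greater_than(x, y, lm):
    return garay_trace(x, y, lm)[-1]

def agrees_with_plain_comparison(lm):
    """Exhaustive check over all pairs of lm-bit inputs."""
    return all(greater_than(x, y, lm) == int(x > y)
               for x in range(1 << lm) for y in range(1 << lm))
```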
Influence Input Size
[Figure: runtime (s) over input size (bit) for Kersch. et al., Nergiz et al. and Garay et al.]
[Figure: runtime (s) over input size (bit) for Kersch. et al. and Nergiz et al. only]
Keysize Influence
SC-Protocol / Keysize | 512 Bit | 1024 Bit | 2048 Bit | 4096 Bit
Kersch. et al.        | 0,047s  | 0,073s   | 0,293s   | 2,026s
Nergiz et al.         | 0,216s  | 0,989s   | 7,182s   | 54,123s
Garay et al.          | 5,143s  | 14,652s  | >6h      | -
Table: Runtimes with 16 Bit input size
Secure Two-Party Bartering Protocol
• Two parties want to exchange goods or services
• Privacy preserving: keep the inputs private at all times
• Existence of a potential trade: calculate exchange rates
Bartering Setting
• Publicly known list of commodities C
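• Input of every party:
  • Desired commodity cd at minimum quantity qd
  • Offered commodity co at maximum quantity qo
[Figure: example with the commodity list C and the inputs of two parties; the commodity symbols are not recoverable, the quantities shown are 3, 10 and 6, 2]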
Protocol Structure
1. Do the desired and offered commodities match?
   • Private Equality Test
2. Do the desired and offered quantities match?
   • 2x Secure Comparison
3. If both match:
   • Calculate exchange rates:
     • 2x Secure Comparison
Support for Binary SC-Protocols
1. qo and qd are given as bit sequences instead of integers
2. Switch x and y to compute x < y instead of x > y
3. Share the encrypted output bit
4. Prove security of the new protocol in the semi-honest model
Runtime commodity matching
[Figure: runtime (s) over no. commodities]
Influence Input Size
[Figure: runtime (s) over input size (bits) for Kersch., Nergiz and Garay, each with and without trade]
[Figure: runtime (s) over input size (bits) for Kersch. and Nergiz only, each with and without trade]
Realistic Bartering Scenario
• Bartering is a common practice between small companies for trading otherwise idle resources
• A keysize of 1024 Bit gives sufficient security
• Parties agree on a publicly known list of commodities with 20 entries
• Max. input size lm is set to 10 Bit (m = 1024)
SC-Protocol    | no-trade | trade  | avg.
Kersch. et al. | 0,53s    | 1,87s  | 1,25s
Nergiz et al.  | 1,58s    | 5,34s  | 3,43s
Garay et al.   | 18,38s   | 54,65s | 35,57s
Table: Runtimes of the Bartering Protocol
Conclusion
Binary SC-Protocols scale worse than Arithmetic SC-Protocols in the semi-honest model regarding:
• Input size
• Comp. complexity (keysize)
• Round complexity (latency)
In the context of a realistic bartering scenario, the performance is still reasonable:
• Binary SC-Protocols suitable for small input parameters
Binary SC-Protocols might perform better in the malicious model in the context of the bartering protocol:
• Arithmetic SC-Protocols might have a lot more overhead for security in the malicious model
Are there any questions?
Implementation Overview
Figure: Impl. using the SMC-MuSe Framework [Neugebauer et al., 2013]
References
Garay, J., Schoenmakers, B., and Villegas, J. (2007). Practical and Secure Solutions for Integer Comparison. Public Key Cryptography – PKC 2007, 4450:330–342.
Mayer, D., Wetzel, S., Meyer, U., and Stefan, W. (2014). A Secure Two-Party Bartering Protocol Using Privacy-Preserving Interval Operations. Pages 57–66.
Mayer, D. a. (2012). Design and Implementation of Efficient Privacy-Preserving and Unbiased Reconciliation Protocols.
Nergiz, A. E., Nergiz, M. E., Pedersen, T., and Clifton, C. (2010). Practical and secure integer comparison and interval check. Proceedings - SocialCom 2010: 2nd IEEE International Conference on Social Computing, PASSAT 2010: 2nd IEEE International Conference on Privacy, Security, Risk and Trust, pages 791–799.
Neugebauer, G., Meyer, U., and Wetzel, S. (2013). SMC-MuSe: A Framework for Secure Multi-Party Computation on MultiSets. 43th GI-LNI Informatik, (December).
Schoenmakers, B. and Tuyls, P. (2006). Efficient binary conversion for Paillier encrypted values. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), 4004 LNCS:522–537.
Wueller, S., Meyer, U., Forg, F., and Wetzel, S. (2015). Privacy-Preserving Conditional Random Selection Extended Version.