Collabora've,Privacy‐PreservingDataAggrega'onatScale
MichaelJ.Freedman
PrincetonUniversity
Jointworkwith:BennyApplebaum,HaakonRingberg,MaHhewCaesar,andJenniferRexford
Problem:NetworkAnomalyDetec'on
Collabora'veanomalydetec'on
• SomeaHackslooklikenormaltraffic– e.g.,SQL‐injec'on,applica'on‐levelDoS[SrivatsaTWEB‘08]
• IsitaDDoSaHackoraflashcrowd?[JungWWW‘02]
Yahoo!Google
Bing
I’mnotsureaboutBeasty!
I’mnotsureaboutBeasty!
I’mnotsureaboutBeasty!
Collabora'veanomalydetec'on
• Targets(vic'ms)couldcorrelateaHacks/aHackers[KadIMC’05],[AllmanHotnets‘06],[KannanSRUTI‘06],[MooreINFOC‘03]
Yahoo!Google
Bing
“Foolusonce,shameonyou.FoolusN2mes,shameonus.”
Problem:NetworkAnomalyDetec'on
Solu'on:
• AggregatesuspectIPsfrommanyISPs• FlagthoseIPsthatappear>thresholdτ
Problem:DistributedRanking
Solu'on:
• Collectdomainsta's'csfrommanyusers• Aggregatedatabydomain
Problem:
…
Solu'on:• Aggregate(id,data)frommanysources• Analyzedatagroupedbyid
Butwhataboutprivacy?
WhatinputsaresubmiHed?
WhosubmiHedwhat?
DataAggrega'onProblem
• Manypar'cipants,eachwith(key,value)observa'on
• Goal:Aggregateobserva'onsbykey
Key Values
k1 (va,vb)k2 (vi,vj,vk)
…
kn (vx)
AA
A
DataAggrega'onProblem
• Manypar'cipants,eachwith(key,value)observa'on
• Goal:Aggregateobserva'onsbykey
Key Values
k1 (va,vb)k2 (vi,vj,vk)
…
kn (vx)
AA
A
F ( F (
F (
))
)
PDA: Onlyreleasethevaluecolumn
CR‐PDA: Pluskeyswhosevaluessa'sfysomefunc
DataAggrega'onProblem
• Manypar'cipants,eachwith(key,value)observa'on
• Goal:Aggregateobserva'onsbykey
Key Values
k1 (1,1)k2 (1,1,1)
…
kn (1)
ΣΣ
ΣPDA: Onlyreleasethevaluecolumn
CR‐PDA: Pluskeyswhosevaluessa'sfysomefunc
≥τ?
≥τ?
≥τ?
Goals
• Keywordprivacy:Nopartylearnsanythingaboutkeys
• Par'cipantprivacy:NopartylearnswhosubmiHedwhat
• Efficiency:Scaletomanypar'cipants,eachwithmanyinputs
• Flexibility:Supportvarietyofcomputa'onsovervalues
• Lackofcoordina'on:– Nosynchronyrequired,individualscannotpreventprogress– Allpar'cipantsneednotbeonlineatsame'me
Poten'alsolu'ons
ApproachKeywordPrivacy
Par5cipantPrivacy Efficiency Flexibility
LackofCoord
GarbledCircuit
Evalua'on
Mul'partySetIntersec'on
Yes Yes VeryPoor Yes No
Yes Yes Poor No NoDecen
tralized
Security Efficiency
• Weakensecurityassump'ons?
– Assumehonestbutcuriouspar'cipants?
– Assumenocollusionamongmaliciouspar'cipants?
• Inlarge/opensedng,easytooperatemul'plenodes(so‐called“SybilaHack”)
TowardsCentraliza'on?
DB
Par5cipants
Poten'alsolu'ons
ApproachKeywordPrivacy
Par5cipantPrivacy Efficiency Flexibility
LackofCoord
GarbledCircuit
Evalua'on
Mul'partySetIntersec'on
HashingInputs
NetworkAnonymiza'on
Yes Yes VeryPoor Yes No
Yes Yes Poor No No
No No VeryGood Yes Yes
No Yes VeryGood Yes Yes
Decen
tralized
Ce
ntralized
Towardssemi‐centraliza'on
Par5cipants
Proxy DB
Assump5on:ProxyandDBdo
notcollude
Poten'alsolu'ons
ApproachKeywordPrivacy
Par5cipantPrivacy Efficiency Flexibility
LackofCoord
GarbledCircuit
Evalua'on
Mul'partySetIntersec'on
HashingInputs
NetworkAnonymiza'on
ThisWork
Yes Yes VeryPoor Yes No
Yes Yes Poor No No
No No VeryGood Yes Yes
No Yes VeryGood Yes Yes
Yes Yes Good Yes Yes
Decen
tralized
Ce
ntralized
PrivacyGuarantees
• PrivacyofPDAagainstmaliciousen''esandpar'cipants– Maliciouspar'cipantmaycolludewitheithermaliciousproxyorDB,butnotboth
– Mayviolatecorrectnessinalmostarbitraryways
• PrivacyofCR‐PDAagainsthonest‐but‐curiousen''esandmaliciouspar'cipants
PDAStrawman#0
Par5cipant Proxy DB
1. Clientsendsinputk
k
PDAStrawman#1
Par5cipant Proxy DB
1. Clientsendsencryptedinputk2. Proxybatchesandretransmits
3. DBdecryptsinput
ds
k # 1.1.1.1 1
2.2.2.2 9
Violateskeywordprivacy
EDB(k) EDB(k)
ds
PDAStrawman#2
Par5cipant Proxy DB
1. Clientsendshashesofk2. Proxybatchesandretransmits
3. DBdecryptsinput
H (k) # H(1.1.1.1) 1
H(2.2.2.2) 9
S5llviolateskeywordprivacy:IPsdrawnfromsmalldomains
EDB(H(k)) EDB(H(k))
PDAStrawman#3
Par5cipant Proxy DB
1. Clientsendskeyedhashesofk– Keyedhashfunc'on(PRF)– Keysknownonlybyproxy
Fs (k) # Fs(1.1.1.1) 1
Fs(2.2.2.2) 9
EDB(Fs(k)) EDB(Fs(k))
ButhowdoclientslearnFs(IP))?
Secrets
OurBasicPDAProtocol
Par5cipant Proxy DB
1. Clientsendskeyedhashesofk– Fs(x)learnedbyclientthroughObliviousPRFprotocol
2. Proxybatchesandretransmitskeyedhash
3. DBdecryptsinput
Fs (k) # Fs(1.1.1.1) 1
Fs(2.2.2.2) 9
EDB(Fs(k))OPRF
EDB(Fs(k)) Fs(k)
Secrets
Fs (k) # Fs(1.1.1.1) 1
Fs(2.2.2.2) 9
retransmits
BasicCR‐PDAProtocol
Par5cipant Proxy DB
1. Clientsendskeyedhashesofk,andencryptedkforrecovery
2. Proxyretransmitskeyedhash3. DBdecryptsinput4. Iden'fyrowstoreleaseandtransmitEPRX(k)toproxy5. Proxydecryptskandreleases
EDB(Fs(k)) Fs(k)
EDB(EPRX(k))
EPRX(k)
Fs (k) # Enc’d k Fs(1.1.1.1) 1 EPRX(1.1.1.1)
Fs(2.2.2.2) 9 EPRX(2.2.2.2)
Secrets
retransmits
PrivacyProper'es
Par5cipant Proxy DB
• Anycoali'onofHBCpar'cipants• HBCcoali'onofproxyandpar'cipants• HBCdatabase
EDB(Fs(k)) Fs(k)
EDB(EPRX(k))
EPRX(k)
• Keywordprivacy:Nothinglearnedaboutunreleasedkeys• Par'cipantprivacy:KeyPar'cipantnotlearned
Secrets
retransmits
PrivacyProper'es
Par5cipant Proxy DB
• Anycoali'onofHBCpar'cipants• HBCcoali'onofproxyandpar'cipants• HBCdatabase
EDB(Fs(k)) Fs(k)
EDB(EPRX(k))
EPRX(k)
• Keywordprivacy:Nothinglearnedaboutunreleasedkeys• Par'cipantprivacy:KeyPar'cipantnotlearned
Secrets
maliciouspar'cipants
HBCcoali'onofDBandpar'cipants
retransmits
MoreRobustPDAProtocol
Par5cipant Proxy DB
• Anycoali'onofHBCpar'cipants• HBCcoali'onofproxyandpar'cipants• HBCdatabase
EDB(Fs(k)) Fs(k)
EDB(EPRX(k))
EPRX(k)Secrets
maliciouspar'cipants
HBCcoali'onofDBandpar'cipants
• ORPFEncryptedOPRFProtocol• Ciphertextre‐randomiza'onbyproxy• Proofbypar'cipantthatsubmiHedk’smatch
Encrypted‐OPRFprotocol• Problem:inbasicOPRFprotocol,par'cipantlearnsFs(k)
• Encrypted‐OPRFprotocol:– ClientlearnsblindedFs(k)– ClientencryptstoDB– ProxycanunblindFs(k)“undertheencryp'on”
()r‐1Enc()()rFs(k)
(πsi)ki=1ElGamal gmodp
Encrypted‐OPRFprotocol• Problem:inbasicOPRFprotocol,par'cipantlearnsFs(k)
• Encrypted‐OPRFprotocol– ClientlearnsblindedFs(k)– ClientencryptstoDB– ProxycanunblindFs(k)“undertheencryp'on”
• OPRFrunsOTprotocolforeachbitofinputk• OTprotocolsexpensive,sousebatchOTprotocol[Ishaietal]
()r‐1Enc()()rFs(k)
ScalableProtocolArchitecture
Par'cipantsClient‐Facing
Proxies
Sharesecrets
ProxyDecryp'onOracles
SharePRXkey
Front‐EndDBTier
ShareDBkey
Back‐EndDBStorage
Par''onFskeyspace
Evalua'on• Scalablearchitectureimplemented
– BasicCR‐PDA/PDAprotocol+andencrypted‐OPRFprotocolw/BatchOT
– ~5000linesofthreadedC++,GnuPGforcrypto
• Testbedof2GHzLinuxmachines
Algorithm Parameter Value
RSA/ElGamal keysize 1024bits
ObliviousTransfer k 80
AES keysize 256bits
Throughputvs.par'cipantbatchsize
SingleCPUcoreforDBandproxyeach
Maximumthroughputperserver
FourCPUcoresforDBandproxy(each)
Throughputscalability
NumberCPUcoresperDBandproxy(each)
Summary• Privacy‐PreservingDataAggrega'onprotects:
– Par'cipants:DonotrevealwhosubmiHedwhat– Keywords:Onlyrevealvalues/releasedkeys
• Novelcomposi'onofcryptoprimi'ves– Basedonassump'onthat2+knownpar'esdon’tcollude
• Efficientimplementa'onofarchitecture– Scaleslinearlywithcompu'ngresources– Ex:MillionsofsuspectedIPsinhours
• Ofindependentinterest…– IntroducedencryptedOPRFprotocol– Firstimplementa'on/valida'onofBatchOTprotocol