
SHADE: Secure HAmming DistancE computation from oblivious transfer

SHADE: Secure HAmming DistancE computation from oblivious transfer. Julien Bringer, Hervé Chabanne, Alain Patey. Workshop on Applied Homomorphic Cryptography (WAHC’13) - Apr. 1st, 2013. Work partially funded by the ANR SecuLar project and by the European FP7 FIDELITY project.


Presentation Transcript


  1. SHADE: Secure HAmming DistancE computation from oblivious transfer. Julien Bringer, Hervé Chabanne, Alain Patey. Workshop on Applied Homomorphic Cryptography (WAHC’13) - Apr. 1st, 2013. Work partially funded by the ANR SecuLar project and by the European FP7 FIDELITY project

  2. Outline • Motivations • Secure Biometric Recognition • Secure Computation of Hamming distances: previous proposals • Homomorphic Encryption • Garbled Circuits • SHADE • The basic scheme • The fully-secure scheme Alain Patey / 01/04/2013 / WAHC'13

  3. Motivations

  4. Biometric matching • Biometrics: Images are encoded into feature vectors • Biometric matching: computation of a similarity measure between two vectors • Hamming Distance • Euclidean Distance • Scalar Product • …

  5. Example: Iris • Iris codes: 256-byte code + 256-byte mask • Mask indicates (in)exploitable data: eyelids, eyelashes, blurred pixels… • Similarity measure between (X1,M1) and (X2,M2): normalized Hamming distance • HD(X1,X2) = |(X1 ⨁ X2) ∩ M1 ∩ M2| / |M1 ∩ M2| • John Daugman: How iris recognition works. IEEE Trans. Circuits Syst. Video Techn. (TCSV) 14(1):21-30 (2004)

  6. Example: Fingerprint • Binary feature vector fingerprint representation: ~50,000 bit-vectors • Bits indicate presence/absence of given patterns • Similarity measure: usual Hamming distance • Bringer, J. and Despiegel, V., Binary feature vector fingerprint representation from minutiae vicinities, BTAS'10. (2010).

  7. Example: Face • Face: SCiFI project • Approach similar to the approach of previous slide • 900-bit vectors • (constant 180-bit weight) • Similarity measure = usual Hamming distance • Margarita Osadchy, Benny Pinkas, Ayman Jarrous, Boaz Moskovich: SCiFI - A System for Secure Face Identification. IEEE Symposium on Security and Privacy 2010:239-254

  8. Motivations for secure biometric matching • Biometric data are • extremely sensitive • hard to revoke • But very useful for personal recognition • Need for protection and usability at the same time • ⇒ Secure computation • Applications • 1 vs N identification • Intersection of biometric databases • Deduplication • Anonymous access control • …

  9. Secure Hamming Distance Computation: Previous proposals

  10. Setting • Client: 100110011101, binary string X=(x1,…,xn) • Server: 110010010101, binary string Y=(y1,…,yn) • Secure Computation • Output: dH(X,Y) = Σ(xi ⨁ yi) • Output learned either by C, S or both • Privacy: One party does not learn information about the other party’s input (except the result)

  11. Homomorphic Encryption

  12. XOR-ly/Additively Homomorphic Encryption • E = homomorphic cryptosystem • Goal: compute E(X⨁Y) (or E(dH(X,Y))) from E(X) and Y (or E(X) and E(Y)) • where X and Y are strings • No efficient homomorphic cryptosystem to do this straightforwardly • Goldwasser-Micali: XOR over bits • Paillier: addition over integers • Use of additively homomorphic encryption (Paillier and extensions) • E(X)·E(Y) = E(X+Y) • E(X)^Y = E(X·Y)

  13. Secure Hamming distance using Homomorphic Encryption • Client input: X=(x1,…,xn), sk, pk • Server input: Y=(y1,…,yn), pk • Data encryption: Client sends E(x1),…,E(xn) • Computation over encrypted data (Server): for i=1..n, E(xi⨁yi) = E(xi)^(1-2yi)·E(yi) • E(dH(X,Y)) = E(Σ(xi⨁yi)) = Π E(xi⨁yi) • Server sends E(dH(X,Y)) • Result decryption: Client decrypts using sk • Output: dH(X,Y) • Recall: x,y∈{0,1}, x⊕y = x + y – 2x·y

  14. Yao’s Protocol

  15. 1-out-of-2 Oblivious transfer • Sender inputs: strings X0 and X1 • Receiver input: bit b • Sender output: ∅ • Receiver output: Xb • Sender does not learn b • Receiver learns nothing about X_(1-b)

  16. Garbled Circuits • Garbled circuits: “Encrypted” binary circuits • Random keys are associated with wires (one pair per wire) • Gates are encrypted using these keys • S creates the garbled circuit: • picks random keys and encrypts tables • C evaluates the garbled circuit • Decrypts the garbled tables using one key per input wire • Keys corresponding to S’s inputs are directly sent to C • Keys corresponding to C’s inputs are sent using 1-out-of-2 OT’s

  17. Yao’s Protocol • Party 1: creates the Garbled Circuit • Party 1 → Party 2: Garbled Circuit, labels of P1’s inputs • Labels of P2’s inputs using 1-out-of-2 OT’s • Party 2: evaluates the Garbled Circuit, obtains f(X,Y) • (Optional) Party 2 → Party 1: f(X,Y)

  18. Implementation of Yao’s protocol • Garbling can be implemented using symmetric cryptography • Optimizations: • free XOR gates • 25% gate reduction • 1-out-of-2 OT’s can also be implemented using symmetric cryptography • After some preprocessing involving public-key cryptography • Implementations are available • Fairplay, TASTY, Secure Computation Framework…

  19. Summary • Additively homomorphic encryption • Bits are encrypted separately (ciphertexts are at least 2048-bit long) • Homomorphic operations are costly • Ciphertexts can be re-used (for another instance of the protocol or another functionality) • Yao’s protocol • Mostly symmetric cryptography • Garbled circuits not reusable • Use of Yao’s protocol for secure Hamming distance computation gives better performances than homomorphic encryption • Yan Huang, David Evans, Jonathan Katz, Lior Malka: Faster Secure Two-Party Computation Using Garbled Circuits. USENIX Security Symposium 2011

  20. SHADE

  21. Towards SHADE • Garbled Circuits are big, even for the simple Hamming distance circuit • e.g. >120 KB bandwidth required for 2048-bit Hamming distance • When using Yao’s protocol, sender’s inputs to the OT’s are independent of the actual inputs X and Y • Ideas: • Get rid of garbled circuits • Adapt the inputs of the OT’s such that • they are linked to the sender’s bit-string • the output of the ith OT is linked to xi⨁yi • Input of the server: (ri + xi, ri + (1-xi)) • Input of the client: yi • Output of the client: ri + (xi⨁yi)

  22. Protocol • Server: X = (x1,…,xn) • Client: Y = (y1,…,yn) • Server: select random r1,…,rn • Oblivious Transfer: for i=1,…,n, one 1-out-of-2 OT • Server input: (ri+xi, ri+(xi⨁1)) • Client input: yi • Server output: ∅ • Client output: ti = ri+(xi⨁yi) • Server: compute R = Σ ri • Client: compute T = Σ ti (= R+HD(X,Y)) • 1st option: Server sends R, Client outputs T-R = HD(X,Y) • 2nd option: Client sends T, Server outputs T-R = HD(X,Y)

  23. Remarks • Overall cost: n OT’s • Privacy ensured in the semi-honest model • Extension to several dH(X,Yj) at the same time • Biometric 1 vs N identification • Applicable to any function of the form: • F(X,Y) = ∑ λi fi(xi,yi) • F(X,Y) = ∏ f(xi,yi)

  24. Comparison to previous solutions • (table comparing HE, Yao and SHADE; its contents are not in the transcript) • After preprocessing, including optimizations

  25. Computation time • Comparison to Yao’s protocol • For 900 bits: • HE: ~310 ms • Yao: ~20 ms • SHADE: ~8 ms

  26. SHADE: The fully-secure scheme (security against malicious adversaries)

  27. Committed Oblivious transfer • Sender inputs: strings X0 and X1; random values r0, r1 • Receiver inputs: bit b; random value r • Common inputs: Com(X0,r0); Com(X1,r1); Com(b,r) • Receiver output: Xb; random value u • Sender output: ∅ • Common output: Com(Xb,u) • Kiraz, M.S., Schoenmakers, B., Villegas, J.: Efficient committed oblivious transfer of bit strings. In: ISC. (2007)

  28. Homomorphic commitment • Additively homomorphic commitment: • Com(x1,r1) · Com(x2,r2) = Com(x1+x2, r1+r2) • Zero-knowledge proofs: • Proof that a commitment c commits to either x1 or x2 • Here: proof that committed value is a bit (0 or 1) • Proof that two committed values differ by 1 • Instantiation using Paillier or ElGamal cryptosystem

  29. Fully secure scheme – 1st step: Commitment and proofs of consistency • Server: X = (x1,…,xn) • Client: Y = (y1,…,yn) • Client: • Pick random values χ1,…,χn • Compute and publish Com(yi,χi), i=1…n • Prove that committed values are bits • Server: • Pick random values α1,…,αn, β1,…,βn, r1,…,rn • Compute and publish, for i=1…n • Ai=Com(ri+xi, αi) • Bi=Com(ri+(1-xi), βi) • Prove that committed values differ by 1 • Result: Server holds xi; ri; ai=ri+xi; bi=ri+(1-xi); αi; βi • Client holds yi; χi • Common: Ai=Com(ai,αi); Bi=Com(bi,βi); Com(yi,χi)

  30. Fully secure scheme – 2nd step: Committed Oblivious transfers • Server: xi; ri; ai=ri+xi; bi=ri+(1-xi); αi; βi • Client: yi; χi • Common: Ai=Com(ai,αi); Bi=Com(bi,βi); Com(yi,χi) • n Committed oblivious transfers • Client output: ti = ri+(xi⨁yi); random values 𝜏i • Common output: Ci=Com(ti,𝜏i)

  31. Fully secure scheme – 3rd step: Hamming Distance Computation (1st option) • Server: ri; ai=ri+xi; bi=ri+(1-xi); αi; βi • Client: ti=ri+(xi⨁yi); 𝜏i • Common: Ai=Com(ai,αi); Bi=Com(bi,βi); Ci=Com(ti,𝜏i) • Server: compute R = r1+…+rn • Client: compute T = t1+…+tn • Compute K = A1…An·B1…Bn • Compute K = Com(2R+n, ∑(αi+βi)) • Server sends R + proof that K commits to 2R+n • Client: check the proof • Output T-R = dH(X,Y) • Same mechanisms for 2nd option

  32. Conclusion • Most efficient secure Hamming distance computation in the semi-honest model • Applicable to any linear combination of bit-wise independent functions • Non-reusable • like garbled circuits • unlike homomorphic encryption • Adaptation to the malicious model • Using additive homomorphic encryption and zero-knowledge • Applications to secure image/signal processing • In particular, biometric identification

  33. Thank you for your attention. Questions?
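
The homomorphic-encryption protocol of slide 13, as an added Python example that is not part of the original slides: a toy Paillier instance computes E(xi⨁yi) = E(xi)^(1-2yi)·E(yi) and multiplies the results into E(dH(X,Y)). The function names and the small primes are assumptions made for illustration (constructed, insecure sizes); X and Y are the bit strings shown on slide 10.

```python
import math
import secrets

# Toy Paillier with g = N + 1. Constructed primes, far too small for real use.
P, Q = 1009, 1013
N, N2 = P * Q, (P * Q) ** 2
LAM = (P - 1) * (Q - 1) // math.gcd(P - 1, Q - 1)   # lcm(p-1, q-1)
MU = pow(LAM, -1, N)                                 # needs Python 3.8+

def enc(m):
    """E(m) = (1+N)^m * r^N mod N^2 with a fresh r coprime to N."""
    while True:
        r = secrets.randbelow(N - 1) + 1
        if math.gcd(r, N) == 1:
            return pow(1 + N, m, N2) * pow(r, N, N2) % N2

def dec(c):
    """D(c) = L(c^lambda mod N^2) * mu mod N, where L(u) = (u - 1) / N."""
    return (pow(c, LAM, N2) - 1) // N * MU % N

def client_encrypt(x):
    """Data encryption: the client sends E(x_1), ..., E(x_n)."""
    return [enc(xi) for xi in x]

def server_evaluate(cx, y):
    """E(x_i XOR y_i) = E(x_i)^(1-2*y_i) * E(y_i); the product is E(d_H(X,Y)).
    The exponent is +1 or -1, i.e. the ciphertext or its inverse mod N^2."""
    acc = enc(0)
    for ci, yi in zip(cx, y):
        acc = acc * pow(ci, 1 - 2 * yi, N2) * enc(yi) % N2
    return acc

def he_hamming(x, y):
    """Full round trip: encrypt, evaluate on ciphertexts, decrypt with sk."""
    return dec(server_evaluate(client_encrypt(x), y))

# Bit strings shown on slide 10 of the deck.
X = [int(c) for c in "100110011101"]
Y = [int(c) for c in "110010010101"]

if __name__ == "__main__":
    print("d_H(X, Y) =", he_hamming(X, Y))   # 3
```

The server works on one ciphertext per input bit, which is the per-bit cost the summary slide attributes to homomorphic encryption.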
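
The basic SHADE protocol of slides 21 to 23, as an added Python example (not the authors' code). It goes beyond the Hamming case to the form F(X,Y) = ∑ λi f(xi,yi) from slide 23, with one f shared by all positions. Assumptions: the oblivious transfer is an ideal stand-in function rather than a real OT protocol, and arithmetic is done modulo a value above the largest possible result (n+1 for the Hamming distance), since the slides only say the ri are random.

```python
import secrets

def ot_1_of_2(m0, m1, b):
    """Ideal 1-out-of-2 OT (assumed trusted stand-in, not a real OT protocol):
    the receiver gets m_b only; the sender learns nothing about b."""
    return m1 if b else m0

def server_round(x, f, weights, mod):
    """Server: pick masks r_i and build one OT pair per position.
    Pair i is (r_i + w_i*f(x_i,0), r_i + w_i*f(x_i,1)); for f = XOR and
    w_i = 1 this is the slide's (r_i + x_i, r_i + (x_i XOR 1))."""
    r = [secrets.randbelow(mod) for _ in x]
    pairs = [((ri + w * f(xi, 0)) % mod, (ri + w * f(xi, 1)) % mod)
             for ri, xi, w in zip(r, x, weights)]
    return pairs, sum(r) % mod           # R stays with the server

def client_round(pairs, y, mod):
    """Client: one OT per position with choice bit y_i, then sum the t_i."""
    t = [ot_1_of_2(m0, m1, yi) for (m0, m1), yi in zip(pairs, y)]
    return sum(t) % mod                  # T = R + F(X, Y) mod `mod`

def shade(x, y, f, weights, mod):
    """1st option of slide 22: server sends R, client outputs T - R."""
    if len(x) != len(y) or len(x) != len(weights):
        raise ValueError("inputs must have equal length")
    pairs, R = server_round(x, f, weights, mod)
    T = client_round(pairs, y, mod)
    return (T - R) % mod

def shade_hamming(x, y):
    """Hamming distance: f = XOR, all weights 1, arithmetic in Z_{n+1}
    (assumed modulus; it must exceed the largest possible result)."""
    return shade(x, y, lambda a, b: a ^ b, [1] * len(x), len(x) + 1)

# Bit strings shown on slide 10 of the deck.
X = [int(c) for c in "100110011101"]
Y = [int(c) for c in "110010010101"]

if __name__ == "__main__":
    print("d_H(X, Y) =", shade_hamming(X, Y))   # 3
```

Each ti the client receives is a bit masked by a uniform ri, so only the sum T - R carries information; as slide 23 states, this holds in the semi-honest model.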
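
The consistency check of slides 28 and 31 (the product K = A1…An·B1…Bn must commit to 2R+n), as an added Python example that is not from the original slides. Assumptions: an ElGamal-style commitment over a toy group with constructed parameters, plain integer sums as written on the slides, and the zero-knowledge proof replaced by revealing the opening ∑(αi+βi), which is a simplification.

```python
import secrets

# Toy group: P = 2Q + 1, G generates the order-Q subgroup (constructed, insecure sizes).
P, Q = 1019, 509
G = 4
H = pow(G, 77, P)   # toy second generator; a real setup derives it so its log stays unknown

def com(x, r):
    """ElGamal-style commitment Com(x, r) = (g^r, g^x * h^r).
    Multiplying two commitments adds both the values and the randomness."""
    return (pow(G, r % Q, P), pow(G, x % Q, P) * pow(H, r % Q, P) % P)

def mul(c, d):
    """Component-wise product: Com(x1,r1) * Com(x2,r2) = Com(x1+x2, r1+r2)."""
    return (c[0] * d[0] % P, c[1] * d[1] % P)

def server_commit(x):
    """Step 1: A_i = Com(r_i + x_i, alpha_i), B_i = Com(r_i + (1 - x_i), beta_i).
    Returns the public commitments, R = sum r_i and the opening sum(alpha_i + beta_i)."""
    n = len(x)
    r = [secrets.randbelow(n + 1) for _ in x]
    alpha = [secrets.randbelow(Q) for _ in x]
    beta = [secrets.randbelow(Q) for _ in x]
    A = [com(ri + xi, a) for ri, xi, a in zip(r, x, alpha)]
    B = [com(ri + 1 - xi, b) for ri, xi, b in zip(r, x, beta)]
    return A, B, sum(r), sum(alpha) + sum(beta)

def client_check(A, B, claimed_R, opening):
    """Step 3: accept R only if K = A_1...A_n * B_1...B_n equals
    Com(2R + n, opening). Since a_i + b_i = 2*r_i + 1, an honest R passes."""
    K = (1, 1)
    for c in A + B:
        K = mul(K, c)
    return K == com(2 * claimed_R + len(A), opening)

# Server bit string shown on slide 10 of the deck.
X = [int(c) for c in "100110011101"]

if __name__ == "__main__":
    A, B, R, s = server_commit(X)
    print("honest R accepted:", client_check(A, B, R, s))
    print("shifted R accepted:", client_check(A, B, R + 1, s))
```

The check binds the R sent in step 3 to the values the server committed to in step 1, so a malicious server cannot shift the client's output T-R by reporting a different R.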
