bachelor thesis - presentation

Comparative Analysis of Binary and Arithmetic Secure Comparison Operations in the Context of Bartering. Benjamin Assadsolimani, Research group IT-Security, RWTH Aachen University. Matr. Nr.: 318173. 01. September 2015

Upload: rwth-aachen-university

Post on 27-Jan-2017


Page 1: Bachelor Thesis - Presentation

Comparative Analysis of Binary and Arithmetic Secure Comparison Operations in the Context of Bartering

Benjamin Assadsolimani

Research group IT-Security, RWTH Aachen University

Matr. Nr.: 318173

01. September 2015

Page 2: Bachelor Thesis - Presentation

Thesis Overview

Analysis of Binary and Arithmetic Secure Comparison (SC) Operations:

Isolated Analysis

1. Implementation of the SC-Prot.:
• Kerschbaum et al. (int)
• Nergiz et al. (int)
• Garay et al. (bit)

2. Performance analysis

Context Bartering Protocol

1. Implementation of the Bartering Protocol

2. Modification for binary support and security analysis

3. Performance analysis of the Bartering Protocol

4. Analysis of a realistic bartering scenario

Benjamin Assadsolimani 1/43

Page 3: Bachelor Thesis - Presentation

Outline

Introduction

SC-Prot.
• Kerschbaum et al.
• Nergiz et al.
• Garay et al.
• Performance

Bartering Protocol
• Existing Bartering Protocol
• Support for Binary SC-Protocols
• Performance
• Realistic Scenario

Conclusion

References

Benjamin Assadsolimani 2/43


Page 5: Bachelor Thesis - Presentation

Secure Multiparty Computation

Secure Multiparty Computation (SMPC) allows a number of parties to jointly compute a function over their private inputs.

Benjamin Assadsolimani 3/43

Page 6: Bachelor Thesis - Presentation

Adversary Models

• Passive adversary (semi-honest model):
  • Follows the protocol specification
  • Attempts to learn private information of the other party from participation

• Active adversary (malicious model):
  • Behaviour may arbitrarily deviate from the protocol specification

Benjamin Assadsolimani 4/43

Page 7: Bachelor Thesis - Presentation

Motivation

Thesis Goal

Should arithmetic or binary SC-Protocols be used for the bartering protocol in the semi-honest case and when transferring it to the malicious model?

• Arithmetic SC-Protocols have a more complex structure:
  • semi-honest: allows for more efficient algorithms
  • malicious: more difficult to force a corrupted party to follow the protocol

• Binary SC-Protocols have to iterate through every bit:
  • semi-honest: cannot be as efficient as arithmetic SC-Protocols
  • malicious: much easier to enforce since only bit operations are used

Benjamin Assadsolimani 5/43


Page 10: Bachelor Thesis - Presentation

IC-Protocol by Kerschbaum et al.

Idea:

1. Subtract x and y using homomorphic addition

2. Sign of the difference determines whether x < y

3. Blind the difference with hiding factors r1 and r2

Additive Homomorphic Cryptosystem:

• Addition:

$E(m_1) \cdot E(m_2) = E(m_1 + m_2)$

• Scalar Multiplication:

$E(m_1) \cdot \ldots \cdot E(m_1) = E(m_1)^k = E(k \cdot m_1)$

Benjamin Assadsolimani 6/43

Page 11: Bachelor Thesis - Presentation

Negative Integer Representation

• Negative numbers are not represented in modular arithmetic

• Cut the plaintext space [0, n − 1] in half:
  • pos. integers: lower half
  • neg. integers: upper half

Benjamin Assadsolimani 7/43

Page 12: Bachelor Thesis - Presentation

Protocol Execution

(x − y)

22 − 24 ≡ 62 (mod 64)

Example: x = 22, y = 24, r1 = 8, r2 = 4, n = 64

Benjamin Assadsolimani 8/43

Page 13: Bachelor Thesis - Presentation

Protocol Execution

(x − y) · r1

62 · 8 ≡ 48 (mod 64)

Example: x = 22, y = 24, r1 = 8, r2 = 4, n = 64

Benjamin Assadsolimani 9/43

Page 14: Bachelor Thesis - Presentation

Protocol Execution

(x − y) · r1 + r2

48 + 4 = 52

Example: x = 22, y = 24, r1 = 8, r2 = 4, n = 64

Benjamin Assadsolimani 10/43

Page 15: Bachelor Thesis - Presentation

Protocol Properties

Hiding Factors:

• Draw r1 such that there are no wrap arounds

• Draw r2 < r1 so it does not change the result

Complexity:

• Round complexity: O(1)

• Comp. complexity: O(1)

Security:

• Protocol has a small leak which occurs with a very minor probability

• Has been proven secure in the semi-honest model [Wueller et al., 2015]

Benjamin Assadsolimani 11/43
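The blinded-difference idea from the slides above, carried out on real ciphertexts. This is an added example, not code from the thesis or from Kerschbaum et al.; the toy Paillier key, the function names and the assignment of roles (the key owner holds x, the other party holds y) are assumptions of this sketch.

```python
import math
import secrets

# Toy Paillier key, constructed for this example; far too small for real use.
P, Q = 1009, 1013
N, N2 = P * Q, (P * Q) ** 2
LAM = (P - 1) * (Q - 1) // math.gcd(P - 1, Q - 1)   # lcm(p - 1, q - 1)
MU = pow(LAM, -1, N)                                 # valid for g = n + 1

def encrypt(m):
    """E(m) = (1 + n)^m * r^n mod n^2 with fresh randomness r."""
    r = secrets.randbelow(N - 1) + 1
    while math.gcd(r, N) != 1:
        r = secrets.randbelow(N - 1) + 1
    return pow(1 + N, m % N, N2) * pow(r, N, N2) % N2

def decrypt(c):
    """m = L(c^lambda mod n^2) * mu mod n, with L(u) = (u - 1) / n."""
    return (pow(c, LAM, N2) - 1) // N * MU % N

def signed(m):
    """Upper half of the plaintext space [0, n - 1] encodes negative integers."""
    return m - N if m > N // 2 else m

def blind_difference(c_x, y, r1, r2):
    """Holder of y turns E(x) into E((x - y) * r1 + r2) without decrypting."""
    c_diff = c_x * encrypt(-y) % N2        # E(x) * E(-y) = E(x - y)
    c_scaled = pow(c_diff, r1, N2)         # E(x - y)^r1 = E((x - y) * r1)
    return c_scaled * encrypt(r2) % N2     # homomorphic addition of r2

def less_than(x, y, r1, r2):
    """Run both roles locally; the key owner only reads the sign of the result."""
    if not 0 <= r2 < r1:
        raise ValueError("need 0 <= r2 < r1 so r2 cannot change the sign")
    if (max(x, y) + 1) * r1 >= N // 2:
        raise ValueError("r1 too large: blinded value would wrap around")
    blinded = decrypt(blind_difference(encrypt(x), y, r1, r2))
    return signed(blinded) < 0
```

With the slide's inputs (x = 22, y = 24, r1 = 8, r2 = 4) the key owner decrypts −12, the same value that appears as 52 in the upper half when n = 64.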


Page 17: Bachelor Thesis - Presentation

IC-Protocol by Nergiz et al.

Idea:

• Upper bound m: x, y ≤ m

• Represent integer values [0, m − 1] as a Perfect Binary Tree (PBT)

Figure: 3-Perfect Binary Tree for m = 8, lm = 3

Benjamin Assadsolimani 12/43

Page 18: Bachelor Thesis - Presentation

Input Representation

Covering Set:

• x is represented by a Covering Set (CS):

• CS(x) contains all nodes covering (0, x)

Representer Set:

• y is represented by a Representer Set (R):

• R(y) is the minimal set covering exactly the leaf nodes (0, 0), ..., (0, y)

Benjamin Assadsolimani 13/43

Page 19: Bachelor Thesis - Presentation

Covering Set

(3, 0)

(2, 0) (2, 1)

(1, 0) (1, 1) (1, 2) (1, 3)

(0, 0) (0, 1) (0, 2) (0, 3) (0, 4) (0, 5) (0, 6) (0, 7)

Figure: Covering Set of leaf node (0, 2)

Benjamin Assadsolimani 14/43

Page 20: Bachelor Thesis - Presentation

Covering Set

(3, 0)

(2, 0) (2, 1)

(1, 0) (1, 1) (1, 2) (1, 3)

(0, 0) (0, 1) (0, 2) (0, 3) (0, 4) (0, 5) (0, 6) (0, 7)

Figure: Covering Set = {(0, 2), (1, 1), (2, 0), (3, 0)}

Benjamin Assadsolimani 15/43

Page 21: Bachelor Thesis - Presentation

Representer Set

Figure: Representer Set of leaf set {(0, 0), ..., (0, 5)}

Benjamin Assadsolimani 16/43

Page 22: Bachelor Thesis - Presentation

Representer Set

(3, 0)

(2, 0) (2, 1)

(1, 0) (1, 1) (1, 2) (1, 3)

(0, 0) (0, 1) (0, 2) (0, 3) (0, 4) (0, 5) (0, 6) (0, 7)

Figure: Representer Set = {(2, 0), (1, 2)}

Benjamin Assadsolimani 17/43

Page 23: Bachelor Thesis - Presentation

Protocol Execution

(3, 0)

(2, 0) (2, 1)

(1, 0) (1, 1) (1, 2) (1, 3)

(0, 0) (0, 1) (0, 2) (0, 3) (0, 4) (0, 5) (0, 6) (0, 7)

Figure: Protocol Execution with x = 2, y = 5

Benjamin Assadsolimani 18/43

Page 24: Bachelor Thesis - Presentation

Protocol Execution

(3, 0)

(2, 0) (2, 1)

(1, 0) (1, 1) (1, 2) (1, 3)

(0, 0) (0, 1) (0, 2) (0, 3) (0, 4) (0, 5) (0, 6) (0, 7)

Figure: Protocol Execution with output = 1

Benjamin Assadsolimani 19/43

Page 25: Bachelor Thesis - Presentation

Protocol Properties

Complexity:

• Round complexity: O(1)

• Comp. complexity: $O(\log_2(m)) = O(l_m)$

Benjamin Assadsolimani 20/43
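The Covering Set and Representer Set constructions from the slides above, as an added example that is not code from the thesis or from Nergiz et al. It builds both sets in the clear and intersects them directly; the private intersection step of the actual protocol is not shown, and the function names are assumptions of this sketch.

```python
def covering_set(x, lm):
    """CS(x): the leaf (0, x) and all of its ancestors up to the root (lm, 0)."""
    if not 0 <= x < 1 << lm:
        raise ValueError("x must lie in [0, m - 1] with m = 2**lm")
    return {(level, x >> level) for level in range(lm + 1)}

def representer_set(y, lm):
    """R(y): minimal node set covering exactly the leaves (0, 0), ..., (0, y)."""
    if not 0 <= y < 1 << lm:
        raise ValueError("y must lie in [0, m - 1] with m = 2**lm")
    nodes, first_leaf = set(), 0
    # y + 1 leaves have to be covered; every 1-bit of y + 1 is one full subtree,
    # taken from the largest subtree on the left to the smallest on the right.
    for level in range(lm, -1, -1):
        if (y + 1) >> level & 1:
            nodes.add((level, first_leaf >> level))
            first_leaf += 1 << level
    return nodes

def leaves_under(node):
    """Leaf indices covered by a node (level, index)."""
    level, index = node
    return set(range(index << level, (index + 1) << level))

def compare(x, y, lm):
    """Return (bit, common nodes); bit is 1 iff CS(x) and R(y) share a node."""
    common = covering_set(x, lm) & representer_set(y, lm)
    return int(bool(common)), common
```

The subtrees in R(y) are disjoint, so the two sets share at most one node, and they share one exactly when leaf (0, x) is among (0, 0), ..., (0, y), that is when x ≤ y. Both sets hold at most lm + 1 nodes, which is where the O(lm) computation cost comes from.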


Page 27: Bachelor Thesis - Presentation

SC-Protocol by Garay et al.

• Inputs are given as sequences of bits:

$x = x_{l_m-1}, \dots, x_0$

$y = y_{l_m-1}, \dots, y_0$

• compute x > y with the following recursion:

1. $t_0 = 0$

2. $t_{i+1} = (1 - (x_i - y_i)^2)\, t_i + x_i (1 - y_i)$

3. $t_{l_m}$ is the output bit

Example: m = 8 → lm = 3, x = 5 = 101, y = 3 = 011

Benjamin Assadsolimani 21/43

Page 28: Bachelor Thesis - Presentation

Protocol Execution

x_i  y_i  t_{i+1}
0    0    t_i
0    1    0
1    0    1
1    1    t_i

x = 1 0 1
y = 0 1 1

t_0 = 0

Benjamin Assadsolimani 22/43


Page 30: Bachelor Thesis - Presentation

Protocol Execution

x_i  y_i  t_{i+1}
0    0    t_i
0    1    0
1    0    1
1    1    t_i

x = 1 0 1
y = 0 1 1

t_1 = 0

Benjamin Assadsolimani 23/43

Page 31: Bachelor Thesis - Presentation

Protocol Execution

x_i  y_i  t_{i+1}
0    0    t_i
0    1    0
1    0    1
1    1    t_i

x = 1 0 1
y = 0 1 1

t_2 = 0

Benjamin Assadsolimani 24/43

Page 32: Bachelor Thesis - Presentation

Protocol Execution

x_i  y_i  t_{i+1}
0    0    t_i
0    1    0
1    0    1
1    1    t_i

x = 1 0 1
y = 0 1 1

t_3 = 1

Benjamin Assadsolimani 25/43

Page 33: Bachelor Thesis - Presentation

Protocol Execution

x_i  y_i  t_{i+1}
0    0    t_i
0    1    0
1    0    1
1    1    t_i

x = 1 0 1
y = 0 1 1

or 1

Benjamin Assadsolimani 26/43

Page 34: Bachelor Thesis - Presentation

Complexity

Presented algorithm:

• Round complexity: O(lm)

• Comp. complexity: O(lm)

Variation exists with:

• Round complexity: O(log(lm))

• Comp. complexity: O(lm)

Benjamin Assadsolimani 27/43
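The bitwise recursion from the slides above, evaluated on plaintext bits. This is an added example, not code from the thesis or from Garay et al.; in the protocol the same arithmetic is carried out on encrypted bits, and the function names are assumptions of this sketch. It goes beyond the single x = 5, y = 3 trace by checking the recursion against the four-row table and against x > y for every input pair.

```python
def bits_lsb_first(value, lm):
    """Bits x_0, ..., x_{lm-1}: the recursion starts at the least significant bit."""
    return [(value >> i) & 1 for i in range(lm)]

def garay_trace(x, y, lm):
    """Return [t_0, ..., t_lm] for the recursion; t_lm is the bit [x > y]."""
    t = [0]
    for x_i, y_i in zip(bits_lsb_first(x, lm), bits_lsb_first(y, lm)):
        equal = 1 - (x_i - y_i) ** 2       # 1 iff the bits agree: keep t_i
        # The product with t[-1] depends on the previous step, so the steps
        # are inherently sequential: one step per input bit.
        t.append(equal * t[-1] + x_i * (1 - y_i))
    return t

def step_matches_table():
    """Check one recursion step against the four-row table, for t_i = 0 and 1."""
    table = {(0, 0): None, (0, 1): 0, (1, 0): 1, (1, 1): None}  # None means t_i
    for (x_i, y_i), expected in table.items():
        for t_i in (0, 1):
            got = (1 - (x_i - y_i) ** 2) * t_i + x_i * (1 - y_i)
            if got != (t_i if expected is None else expected):
                return False
    return True

def agrees_with_plain_comparison(lm):
    """Exhaustively compare t_lm with x > y, and check every t_i stays a bit."""
    for x in range(1 << lm):
        for y in range(1 << lm):
            trace = garay_trace(x, y, lm)
            if trace[-1] != int(x > y) or any(t not in (0, 1) for t in trace):
                return False
    return True
```

Because a more significant bit overrides whatever the lower bits decided, the last differing bit processed determines the output, which is why the recursion runs from x_0 up to the most significant bit.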


Page 36: Bachelor Thesis - Presentation

Influence Input Size

[Plot: runtime (s), axis 0 to 150, over input size (bit), axis 0 to 60. Series: Kersch. et al., Nergiz et al., Garay et al.]

Benjamin Assadsolimani 28/43

Page 37: Bachelor Thesis - Presentation

Influence Input Size

[Plot: runtime (s), axis 0 to 6, over input size (bit), axis 0 to 60. Series: Kersch. et al., Nergiz et al.]

Benjamin Assadsolimani 29/43

Page 38: Bachelor Thesis - Presentation

Keysize Influence

SC-Protocol / Keysize   512 Bit   1024 Bit   2048 Bit   4096 Bit
Kersch. et al.          0,047s    0,073s     0,293s     2,026s
Nergiz et al.           0,216s    0,989s     7,182s     54,123s
Garay et al.            5,143s    14,652s    >6h        -

Table: Runtimes with 16 Bit input size

Benjamin Assadsolimani 30/43


Page 41: Bachelor Thesis - Presentation

Secure Two-Party Bartering Protocol

• Two parties want to exchange goods or services

• Privacy preserving: keep the inputs private at all times

• Existence of a potential trade: calculate exchange rates

Benjamin Assadsolimani 31/43

Page 42: Bachelor Thesis - Presentation

Bartering Setting

• Publicly known list of commodities C

• Input of every party:
  • Desired commodity cd at minimum quantity qd
  • Offered commodity co at maximum quantity qo


Benjamin Assadsolimani 32/43

Page 43: Bachelor Thesis - Presentation

Protocol Structure

1. Do the desired and offered commodities match?
  • Private Equality Test

2. Do the desired and offered quantities match?
  • 2x Secure Comparison

3. If both match:
  • Calculate exchange rates:
  • 2x Secure Comparison

Benjamin Assadsolimani 33/43


Page 45: Bachelor Thesis - Presentation

Support for Binary SC-Protocols

1. qo and qd are given as bit sequences instead of integers

2. Switch x and y to compute x < y instead of x > y

3. Share the encrypted output bit

4. Prove security of the new protocol in the semi-honest model

Benjamin Assadsolimani 34/43


Page 47: Bachelor Thesis - Presentation

Runtime commodity matching

[Plot: runtime (s), axis 0 to 15, over no. commodities, axis 0 to 4,000.]

Benjamin Assadsolimani 35/43

Page 48: Bachelor Thesis - Presentation

Influence Input Size

[Plot: runtime (s), axis 0 to 1,200, over input size (bits), axis 0 to 60. Series: Kersch. (no trade), Kersch. (trade), Nergiz (no trade), Nergiz (trade), Garay (no trade), Garay (trade).]

Benjamin Assadsolimani 36/43

Page 49: Bachelor Thesis - Presentation

Influence Input Size

[Plot: runtime (s), axis 0 to 40, over input size (bits), axis 0 to 60. Series: Kersch. (no trade), Kersch. (trade), Nergiz (no trade), Nergiz (trade).]

Benjamin Assadsolimani 37/43


Page 51: Bachelor Thesis - Presentation

Realistic Bartering Scenario

• Bartering is a common practice between small companies for trading otherwise idle resources

• A keysize of 1024 Bit gives sufficient security

• Parties agree on a publicly known list of commodities with 20 entries

• Max. input size lm is set to 10 Bit (m = 1024)

SC-Protocol      no-trade   trade    avg.
Kersch. et al.   0,53s      1,87s    1,25s
Nergiz et al.    1,58s      5,34s    3,43s
Garay et al.     18,38s     54,65s   35,57s

Table: Runtimes of the Bartering Protocol

Benjamin Assadsolimani 38/43


Page 53: Bachelor Thesis - Presentation

Conclusion

Binary SC-Protocols scale worse than Arithmetic SC-Protocols in the semi-honest model regarding:

• Input size

• Comp. complexity (keysize)

• Round complexity (latency)

In the context of a realistic bartering scenario, the performance is still reasonable:

• Binary SC-Protocols suitable for small input parameters

Binary SC-Protocols might perform better in the malicious model in the context of the bartering protocol:

• Arithmetic SC-Protocols might have a lot more overhead for security in the malicious model

Benjamin Assadsolimani 39/43

Page 54: Bachelor Thesis - Presentation

Are there any questions?

Benjamin Assadsolimani 40/43

Page 55: Bachelor Thesis - Presentation

Implementation Overview

Figure: Impl. using the SMC-MuSe Framework [Neugebauer et al., 2013]

Benjamin Assadsolimani 41/43


Page 57: Bachelor Thesis - Presentation

References I

Garay, J., Schoenmakers, B., and Villegas, J. (2007). Practical and Secure Solutions for Integer Comparison. Public Key Cryptography – PKC 2007, 4450:330–342.

Mayer, D., Wetzel, S., Meyer, U., and Stefan, W. (2014). A Secure Two-Party Bartering Protocol Using Privacy-Preserving Interval Operations. pages 57–66.

Mayer, D. a. (2012). Design and Implementation of Efficient Privacy-Preserving and Unbiased Reconciliation Protocols.

Nergiz, A. E., Nergiz, M. E., Pedersen, T., and Clifton, C. (2010). Practical and secure integer comparison and interval check. Proceedings - SocialCom 2010: 2nd IEEE International Conference on Social Computing, PASSAT 2010: 2nd IEEE International Conference on Privacy, Security, Risk and Trust, pages 791–799.

Benjamin Assadsolimani 42/43

Page 58: Bachelor Thesis - Presentation

References II

Neugebauer, G., Meyer, U., and Wetzel, S. (2013). SMC-MuSe: A Framework for Secure Multi-Party Computation on MultiSets. 43th GI-LNI Informatik, (December).

Schoenmakers, B. and Tuyls, P. (2006). Efficient binary conversion for Paillier encrypted values. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), 4004 LNCS:522–537.

Wueller, S., Meyer, U., Forg, F., and Wetzel, S. (2015). Privacy-Preserving Conditional Random Selection Extended Version.

Benjamin Assadsolimani 43/43