Cryptography: on the Hope for Privacy in a Digital World
Omer Reingold
Weizmann and Harvard CRCS

So, is there Hope for Privacy?
• No! Privacy is doomed! Enjoy your sandwiches …
  : Is this what we invited you for?
• On second thought, the digital world gives new hope for privacy!
  – Selling digital goods (w/ Bill Aiello and Yuval Ishai)
  – Keyword database search (w/ Mike Freedman, Yuval Ishai, and Benny Pinkas)

Day to Day Breaches of Privacy
• When/how can it be better?

Anonymity?
Not in this Talk!
[Figure: Alice and Bob, with speech bubbles "I can call you Betty, and Betty, when you call me, you can call me Al!" and "Call me Al ......"]

Selling Digital Goods
• How good are digital goods?
  – Entertainment: TV, music, video, books, software
  – Business: news, stock quotes, patents, layoff rumors
  – Research: papers, research databases, clip-art
• What’s special about digital goods?
  – Typically of unlimited supply (easy to duplicate).
  – Easy to communicate and manipulate.
• Main goal: protect the privacy of clients
  – What
  – When
  – How much
  – (But not who)

Example
[Figure: Vendor and Buyer; labels "Encrypted Individually" and "Key of ‘ ’"]

Oblivious Transfer (OT) [R], 1-out-of-N [EGL]:
– Input:
  • Vendor: x1,x2,…,xn
  • Buyer: j, 1≤j≤n
– Output:
  • Vendor: nothing
  • Buyer: xj
– Privacy:
  • Vendor: learns nothing about j
  • Buyer: learns nothing about xi for i ≠ j
– Not necessarily two messages
– Related notions: Private Information Retrieval [CGKS] / Symmetrically-Private Information Retrieval [GIKM]

Priced OT [AIR]
[Diagram: Vendor and Buyer]
• Initial payment $ b0; set b=b0
• Vendor: prices p0=0, p1, p2, …, pn; items k0, k1, k2, …, kn
• Buyer: input i, output ki
• Vendor: b ← b − pi

Comparison with E-cash [Cha85,CFN88,...]
            Payment   Goods     Hides    Access to goods
E-cash      digital   any       who      anonymous
Priced OT   any       digital   what +   any

General Perspective
• Priced OT is an instance of secure two-party computation.
• Theoretical plausibility results are known [Yao,GMW].
• However: General solutions are costly (computation, bandwidth, rounds).
• A major endeavor in cryptography: Identifying interesting specific problems and suggesting more efficient solutions.

Tool: Homomorphic Encryption
• Plaintexts from (G,+)
  E(a), E(b) → E(a+b)
  E(a), c → E(c·a)
• |G| large prime
• Can use either additive G=ZP or multiplicative G ⊆ Z*P
• In particular, can use El-Gamal.

Conditional Disclosure of Secrets [GIKM,AIR]
[Diagram: Buyer, holding (sk,pk), sends E(q), pk to Vendor; Vendor, holding a, replies with E(a), or with E(CDS( a ; V(q) ))]
• Honest Buyer: V(q) = True
• How to protect against a malicious Buyer?
  – Method 1: Buyer proves in ZK that V(q) = True;
  – Method 2: Vendor discloses a subject to the condition V(q) = True.
    • Notation: CDS( a ; V(q) )

Conditional Disclosure of Secrets - Implementation
[Diagram: Buyer, holding (sk,pk), sends E(q), pk to Vendor; Vendor, holding a, replies with E(CDS( a ; V(q) ))]
a, q, i ∈ G
CDS(a ; q=i) : a + r(q−i), r ∈R {1,…,|G|}
E is homomorphic - E(CDS( a ; V(q) )) can be computed from E(q)
• Information-theoretic security for Vendor (hides a).
• Need to verify “validity” of pk; Easy for El-Gamal!

Application: 1-Round OT* [AIR,NP]
[Diagram: Buyer holds q, (sk,pk); Vendor holds x1, x2, …, xn]
Buyer → Vendor: E(q), pk
Vendor → Buyer: E(CDS(x1 ; q=1)), … , E(CDS(xn ; q=n))
* Weakened / incomparable notion of security vs. simulation:
• Vendor’s security: purely information-theoretic
• Buyer’s security: privacy only.

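The one-round OT above, as an added example that is not from the original slides: a Python sketch over multiplicative El-Gamal, where the slide's additive CDS(a ; q=i) = a + r(q−i) becomes a·(q/i)^r in G. The toy group (P=2579), the item encoding and all function names are assumptions chosen for illustration.

```python
import secrets

# Toy parameters (assumption, far too small for real use): safe prime P = 2Q + 1,
# G = the order-Q subgroup of quadratic residues in Z*_P, generated by GEN.
P, Q, GEN = 2579, 1289, 4

def encode(m):
    """Map an item 1..Q to an element of G (exactly one of m, P-m is a residue)."""
    if not 1 <= m <= Q:
        raise ValueError("item out of range")
    return m if pow(m, Q, P) == 1 else P - m

def decode(y):
    return y if y <= Q else P - y

def in_group(y):
    return 0 < y < P and pow(y, Q, P) == 1

def buyer_query(j):
    """Buyer: fresh key pair and E(q), with index j encoded as q = GEN^j."""
    sk = secrets.randbelow(Q - 1) + 1
    pk = pow(GEN, sk, P)
    t = secrets.randbelow(Q)
    return sk, (pk, pow(GEN, t, P), pow(GEN, j, P) * pow(pk, t, P) % P)

def vendor_reply(items, msg):
    """Vendor: E(CDS(x_i ; q = i)) for every i, computed from E(q) alone."""
    pk, u, v = msg
    if not all(in_group(y) for y in msg):        # "validity" check on pk and E(q)
        raise ValueError("key or ciphertext outside G")
    reply = []
    for i, x in enumerate(items, start=1):
        r = secrets.randbelow(Q) + 1             # r in {1,...,|G|}
        s = secrets.randbelow(Q)                 # fresh randomness for E(x_i)
        qi = v * pow(GEN, -i, P) % P             # second component of E(q - i)
        reply.append((pow(u, r, P) * pow(GEN, s, P) % P,
                      encode(x) * pow(qi, r, P) * pow(pk, s, P) % P))
    return reply

def buyer_open(sk, reply, j):
    """Buyer: decrypt slot j. Any other slot decrypts to x_i masked by GEN^(r(j-i))."""
    u, v = reply[j - 1]
    return decode(v * pow(u, -sk, P) % P)
```

The subgroup check is what makes the mask uniform over G for every i ≠ j; without it a Buyer could submit values outside G.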
Database Search
• OT/PIR/SPIR allow private retrieval of the i-th entry of a database. Efficiency depends linearly (at least) on the size of the database.
• Sometimes this is not enough. For example, consider a list of fraudulent card numbers. A merchant wants to check if a particular number is in the list.
• Use OT/PIR?
  – Table of 10^16 ≈ 2^53 entries, 1 if fraudulent, 0 otherwise?
• Works on supporting more general database search.

Keyword Search (KS): definition
• Input:
  – Server: database X={ (xi,pi) }, 1 ≤ i ≤ N
    • xi is a keyword (e.g. number of a corrupt card)
    • pi is the payload (e.g. why card is corrupt)
  – Client: search word w (e.g. credit card number)
• Output:
  – Server: nothing
  – Client:
    • pi if ∃ i : xi = w
    • otherwise nothing
[Diagram: Server holds (x1,p1), (x2,p2), …, (xn,pn); Client holds w; Client output: (xj,pj) iff w=xj]

Conclusions
• Our expectation of privacy in the “digital world” should not be bound by our “physical world” experiences.
• The ability to duplicate, manipulate and communicate digital information is key.
• Very powerful cryptographic tool in the form of secure function evaluation.
• Research on efficient instantiations, possibly with some security relaxations.