Secure signal processing in the cloud: enabling technologies for the preservation of...
Post on 23-Jan-2018
Dr. Juan R. Troncoso Pastoriza
troncoso@gts.uvigo.es
Secure Signal Processing in the Cloud
Enabling technologies for privacy-preserving multimedia cloud processing
Innovation in cybersecurity applied to the protection of digital identity #CIGTR2015
July 6 to 8
Madrid (Campus de Aranjuez, URJC)
• Cloud and Privacy
• Secure Signal Processing
• Practical SSP Cloud Scenarios
• Measuring Privacy
  • Privacy metrics and Notions
• Getting Practical: Privacy tools from SSP
  • Lattice Crypto and Homomorphic Encryption
• Mapping Complex to Real Solutions
  • Cipher Blow-up, Accuracy and Trade-offs
• Practical Applications
• Further info
Outline
• Cloud Computing Paradigm
  • Benefits (ubiquitous access, scalability, multi-tenancy, …)
• Multimedia Clouds
  • Amenable to distributed processing
  • Content delivery networks
  • Server-based computing
  • P2P Multimedia computing
• Multimedia-aware Clouds
• Cloud-aware Multimedia
• Privacy risks
Multimedia Clouds
• Security aspects
  • Authentication
  • Storage Encryption
  • Encrypted communications
• Privacy aspects
  • Geo-localization
  • Privacy legislations in different countries
  • Risk of losing control over outsourced data and processes
  • Trustworthiness of the Cloud
  • Privacy invasion (e.g., personalized ads)
Cloud and Privacy
Privacy ≠ Security
Privacy in Signal Processing
• Signal Processing deals with representation, analysis, transmission and restoration of signals
• Legal framework: EU Privacy Regulations
  • Directive 95/46/EC
  • Article 8 of the E.C. for the Protection of Human Rights and Fundamental Freedoms
  • Upcoming DP EU regulation (draft)
• Privacy in SP is a very broad and transversal subject
• Currently, privacy is mainly guaranteed through written consents
• An automated mechanism is needed to enforce privacy at two levels:
  • Signal privacy
  • Process privacy
• Examples of services and outsourced processes with private or sensitive signals
  • eHealth: semi-automated diagnosis or decision support (MRI, ECG, DNA, …)
  • Social media / social data mining
  • Smart metering: use of fine-grained metered data
  • Biometrics: outsourcing of authentication/identification processes (fingerprints, faces, iris)
  • Banking and financial information
  • Large scale/big data processing with sensitive data (social data, personal information, business-critical processes)
• Current situation: non-proportional collection or usage leads to unjustified user profiling
• SSP mission: enable secure services with
  • Integration of data protection supported by core technologies (efficient homomorphic processing, SMC, searchable encryption)
  • Versatile, flexible and efficient solutions
  • No impairment for service providers
  • Privacy guarantees and privacy management
Secure Signal Processing
• Secure Signal Processing (SSP) or Signal Processing in the Encrypted Domain (SPED)
  • Marriage of Cryptography and Signal Processing
  • Efficient Solutions for Privacy Problems in SP
  • Traditional cryptography can protect data during communication or storage, but it cannot prevent access to the data when they are sent to an untrustworthy party. Through advanced encryption techniques, SSP provides means to process signals while they are encrypted, without prior decryption and without the decryption key, thus enabling fully secure services like Cloud computing over encrypted data.
Secure Signal Processing
• Outsourced Biometric Recognition
SSP Privacy-aware scenarios
[Figure: Biometric Features (Private); Biometric Access Control; Recognition Results; Outsourced Recognition Logic; Outsourced Biometric Templates Database (Private); Untrusted Cloud]
• Outsourced e-Health
SSP Privacy-aware scenarios
[Figure: Untrusted Cloud; Health Institutions; Outsourced Medical Database (Private); Laboratory/Analysis Center; Patient; Data; Results; Private Query]
• Adaptive filtering: Outsourced control
SSP Privacy-aware scenarios
[Figure: Plant (Private); Plant sensed signals (Private); Plant input signals (Private); Control Signals; Outsourced Adaptive Control; Reference Model (Private); Untrusted Cloud]
SSP Cloud Scenarios
• General Scenario
� Set of mutually untrusted parties ��, … , ��� Private inputs ��, … , ��
�Target: evaluate ����, … , ��with no trusted parties.
• Cloud Scenario:
[Figure: Cloud (Untrustworthy)]
• Trust and adversary models
  • Semi-honest adversaries
  • Malicious adversaries
• Typically, semi-honest with malicious extensions
• Privacy framework
  • Means to quantify privacy and information leakage
  • Evaluate privacy level
  • Assess privacy requirements
• Privacy Metrics: Cryptography vs Signal Processing
  • Complexity theory vs information theory
Measuring Privacy
• Privacy Properties:
  • Anonymity: hiding the link between identity and action/piece of information
  • Pseudonymity: use of pseudonyms as IDs (one or multiple identities)
  • Unlinkability: hiding the link between two or more actions/identities/pieces of information
  • Unobservability: hiding user activity
  • Plausible deniability: impossible to prove a user knows or did something
Measuring Privacy
• Privacy metrics
  • Target: given an observation by an attacker, measure its estimation error
• Dalenius, 1977: first probabilistic notion of “disclosure”
  • in order to avoid disclosures from a given database: “nothing about an individual that could not be learned without access to the database should be learnable from the database”
• Dwork, 2006: No useful database can fulfill 0-disclosure
  • (Attribute) “Non-privacy”: A computationally bounded adversary can disclose (1 - ε) fraction of the database entries for any ε > 0
Measuring Privacy
• ε-differential privacy
� � Κ �� ∈ � ��� Κ �� ∈ , ⊆ ��
• (ε,δ)-differential privacy
� � Κ �� ∈ � ��� Κ �� ∈ � �, ⊆ ��
Differential Privacy
[Figure: databases D1 and D2; function f with outputs f(D1) and f(D2); mechanism Κ with outputs Κ(D1) and Κ(D2)]
• Obfuscation mechanisms for ε-differential privacy
  • Noise function of the sensitivity of f
�� � �����,��| � �� � � �� |�
��~!�"�#$
�
  • More sensitivity -> Higher noise level -> Reduced utility
Differential Privacy
[Figure: databases D1 and D2; function f; noise n added to each output; mechanism Κ with outputs Κ(D1) and Κ(D2)]
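The link between sensitivity, noise level and utility on the slide above can be checked numerically. The following is an added example, not code from the presentation; it assumes Laplace noise with scale sensitivity/ε (the usual choice for ε-differential privacy), and the data set, function names and ε value are constructed for illustration.

```python
import math
import random

def laplace_mechanism(value, sensitivity, epsilon, rng):
    """K(D) = f(D) + n, with n ~ Laplace(0, sensitivity / epsilon)."""
    scale = sensitivity / epsilon
    # The difference of two i.i.d. exponentials with mean `scale`
    # is Laplace(0, scale).
    return value + rng.expovariate(1 / scale) - rng.expovariate(1 / scale)

def mean_abs_error(value, sensitivity, epsilon, trials=20000, seed=1):
    """Utility loss: average |K(D) - f(D)| over many releases."""
    rng = random.Random(seed)
    total = sum(abs(laplace_mechanism(value, sensitivity, epsilon, rng) - value)
                for _ in range(trials))
    return total / trials

def max_density_ratio(f1, f2, sensitivity, epsilon, outputs):
    """Largest p[K(D1) = t] / p[K(D2) = t] over the tested outputs t."""
    b = sensitivity / epsilon
    return max(math.exp((abs(t - f2) - abs(t - f1)) / b) for t in outputs)

# Constructed sample data: ages clipped to [0, 100]; D2 is D1 minus one record.
D1 = [34, 51, 29, 77, 100]
D2 = D1[:-1]
EPS = 0.5
GRID = range(-500, 1000)

if __name__ == "__main__":
    # Counting query: one record changes the count by at most 1.
    print("count error:", mean_abs_error(len(D1), 1, EPS))
    # Sum query: one record changes the sum by at most 100.
    print("sum error:  ", mean_abs_error(sum(D1), 100, EPS))
    print("bound e^eps:", math.exp(EPS))
    print("count ratio:", max_density_ratio(len(D1), len(D2), 1, EPS, GRID))
    print("sum ratio:  ", max_density_ratio(sum(D1), sum(D2), 100, EPS, GRID))
    # Failure mode: noise calibrated to sensitivity 1 for the sum query.
    print("mis-calibrated sum ratio:",
          max_density_ratio(sum(D1), sum(D2), 1, EPS, [sum(D1)]))
```

The sum query needs 100 times the noise of the count query for the same ε, and calibrating it to the wrong sensitivity breaks the e^ε bound by many orders of magnitude.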
• Other metrics
  • Information theoretic
    • Secure information flow: seeks lack of leakage (non-interference)
    • Shannon-entropy (average error)
    • Min-entropy (worst-case error)
  • Based on Bayes risk
  • Anonymity-based
    • K-anonymity, l-diversity: hide a user in a population
  • Likelihood-based
    • Mean square error (estimation error)
• No convention on the best metric: case-dependent
Measuring Privacy
• Available SSP tools to produce privacy-preserving systems
  • SMC (Garbled Circuits)
  • Homomorphic Encryption (FHE, SHE)
  • Searchable Encryption and PIR
  • Secure (approximate) interactive protocols
  • Obfuscation mechanisms (diff. private)
Privacy Tools from SSP
• Computing models
  • Boolean Circuits
  • Arithmetic Circuits
  • Hybrid Approximation
• Primary concern: Protection of private information
  • Based on hard problems (traditional cryptography and secure cryptosystems and hash functions)
  • Adversary Model (active, passive, rational)
  • Possibility of collusion between corrupted parties
Secure Multiparty Computation (SMC)
Binary SMP Protocols
• Based on Yao’s garbled circuits: Obfuscated replica of the original circuit
• Phases:
  • Build the circuit gates (garbling: hashing and permutations)
  • Send the circuit
  • Oblivious transfer of the inputs
  • Evaluation: sequential pseudo-decryption
• Secure against passive adversaries (cut-and-choose)
• Efficient execution, versatile
• Communication Overhead
Secure Multiparty Computation
• First commercial practical use
  • January 2008: SMC in Denmark national auction for market price of sugar beet (1200 farmers).
  • Sell prices hidden and protected
  • It does not require a trusted third party
  • Protocol lasted 30 minutes (run once a year)
Homomorphic Encryption
• Fundamental idea (group homomorphisms):
� ��, � ⟶&' �(,∘
� *+ � � , � *+ � ∘ *+�, �./��
• Example: RSA (multiplicative)
� *+ � � �0 �./�
� �� 1 ,0� �0 1 ,0 �./�
• Example: Paillier (additive)
� *+ � � 1 � � 1 � 1 3��./��
� *+ � � , � *+ � 1 *+�, �./��, *+ � 1 4 � *+��
+�./��
• Cryptosystems with semantic security (IND-CPA)
��, � ⟶&' �(,1
��,1 ⟶&' �(,1
Homomorphic Encryption
• Efficient Communication
• Challenges
  • Computation overhead
  • Cipher expansion
  • Versatility (only additions or multiplications)
• Somewhat and Fully Homomorphic Cryptosystems (SHE/FHE)
• Lattice Crypto: promise for post-quantum crypto
  • Security based on worst-case assumptions
• Example: GGH (Goldreich, Goldwasser, Halevi) family
  • Two lattice bases
    • “Good” basis (5, private key)
    • “Bad” basis (6, public key, Hermite Normal Form)
� Encryption of �: 7 � * � � 8 � 9:�; (lattice point + noise)
  • Decryption: � < : 8> � 5 5?�<
  • Homomorphism:
�<� � <� � 8� � � �� � 8� � � �� � 8@ � � �� ���
Lattice Crypto and FHE/SHE
Gentry’s Lattice-based SHE Cryptosystem
• Gentry’s somewhat homomorphic cryptosystem
  • Can execute a limited-depth circuit, binary inputs
  • How to get unlimited homomorphic operations?
    • Decrypt under encryption
    • Squash of decryption circuit to fit homomorphic capacity
[Figure: Fresh Encryption (coded message + random noise); Decryption Radius (homomorphic “capacity”); Non-fresh Encryption (after homomorphic op.); noise norm grows after homomorphic operations]
Gentry’s Cryptographic Bootstrapping
• For a lattice-based cryptosystem
Bootstrapping for FHE
[Figure: SHE ∑(L), only valid when f is of depth < L; if Dec (squashed) has depth < L; FHE ∑]
• Bootstrapping is costly
• SHE is more efficient and a perfect candidate for SSP
• A practical extension [TPFPG12]:
  • Works with non-binary plaintexts (increases fresh encryption norm)
  • Trades off full homomorphism for homomorphic capacity
  • Keeps key generation procedure
  • Negligible impact on decryption performance
SHE or FHE
• Searchable Encryption
  • PEKS (Keyword Search)
  • Encrypted keywords are associated with the (regular) cryptotext
  • It is possible to match encrypted keywords and search efficiently
• Private Information Retrieval (PIR)
  • Alice asks for an element �A from Bob’s database
  • Bob sends �A without knowing B
  • Simple example with HE
Searchable Encryption and PIR
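The additive Paillier homomorphism from the Homomorphic Encryption slide and the "simple example with HE" for PIR fit in one sketch. This is an added example, not code from the presentation; it assumes Paillier with generator n + 1, toy key sizes, and function names and database values constructed for illustration.

```python
import math
import secrets

def keygen(p=2**31 - 1, q=2**61 - 1):
    """Toy Paillier key from two Mersenne primes (demo size, not secure)."""
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)  # lcm(p-1, q-1)
    mu = pow(lam, -1, n)  # valid because the generator is g = n + 1
    return n, (lam, mu)

def encrypt(n, m):
    """E(m) = (1 + m*n) * r^n mod n^2 with fresh random r (IND-CPA)."""
    n2 = n * n
    r = secrets.randbelow(n - 1) + 1
    while math.gcd(r, n) != 1:
        r = secrets.randbelow(n - 1) + 1
    return (1 + m * n) * pow(r, n, n2) % n2

def decrypt(n, sk, c):
    lam, mu = sk
    return (pow(c, lam, n * n) - 1) // n * mu % n

def add(n, c1, c2):
    """E(x + y) = E(x) * E(y) mod n^2."""
    return c1 * c2 % (n * n)

def scale(n, c, k):
    """E(k * x) = E(x)^k mod n^2 for a clear-text constant k."""
    return pow(c, k, n * n)

def pir_query(n, index, size):
    """Alice: encrypted one-hot selector; Bob cannot tell which slot is 1."""
    return [encrypt(n, int(i == index)) for i in range(size)]

def pir_answer(n, database, query):
    """Bob: homomorphic inner product sum(x_i * b_i) = x_index, encrypted."""
    acc = 1  # 1 is a valid (trivial) encryption of 0
    for x, c in zip(database, query):
        acc = add(n, acc, scale(n, c, x))
    return acc

if __name__ == "__main__":
    n, sk = keygen()
    db = [17, 4242, 99, 65535]  # constructed 16-bit records held by Bob
    reply = pir_answer(n, db, pir_query(n, 2, len(db)))
    print("retrieved:", decrypt(n, sk, reply))
    print("ciphertext bits per 16-bit record:", (n * n).bit_length())
```

The query is as long as the database and every ciphertext is twice the modulus size, which is the communication overhead and cipher expansion the later slides discuss.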
Obfuscation mechanisms
• Adding noise to get private outputs (DP)
• Very low overhead
• Reduced utility
  • In an untrusted environment, they must be combined with encryption
Wrap-up
• There are only limited (secure) privacy homomorphisms known
• The limitations of HE can be tackled through interaction (non-colluding parties)
• Solutions for complex operations
  • Specific interactive protocols
  • Hybrid protocols homomorphic/garbled circuits
• Full Homomorphisms (allowing any function) are not practical… yet
  • Hot research topic
• Privacy ⇒ Overhead
  • Computational load
  • Communication cost (bandwidth, rounds)
• Cloud Scenario Limitations
  • Bandwidth of customer-cloud link
  • Computational overhead on the client
  • Multi-user settings
• Main challenge
  • Efficient specific combination of techniques
  • HE + cipher blow-up
Practical limitations
• Example of ubiquitous SP function: adaptive filtering
  • LMS filter
�,+ � E+FG+, E+H� � E+ � I 1 G+�/+ � ,+
0'
  • Privacy-preserving implementation only with additive HE
  • Inputs must be quantized before encryption (factor Δ)
� After 4 iterations⇒ factor Δ+H�
� For inputs in �1,1
�The cipher blows in k �KLM �
KLM #� 2 iterations
  • HE is not enough to cope with cipher blow-up
Practical limitations: LMS
• Quantization (encryption) or noise (obfuscation) affects accuracy and utility ⇒ privacy vs utility
  • Interplay between communication, computation and accuracy
  • Cipher expansion (Paillier): 4096 bits / 16 bits
    • Mitigated by SIMD packing strategies
  • Cipher blow-up
    • Solved through a secure rescaling primitive (interactive)
Practical limitations: tradeoffs
• General tradeoff: privacy-utility-efficiency
• Cost function per application
• The privacy-preserving solution must optimize the cost function
Practical limitations: tradeoffs
[Figure: privacy; utility; efficiency]
• Private Interference Cancellation
• Private Adaptive Beamforming
• Private Model-Reference Adaptive Control (MRAC)
• Private Noninteractive Face Verification
Example Applications
Example of secure DNA Query: approximate search
[Figure: Traditional query system. Patient; Expert System; genetic disease pattern CAGCTGCTTACC; patient’s genetic sequence ACGATGCTAGCTCCTGGCTCGAGATCGATCGCTAGCAGCTCGCATCCAGCTGCTTACCATCGCAGCCAGACTAGCTAGCCTACAACTACGCATCGACATCGCATGACCCGCTCGAAT; the system leaks the patient’s DNA]
[Figure: Private Query System (SSP). Patient; Expert System; genetic disease pattern; encrypted patient’s genetic code; the result is obtained without disclosing the patient’s DNA]
Example: Architecture for Secure Medical Clouds
• Execution of calculations on Encrypted Data
• Interprets SSP primitives
• Models compiled to SSP primitives
• Keys needed for encryption & decryption of private data
• Cryptographic module
• Communication module
• Server-side data encryption
• Data off-line pre-processing
• Secure Storage of encrypted data
• Definition and quantification of privacy in a rich variety of Multimedia Cloud scenarios and complex functions
  • DP-preserving transformations
• Communication burden in the customer link
  • Unattended private processing (SHE)
• FHE in Cloud
  • Efficient private execution of non-polynomial functions
  • Multi-user multi-key operation
• Searches in Cloud
  • PRISM: Encrypted Map-Reduce with PIR
• Resource utilization and billing
Current research lines and challenges in SSP for Cloud
Multi-client multi-key computing
• Privacy-aware Cloud Scenarios [vDJ10]
• Private single-client computing
• Private multi-client computing
• Stateful private multi-client computing
• Not solvable with FHE alone
• Access control mechanism
• Multi-key operation
Solvable by FHE alone
[Figure: Computing Server (CS) with Encrypted Inputs and Results; Computing Server (CS) with Encrypted Inputs and Results; Computing Server (CS) with Clear Inputs and Results in a Trusted Cloud, with Encrypted Inputs and Results]
Multi-client multi-key computing
• Current approaches
1. Trusted element [BNSS11]
2. Multi-Server Secure protocol [PTK13]
3. Multi-key enabled FHE [LATV12]
• Leverage FHE bootstrapping as proxy-reencryption
• Approach between 2. and 3.
• Proxy reencryption
1. Full delegation
2. Delegation to Helper Server
3. Delegation to set of users
[Figure: Helper; Master; Cloud; Computing Server (CS); Secure Protocol; Multi-key FHE; Joint Decryption; Encrypted Inputs and Results]
Bootstrapping for proxy reencryption
• Idea: bootstrapping into a different key
• Needed helper data: “encryption” of sk1 under pk2
Multi-key solution through bootstrapping
• SSP is not only targeted at Cloud
• Any untrustworthy distributed/outsourced environment
SSP for Other Applications
[Figure: Electricity Distribution Grid; Electricity Producers 1, 2, …, n; Grid Operator; Data Aggregator; Communication Network; Consumers; Smart Meters. Legend: Electricity Flow; Data Flow; Control/Signalling]
Secure Signal Processing Publications
• A. Pedrouzo-Ulloa, J.R. Troncoso-Pastoriza, and F. Pérez-González, “Multivariate Lattices for Encrypted Image Processing”, in IEEE ICASSP 2015
• J.R. Troncoso-Pastoriza, S. Caputo, “Bootstrap-based Proxy Reencryption for Private Multi-user Computing”, IEEE WIFS 2014
• J. R. Troncoso-Pastoriza, D. González-Jiménez, and F. Pérez-González, “Fully Private Noninteractive Face Verification”, IEEE TIFS, vol. 8(7), 2013
• Z. Erkin, J.R. Troncoso-Pastoriza, R. Lagendijk, and F. Pérez-González, “Privacy-Preserving Data Aggregation in Smart Metering Systems: An Overview”, IEEE SPM, vol. 30(2), 2013
• J. R. Troncoso-Pastoriza and F. Pérez-González, “Secure Signal Processing in the Cloud: enabling technologies for privacy-preserving multimedia cloud processing”, IEEE SPM, vol. 30(2), 2013
• J. R. Troncoso-Pastoriza and F. Pérez-González, “Secure Adaptive Filtering”, IEEE TIFS, vol. 6(2), 2011
• J. R. Troncoso-Pastoriza and F. Pérez-González, “Secure and Private Medical Clouds using Encrypted Processing”, in Virtual Physiological Human (VPH), Brussels, Belgium, 2010
Related Patents
• US Patents No. 8433925, 8837715, 8843762, 8972742
• US Patent Pending, No. 12/876229
• EPO Patent Pending, No. EP10175467
Further info
• RIA co-funded by the EU H2020 Programme
• A framework for end-to-end protection of data in untrusted and fast-evolving ICT-based environments, esp. Cloud
• Instantiated and validated in two application scenarios with demanding privacy requirements to protect sensitive data
  • Genomic processing
  • Financial calculations
• More info: http://witdom.eu
Ongoing related EU projects
empoWering prIvacy and securiTy in non-trusteD envirOnMents
http://gpsc.uvigo.es/juan-ramon-troncoso-pastoriza
Twitter: @juanrtroncoso