![Page 2: Secure Multi-Party Computation › ~msheikhalishahi › MPC.pdf · Attack Scenarios •Chosen-Plaintext Attack (CPA): In this attack, the adversary has the ability to obtain the encryption](https://reader031.vdocuments.net/reader031/viewer/2022011904/5f1e08d03c5f195f1b7737da/html5/thumbnails/2.jpg)
Scenario 1: Love Game
Alice and Bob meet at a pub
If both want to date , they will find out
If Alice doesn’t want to date, she won’t learn his intention
If Bob doesn’t want to date, he won’t learn her intention
• One solution: a trusted person
![Page 3: Secure Multi-Party Computation › ~msheikhalishahi › MPC.pdf · Attack Scenarios •Chosen-Plaintext Attack (CPA): In this attack, the adversary has the ability to obtain the encryption](https://reader031.vdocuments.net/reader031/viewer/2022011904/5f1e08d03c5f195f1b7737da/html5/thumbnails/3.jpg)
Scenario 2: Finding Potential Terrorists
Intelligence agencies holds lists of potential terrorists
They like to compute the intersection
Any other information must remain secret
One solution: use a trusted party
MossadMI5 FBI
![Page 4: Secure Multi-Party Computation › ~msheikhalishahi › MPC.pdf · Attack Scenarios •Chosen-Plaintext Attack (CPA): In this attack, the adversary has the ability to obtain the encryption](https://reader031.vdocuments.net/reader031/viewer/2022011904/5f1e08d03c5f195f1b7737da/html5/thumbnails/4.jpg)
Scenario 3: Face Recognition
Bob owns a list of face images, and Alice owning one face image is interested in knowing whether this image belongs to Bob list or not.
The output will be 1 (or ID of corresponding match), or zero (if no match).
• one solution: use a trusted party.
4
![Page 5: Secure Multi-Party Computation › ~msheikhalishahi › MPC.pdf · Attack Scenarios •Chosen-Plaintext Attack (CPA): In this attack, the adversary has the ability to obtain the encryption](https://reader031.vdocuments.net/reader031/viewer/2022011904/5f1e08d03c5f195f1b7737da/html5/thumbnails/5.jpg)
Scenario 4: Auction
Several parties wish to execute a private auction.
The highest bid win.
Only the amount of highest bid (and bidder) is revealed.
• One solution: use trusted auctioneer
![Page 6: Secure Multi-Party Computation › ~msheikhalishahi › MPC.pdf · Attack Scenarios •Chosen-Plaintext Attack (CPA): In this attack, the adversary has the ability to obtain the encryption](https://reader031.vdocuments.net/reader031/viewer/2022011904/5f1e08d03c5f195f1b7737da/html5/thumbnails/6.jpg)
Scenario 5: Distributed Data Clustering
Two (or more) agents are willing to construct a data clustering algorithm on whole of their data, without revealing their datasets.
All agents obtain the structure of clustering algorithm built on whole data, but not the inputs of others.
• One solution: use trusted party.
6
![Page 7: Secure Multi-Party Computation › ~msheikhalishahi › MPC.pdf · Attack Scenarios •Chosen-Plaintext Attack (CPA): In this attack, the adversary has the ability to obtain the encryption](https://reader031.vdocuments.net/reader031/viewer/2022011904/5f1e08d03c5f195f1b7737da/html5/thumbnails/7.jpg)
Secure Multiparty Computation
In all scenarios the solution of an external trusted third party works.
Trusting a third party is a very strong assumption.
Can we do better?
We would like a solution with the same security guarantees, but without using any trusted party.
![Page 8: Secure Multi-Party Computation › ~msheikhalishahi › MPC.pdf · Attack Scenarios •Chosen-Plaintext Attack (CPA): In this attack, the adversary has the ability to obtain the encryption](https://reader031.vdocuments.net/reader031/viewer/2022011904/5f1e08d03c5f195f1b7737da/html5/thumbnails/8.jpg)
Goal: use a protocol which works without the presence of trusted party
MossadMI5FBI
X X
X X
![Page 9: Secure Multi-Party Computation › ~msheikhalishahi › MPC.pdf · Attack Scenarios •Chosen-Plaintext Attack (CPA): In this attack, the adversary has the ability to obtain the encryption](https://reader031.vdocuments.net/reader031/viewer/2022011904/5f1e08d03c5f195f1b7737da/html5/thumbnails/9.jpg)
Setting
Party 𝑃𝑖 (1 ≤ i ≤ n) has private input 𝑥𝑖.
The parties wish to jointly compute a (known) function𝑦 = 𝑓 (𝑥1, … , 𝑥𝑛).
The computation must preserve certain security properties,even is some of the parties collude and maliciously attackthe protocol.
This is generally modeled by an external adversary 𝒜 thatcorrupts some parties and coordinates their actions.
![Page 10: Secure Multi-Party Computation › ~msheikhalishahi › MPC.pdf · Attack Scenarios •Chosen-Plaintext Attack (CPA): In this attack, the adversary has the ability to obtain the encryption](https://reader031.vdocuments.net/reader031/viewer/2022011904/5f1e08d03c5f195f1b7737da/html5/thumbnails/10.jpg)
Security Requirements
Correctness: parties obtain correct output .
Privacy: only the output is learned.
Independence of inputs: parties cannot choose their inputs as a function of other parties’ inputs.
Fairness: if one party learns the output, then all parties learn the output.
Guaranteed output delivery: all honest parties learn the output.
![Page 11: Secure Multi-Party Computation › ~msheikhalishahi › MPC.pdf · Attack Scenarios •Chosen-Plaintext Attack (CPA): In this attack, the adversary has the ability to obtain the encryption](https://reader031.vdocuments.net/reader031/viewer/2022011904/5f1e08d03c5f195f1b7737da/html5/thumbnails/11.jpg)
The Security Requirements of Auction Example
Correctness: 𝒜 can’t win using lower bid than the highest.
Privacy: 𝒜 learns the highest bid out of all inputs, nothingelse.
Independence of inputs: 𝒜 can’t bid one dollar more thanthe highest (honest) bid.
Fairness: 𝒜 can’t abort the auction if his bid isn’t thehighest (i.e., after learning the result).
Guaranteed output delivery: 𝒜 can’t abort (stronger thanfairness, no DoS attacks).
![Page 12: Secure Multi-Party Computation › ~msheikhalishahi › MPC.pdf · Attack Scenarios •Chosen-Plaintext Attack (CPA): In this attack, the adversary has the ability to obtain the encryption](https://reader031.vdocuments.net/reader031/viewer/2022011904/5f1e08d03c5f195f1b7737da/html5/thumbnails/12.jpg)
Attack Scenarios
• Chosen-Plaintext Attack (CPA): In this attack, the adversary has the abilityto obtain the encryption of any plaintext(s) of its choice. It then attemptsto determine the plaintext that was encrypted to give some otherciphertext.
• Chosen-Ciphertext Attack (CCA): The other type of attack is one where theadversary is even given the capability to obtain the decryption of anyciphertext(s) of its choice. The adversary's aim, once again, is then todetermine the plaintext that was encrypted to give some other ciphertext(whose decryption the adversary is unable to obtain directly).
12
![Page 13: Secure Multi-Party Computation › ~msheikhalishahi › MPC.pdf · Attack Scenarios •Chosen-Plaintext Attack (CPA): In this attack, the adversary has the ability to obtain the encryption](https://reader031.vdocuments.net/reader031/viewer/2022011904/5f1e08d03c5f195f1b7737da/html5/thumbnails/13.jpg)
13
Homomorphic Encryption
![Page 14: Secure Multi-Party Computation › ~msheikhalishahi › MPC.pdf · Attack Scenarios •Chosen-Plaintext Attack (CPA): In this attack, the adversary has the ability to obtain the encryption](https://reader031.vdocuments.net/reader031/viewer/2022011904/5f1e08d03c5f195f1b7737da/html5/thumbnails/14.jpg)
Homomorphic Encryption
Homomorphic encryption is a form of encryption that allowscomputation on ciphertexts, generating an encrypted result that whendecrypted it matches the result of the operations as if they had beenperformed on the plaintext.
14
![Page 15: Secure Multi-Party Computation › ~msheikhalishahi › MPC.pdf · Attack Scenarios •Chosen-Plaintext Attack (CPA): In this attack, the adversary has the ability to obtain the encryption](https://reader031.vdocuments.net/reader031/viewer/2022011904/5f1e08d03c5f195f1b7737da/html5/thumbnails/15.jpg)
Number Theory
![Page 16: Secure Multi-Party Computation › ~msheikhalishahi › MPC.pdf · Attack Scenarios •Chosen-Plaintext Attack (CPA): In this attack, the adversary has the ability to obtain the encryption](https://reader031.vdocuments.net/reader031/viewer/2022011904/5f1e08d03c5f195f1b7737da/html5/thumbnails/16.jpg)
RSA: Multiplicative Homomorphism
16
![Page 17: Secure Multi-Party Computation › ~msheikhalishahi › MPC.pdf · Attack Scenarios •Chosen-Plaintext Attack (CPA): In this attack, the adversary has the ability to obtain the encryption](https://reader031.vdocuments.net/reader031/viewer/2022011904/5f1e08d03c5f195f1b7737da/html5/thumbnails/17.jpg)
Key Generation:
17
![Page 18: Secure Multi-Party Computation › ~msheikhalishahi › MPC.pdf · Attack Scenarios •Chosen-Plaintext Attack (CPA): In this attack, the adversary has the ability to obtain the encryption](https://reader031.vdocuments.net/reader031/viewer/2022011904/5f1e08d03c5f195f1b7737da/html5/thumbnails/18.jpg)
Decryption
18
![Page 19: Secure Multi-Party Computation › ~msheikhalishahi › MPC.pdf · Attack Scenarios •Chosen-Plaintext Attack (CPA): In this attack, the adversary has the ability to obtain the encryption](https://reader031.vdocuments.net/reader031/viewer/2022011904/5f1e08d03c5f195f1b7737da/html5/thumbnails/19.jpg)
Security of RSA
• CPA: RSA encryption is deterministic encryption algorithm (i.e. has norandom component). Hence, an attacker can successfully launch achosen plaintext attack by encrypting likely plaintexts under thepublic key and test if they are equal to the ciphertext.
• CCA: Because of multiplicative property of RSA, it is not secureagainst CCA attack as well.
19
![Page 20: Secure Multi-Party Computation › ~msheikhalishahi › MPC.pdf · Attack Scenarios •Chosen-Plaintext Attack (CPA): In this attack, the adversary has the ability to obtain the encryption](https://reader031.vdocuments.net/reader031/viewer/2022011904/5f1e08d03c5f195f1b7737da/html5/thumbnails/20.jpg)
ElGamal: Multiplicative Homomorphism
20
![Page 21: Secure Multi-Party Computation › ~msheikhalishahi › MPC.pdf · Attack Scenarios •Chosen-Plaintext Attack (CPA): In this attack, the adversary has the ability to obtain the encryption](https://reader031.vdocuments.net/reader031/viewer/2022011904/5f1e08d03c5f195f1b7737da/html5/thumbnails/21.jpg)
Decryption
21
![Page 22: Secure Multi-Party Computation › ~msheikhalishahi › MPC.pdf · Attack Scenarios •Chosen-Plaintext Attack (CPA): In this attack, the adversary has the ability to obtain the encryption](https://reader031.vdocuments.net/reader031/viewer/2022011904/5f1e08d03c5f195f1b7737da/html5/thumbnails/22.jpg)
Security of ElGamal
• CPA: Elgamal encryption scheme provides semantic security againstchosen-plaintext attack resulting from random component.
• CCA: Because of multiplicative property of ElGamal, it is not secureagainst CCA attack. For example, given an encryption (𝑐1, 𝑐2) ofsome message 𝑚 , one can easily construct a valid encryption(𝑐1, 2𝑐2) of message 2𝑚.
22
![Page 23: Secure Multi-Party Computation › ~msheikhalishahi › MPC.pdf · Attack Scenarios •Chosen-Plaintext Attack (CPA): In this attack, the adversary has the ability to obtain the encryption](https://reader031.vdocuments.net/reader031/viewer/2022011904/5f1e08d03c5f195f1b7737da/html5/thumbnails/23.jpg)
Paillier: Additive Homomorphism
23
![Page 24: Secure Multi-Party Computation › ~msheikhalishahi › MPC.pdf · Attack Scenarios •Chosen-Plaintext Attack (CPA): In this attack, the adversary has the ability to obtain the encryption](https://reader031.vdocuments.net/reader031/viewer/2022011904/5f1e08d03c5f195f1b7737da/html5/thumbnails/24.jpg)
Encryption
24
![Page 25: Secure Multi-Party Computation › ~msheikhalishahi › MPC.pdf · Attack Scenarios •Chosen-Plaintext Attack (CPA): In this attack, the adversary has the ability to obtain the encryption](https://reader031.vdocuments.net/reader031/viewer/2022011904/5f1e08d03c5f195f1b7737da/html5/thumbnails/25.jpg)
DecryptionNumber Theory
Carmichael’s Theorem:
![Page 26: Secure Multi-Party Computation › ~msheikhalishahi › MPC.pdf · Attack Scenarios •Chosen-Plaintext Attack (CPA): In this attack, the adversary has the ability to obtain the encryption](https://reader031.vdocuments.net/reader031/viewer/2022011904/5f1e08d03c5f195f1b7737da/html5/thumbnails/26.jpg)
Paillier Encryption SchemeKey generation and Encryption
![Page 27: Secure Multi-Party Computation › ~msheikhalishahi › MPC.pdf · Attack Scenarios •Chosen-Plaintext Attack (CPA): In this attack, the adversary has the ability to obtain the encryption](https://reader031.vdocuments.net/reader031/viewer/2022011904/5f1e08d03c5f195f1b7737da/html5/thumbnails/27.jpg)
Decryption
![Page 28: Secure Multi-Party Computation › ~msheikhalishahi › MPC.pdf · Attack Scenarios •Chosen-Plaintext Attack (CPA): In this attack, the adversary has the ability to obtain the encryption](https://reader031.vdocuments.net/reader031/viewer/2022011904/5f1e08d03c5f195f1b7737da/html5/thumbnails/28.jpg)
Homomorphic Properties
28
![Page 29: Secure Multi-Party Computation › ~msheikhalishahi › MPC.pdf · Attack Scenarios •Chosen-Plaintext Attack (CPA): In this attack, the adversary has the ability to obtain the encryption](https://reader031.vdocuments.net/reader031/viewer/2022011904/5f1e08d03c5f195f1b7737da/html5/thumbnails/29.jpg)
Security of Paillier
• CPA : Paillier encryption scheme provides semantic security againstchosen-plaintext attack. The ability to successfully distinguish thechallenge ciphertext essentially amounts to the ability to decidecomposite residuosity. The semantic security of the Paillierencryption scheme was proved under the decisional compositeresiduosity (DCR) assumption—the DCR problem is intractable.
• CCA: Paillier encryption is malleable and therefor does not protectagainst chosen-ciphertext attack.
29
![Page 30: Secure Multi-Party Computation › ~msheikhalishahi › MPC.pdf · Attack Scenarios •Chosen-Plaintext Attack (CPA): In this attack, the adversary has the ability to obtain the encryption](https://reader031.vdocuments.net/reader031/viewer/2022011904/5f1e08d03c5f195f1b7737da/html5/thumbnails/30.jpg)
31
Secure Multi-party Computation Protocols
![Page 31: Secure Multi-Party Computation › ~msheikhalishahi › MPC.pdf · Attack Scenarios •Chosen-Plaintext Attack (CPA): In this attack, the adversary has the ability to obtain the encryption](https://reader031.vdocuments.net/reader031/viewer/2022011904/5f1e08d03c5f195f1b7737da/html5/thumbnails/31.jpg)
Scenario 1:Love Game
32
![Page 32: Secure Multi-Party Computation › ~msheikhalishahi › MPC.pdf · Attack Scenarios •Chosen-Plaintext Attack (CPA): In this attack, the adversary has the ability to obtain the encryption](https://reader031.vdocuments.net/reader031/viewer/2022011904/5f1e08d03c5f195f1b7737da/html5/thumbnails/32.jpg)
Love Game
• The game is actually multiplication.
![Page 33: Secure Multi-Party Computation › ~msheikhalishahi › MPC.pdf · Attack Scenarios •Chosen-Plaintext Attack (CPA): In this attack, the adversary has the ability to obtain the encryption](https://reader031.vdocuments.net/reader031/viewer/2022011904/5f1e08d03c5f195f1b7737da/html5/thumbnails/33.jpg)
Additive Homomorphic ElGamal Cryptosystem
Additively homomorphic ELGamal
![Page 34: Secure Multi-Party Computation › ~msheikhalishahi › MPC.pdf · Attack Scenarios •Chosen-Plaintext Attack (CPA): In this attack, the adversary has the ability to obtain the encryption](https://reader031.vdocuments.net/reader031/viewer/2022011904/5f1e08d03c5f195f1b7737da/html5/thumbnails/34.jpg)
Secure Multiplication with plaintext input
![Page 35: Secure Multi-Party Computation › ~msheikhalishahi › MPC.pdf · Attack Scenarios •Chosen-Plaintext Attack (CPA): In this attack, the adversary has the ability to obtain the encryption](https://reader031.vdocuments.net/reader031/viewer/2022011904/5f1e08d03c5f195f1b7737da/html5/thumbnails/35.jpg)
References
• Essential-reading:
• Berry Schoenmakers, Lecture Notes Cryptographic Protocols, Chapter 7.
• Recommended reading
• Oded Goldreich, Foundations of Cryptography, volume 2 Basic Applications, Chapter 7, Cambridge University Press, 2004.
![Page 36: Secure Multi-Party Computation › ~msheikhalishahi › MPC.pdf · Attack Scenarios •Chosen-Plaintext Attack (CPA): In this attack, the adversary has the ability to obtain the encryption](https://reader031.vdocuments.net/reader031/viewer/2022011904/5f1e08d03c5f195f1b7737da/html5/thumbnails/36.jpg)
Scenario 2: Finding Potential Terrorists
38
MossadMI5 FBI
![Page 37: Secure Multi-Party Computation › ~msheikhalishahi › MPC.pdf · Attack Scenarios •Chosen-Plaintext Attack (CPA): In this attack, the adversary has the ability to obtain the encryption](https://reader031.vdocuments.net/reader031/viewer/2022011904/5f1e08d03c5f195f1b7737da/html5/thumbnails/37.jpg)
Finding Potential Terrorists:
• The problem is actually a set intersection.
3939
![Page 38: Secure Multi-Party Computation › ~msheikhalishahi › MPC.pdf · Attack Scenarios •Chosen-Plaintext Attack (CPA): In this attack, the adversary has the ability to obtain the encryption](https://reader031.vdocuments.net/reader031/viewer/2022011904/5f1e08d03c5f195f1b7737da/html5/thumbnails/38.jpg)
Secure Equality Test Protocol
41
![Page 39: Secure Multi-Party Computation › ~msheikhalishahi › MPC.pdf · Attack Scenarios •Chosen-Plaintext Attack (CPA): In this attack, the adversary has the ability to obtain the encryption](https://reader031.vdocuments.net/reader031/viewer/2022011904/5f1e08d03c5f195f1b7737da/html5/thumbnails/39.jpg)
Secure Set Intersection Protocol
43
![Page 40: Secure Multi-Party Computation › ~msheikhalishahi › MPC.pdf · Attack Scenarios •Chosen-Plaintext Attack (CPA): In this attack, the adversary has the ability to obtain the encryption](https://reader031.vdocuments.net/reader031/viewer/2022011904/5f1e08d03c5f195f1b7737da/html5/thumbnails/40.jpg)
References:
• Michael Freeman, Kobbi Nissim, Benny Pinkas, Efficient Private Matching and SetIntersection, Eurocrypt 2004, pp 1-19.
44
![Page 41: Secure Multi-Party Computation › ~msheikhalishahi › MPC.pdf · Attack Scenarios •Chosen-Plaintext Attack (CPA): In this attack, the adversary has the ability to obtain the encryption](https://reader031.vdocuments.net/reader031/viewer/2022011904/5f1e08d03c5f195f1b7737da/html5/thumbnails/41.jpg)
45
Scneario 3:Face Recognition
![Page 42: Secure Multi-Party Computation › ~msheikhalishahi › MPC.pdf · Attack Scenarios •Chosen-Plaintext Attack (CPA): In this attack, the adversary has the ability to obtain the encryption](https://reader031.vdocuments.net/reader031/viewer/2022011904/5f1e08d03c5f195f1b7737da/html5/thumbnails/42.jpg)
Face Recognition
Database
Alice Bob
Is he a criminal?
Yes, ID/No
Processing
• Z. Erkin, M. Franz, J. Guajardo, S. Katzenbeisser, R. L. Lagendijk and T. Toft, Privacy- Preserving Face Recognition, 9th International Symposium on Privacy Enhancing Technologies, LNCS 5672, pp. 235-253, August 2009.
46
![Page 43: Secure Multi-Party Computation › ~msheikhalishahi › MPC.pdf · Attack Scenarios •Chosen-Plaintext Attack (CPA): In this attack, the adversary has the ability to obtain the encryption](https://reader031.vdocuments.net/reader031/viewer/2022011904/5f1e08d03c5f195f1b7737da/html5/thumbnails/43.jpg)
considering Privacy
Database
Alice Bob
Is he a criminal?
[Yes], [ID]/[No]
Processing
47
![Page 44: Secure Multi-Party Computation › ~msheikhalishahi › MPC.pdf · Attack Scenarios •Chosen-Plaintext Attack (CPA): In this attack, the adversary has the ability to obtain the encryption](https://reader031.vdocuments.net/reader031/viewer/2022011904/5f1e08d03c5f195f1b7737da/html5/thumbnails/44.jpg)
Eigenface Algorithm
48
![Page 45: Secure Multi-Party Computation › ~msheikhalishahi › MPC.pdf · Attack Scenarios •Chosen-Plaintext Attack (CPA): In this attack, the adversary has the ability to obtain the encryption](https://reader031.vdocuments.net/reader031/viewer/2022011904/5f1e08d03c5f195f1b7737da/html5/thumbnails/45.jpg)
Secure Face Recognition
• Setting:• Customer (Alice) has an input image and her encryption key.
• Service Provider (Bob) has an image database of criminals. Bob represents each criminal with a feature vector and has the eigenvectors to produce the feature vector of a new input image.
• Security assumptions:• Alice and Bob are semi-honest.
49
![Page 46: Secure Multi-Party Computation › ~msheikhalishahi › MPC.pdf · Attack Scenarios •Chosen-Plaintext Attack (CPA): In this attack, the adversary has the ability to obtain the encryption](https://reader031.vdocuments.net/reader031/viewer/2022011904/5f1e08d03c5f195f1b7737da/html5/thumbnails/46.jpg)
Projection in the encrypted domain
Input image
Alice Bob(sk) (pk)
Feature vectors in a database
Encrypted pixel values
Apply projection and obtain the feature vector of the input image.
50
![Page 47: Secure Multi-Party Computation › ~msheikhalishahi › MPC.pdf · Attack Scenarios •Chosen-Plaintext Attack (CPA): In this attack, the adversary has the ability to obtain the encryption](https://reader031.vdocuments.net/reader031/viewer/2022011904/5f1e08d03c5f195f1b7737da/html5/thumbnails/47.jpg)
Euclidean Distance
Secure Multiplication
Protocol!
Homomorphism
Alice Bob(sk) (pk)
51
![Page 48: Secure Multi-Party Computation › ~msheikhalishahi › MPC.pdf · Attack Scenarios •Chosen-Plaintext Attack (CPA): In this attack, the adversary has the ability to obtain the encryption](https://reader031.vdocuments.net/reader031/viewer/2022011904/5f1e08d03c5f195f1b7737da/html5/thumbnails/48.jpg)
Secure Multiplication Protocol
Alice Bob
52
![Page 49: Secure Multi-Party Computation › ~msheikhalishahi › MPC.pdf · Attack Scenarios •Chosen-Plaintext Attack (CPA): In this attack, the adversary has the ability to obtain the encryption](https://reader031.vdocuments.net/reader031/viewer/2022011904/5f1e08d03c5f195f1b7737da/html5/thumbnails/49.jpg)
Finding the minimum
Alice Bob(sk) (pk)
Find the minimum squared distance!
But…
53
![Page 50: Secure Multi-Party Computation › ~msheikhalishahi › MPC.pdf · Attack Scenarios •Chosen-Plaintext Attack (CPA): In this attack, the adversary has the ability to obtain the encryption](https://reader031.vdocuments.net/reader031/viewer/2022011904/5f1e08d03c5f195f1b7737da/html5/thumbnails/50.jpg)
Which one has more money?!
A = how much money user1 has
B = how much money user2 has
User 1 if A>B
Equal if A=B
User2 if A<B
Secure Comparison
54
![Page 51: Secure Multi-Party Computation › ~msheikhalishahi › MPC.pdf · Attack Scenarios •Chosen-Plaintext Attack (CPA): In this attack, the adversary has the ability to obtain the encryption](https://reader031.vdocuments.net/reader031/viewer/2022011904/5f1e08d03c5f195f1b7737da/html5/thumbnails/51.jpg)
Finding the Minimum: Comparison
55
10
14 a < b
a > b
a < b0 a > b 1
![Page 52: Secure Multi-Party Computation › ~msheikhalishahi › MPC.pdf · Attack Scenarios •Chosen-Plaintext Attack (CPA): In this attack, the adversary has the ability to obtain the encryption](https://reader031.vdocuments.net/reader031/viewer/2022011904/5f1e08d03c5f195f1b7737da/html5/thumbnails/52.jpg)
Interactive GameAlice Bob
56
![Page 53: Secure Multi-Party Computation › ~msheikhalishahi › MPC.pdf · Attack Scenarios •Chosen-Plaintext Attack (CPA): In this attack, the adversary has the ability to obtain the encryption](https://reader031.vdocuments.net/reader031/viewer/2022011904/5f1e08d03c5f195f1b7737da/html5/thumbnails/53.jpg)
Comparison
57
![Page 54: Secure Multi-Party Computation › ~msheikhalishahi › MPC.pdf · Attack Scenarios •Chosen-Plaintext Attack (CPA): In this attack, the adversary has the ability to obtain the encryption](https://reader031.vdocuments.net/reader031/viewer/2022011904/5f1e08d03c5f195f1b7737da/html5/thumbnails/54.jpg)
Comparison Protocol
• Alice computes the 𝑒 values in the encrypted domain and sends them to Bob after shuffling.
• Bob decrypts 𝑒 values and checks if there is any zero among them: if yes, sends [1], otherwise [0].
• Alice uses the response from Bob for the final step to compute the outcome of the comparison.
58
![Page 55: Secure Multi-Party Computation › ~msheikhalishahi › MPC.pdf · Attack Scenarios •Chosen-Plaintext Attack (CPA): In this attack, the adversary has the ability to obtain the encryption](https://reader031.vdocuments.net/reader031/viewer/2022011904/5f1e08d03c5f195f1b7737da/html5/thumbnails/55.jpg)
Finding the minimum
[8] [7] [2] [10][4] [9] [1] [5]
a>b? 1:0
[1] [0]
[4]
[1] [0]
[2]
[1] [0]
[9]
[0] [1]
[1]
[1] [0]
[2]
[0][1]
[1]
[1][1] [0]
[min]=[b R+ a(1-R)]
59
![Page 56: Secure Multi-Party Computation › ~msheikhalishahi › MPC.pdf · Attack Scenarios •Chosen-Plaintext Attack (CPA): In this attack, the adversary has the ability to obtain the encryption](https://reader031.vdocuments.net/reader031/viewer/2022011904/5f1e08d03c5f195f1b7737da/html5/thumbnails/56.jpg)
References
• Essential reading:
• Z. Erkin, M. Franz, J. Guajardo, S. Katzenbeisser, R. L. Lagendijk and T. Toft, Privacy- Preserving FaceRecognition, 9th International Symposium on Privacy Enhancing Technologies, LNCS 5672, pp. 235-253, August 2009.
• P. Paillier. Public-Key Cryptosystems Based on Composite Degree Residuosity Classes. In J. Stern,editor, Advances in Cryptology — EUROCRYPT ’99, volume 1592 of LNCS, pages 223–238. Springer,May 2-6, 1999.
• Nigel Smart’s book, chapter 1.
• Recommended reading
• Vladimir Kolesnikov, Ahmad-Reza Sadeghi, Thomas Schneider: Improved Garbled Circuit BuildingBlocks and Applications to Auctions and Computing Minima. CANS 2009: 1-20
• Ahmad-Reza Sadeghi, Thomas Schneider, Immo Wehrenberg: Efficient Privacy-Preserving FaceRecognition. IACR Cryptology ePrint Archive 2009: 507 (2009)
60
![Page 57: Secure Multi-Party Computation › ~msheikhalishahi › MPC.pdf · Attack Scenarios •Chosen-Plaintext Attack (CPA): In this attack, the adversary has the ability to obtain the encryption](https://reader031.vdocuments.net/reader031/viewer/2022011904/5f1e08d03c5f195f1b7737da/html5/thumbnails/57.jpg)
Scenario 4: Private Auction
61
![Page 58: Secure Multi-Party Computation › ~msheikhalishahi › MPC.pdf · Attack Scenarios •Chosen-Plaintext Attack (CPA): In this attack, the adversary has the ability to obtain the encryption](https://reader031.vdocuments.net/reader031/viewer/2022011904/5f1e08d03c5f195f1b7737da/html5/thumbnails/58.jpg)
Auction: Finding the maximum
[8] [7] [2] [10][4] [9] [1] [5]
a>b?1:0
[0]
[8]
[1] [0]
[7]
[1] [0]
[10]
[0] [1]
[5]
[1] [0]
[8]
[0][1]
[10]
[10][1] [0]
62
[1]
![Page 59: Secure Multi-Party Computation › ~msheikhalishahi › MPC.pdf · Attack Scenarios •Chosen-Plaintext Attack (CPA): In this attack, the adversary has the ability to obtain the encryption](https://reader031.vdocuments.net/reader031/viewer/2022011904/5f1e08d03c5f195f1b7737da/html5/thumbnails/59.jpg)
Scenario 5: Distributed Data Mining
63
![Page 60: Secure Multi-Party Computation › ~msheikhalishahi › MPC.pdf · Attack Scenarios •Chosen-Plaintext Attack (CPA): In this attack, the adversary has the ability to obtain the encryption](https://reader031.vdocuments.net/reader031/viewer/2022011904/5f1e08d03c5f195f1b7737da/html5/thumbnails/60.jpg)
Data Mining Operations
64
Mining Operations
![Page 61: Secure Multi-Party Computation › ~msheikhalishahi › MPC.pdf · Attack Scenarios •Chosen-Plaintext Attack (CPA): In this attack, the adversary has the ability to obtain the encryption](https://reader031.vdocuments.net/reader031/viewer/2022011904/5f1e08d03c5f195f1b7737da/html5/thumbnails/61.jpg)
Collaborative Analysis
65
![Page 62: Secure Multi-Party Computation › ~msheikhalishahi › MPC.pdf · Attack Scenarios •Chosen-Plaintext Attack (CPA): In this attack, the adversary has the ability to obtain the encryption](https://reader031.vdocuments.net/reader031/viewer/2022011904/5f1e08d03c5f195f1b7737da/html5/thumbnails/62.jpg)
Horizontal Data Distribution:Example: Hospital and Health Center.
6666
![Page 63: Secure Multi-Party Computation › ~msheikhalishahi › MPC.pdf · Attack Scenarios •Chosen-Plaintext Attack (CPA): In this attack, the adversary has the ability to obtain the encryption](https://reader031.vdocuments.net/reader031/viewer/2022011904/5f1e08d03c5f195f1b7737da/html5/thumbnails/63.jpg)
Vertical Data Distribution:Example: Facebook and Google accounts.
67
![Page 64: Secure Multi-Party Computation › ~msheikhalishahi › MPC.pdf · Attack Scenarios •Chosen-Plaintext Attack (CPA): In this attack, the adversary has the ability to obtain the encryption](https://reader031.vdocuments.net/reader031/viewer/2022011904/5f1e08d03c5f195f1b7737da/html5/thumbnails/64.jpg)
Categorical Clustering Tree (CCTree)
68
![Page 65: Secure Multi-Party Computation › ~msheikhalishahi › MPC.pdf · Attack Scenarios •Chosen-Plaintext Attack (CPA): In this attack, the adversary has the ability to obtain the encryption](https://reader031.vdocuments.net/reader031/viewer/2022011904/5f1e08d03c5f195f1b7737da/html5/thumbnails/65.jpg)
CCTree Criteria
Stop Conditions:
1) Number of elements in a node
2) Node purity
Split Attribute
69
CC
Tree
Constru
ction
![Page 66: Secure Multi-Party Computation › ~msheikhalishahi › MPC.pdf · Attack Scenarios •Chosen-Plaintext Attack (CPA): In this attack, the adversary has the ability to obtain the encryption](https://reader031.vdocuments.net/reader031/viewer/2022011904/5f1e08d03c5f195f1b7737da/html5/thumbnails/66.jpg)
Shannon Entropy
70
![Page 67: Secure Multi-Party Computation › ~msheikhalishahi › MPC.pdf · Attack Scenarios •Chosen-Plaintext Attack (CPA): In this attack, the adversary has the ability to obtain the encryption](https://reader031.vdocuments.net/reader031/viewer/2022011904/5f1e08d03c5f195f1b7737da/html5/thumbnails/67.jpg)
71
Secure Sum (1):
Distributed Secure Sum Protocol
![Page 68: Secure Multi-Party Computation › ~msheikhalishahi › MPC.pdf · Attack Scenarios •Chosen-Plaintext Attack (CPA): In this attack, the adversary has the ability to obtain the encryption](https://reader031.vdocuments.net/reader031/viewer/2022011904/5f1e08d03c5f195f1b7737da/html5/thumbnails/68.jpg)
Secure Sum (2):Secret Sharing and HE
• First protocol for data aggregation
• Additive homomorphic encryption
• Secret sharing over mod n
• Interactive
![Page 69: Secure Multi-Party Computation › ~msheikhalishahi › MPC.pdf · Attack Scenarios •Chosen-Plaintext Attack (CPA): In this attack, the adversary has the ability to obtain the encryption](https://reader031.vdocuments.net/reader031/viewer/2022011904/5f1e08d03c5f195f1b7737da/html5/thumbnails/69.jpg)
Alice
Bob
Charles
![Page 70: Secure Multi-Party Computation › ~msheikhalishahi › MPC.pdf · Attack Scenarios •Chosen-Plaintext Attack (CPA): In this attack, the adversary has the ability to obtain the encryption](https://reader031.vdocuments.net/reader031/viewer/2022011904/5f1e08d03c5f195f1b7737da/html5/thumbnails/70.jpg)
Alice
Bob
Charles
mAA
mBB
mCC
![Page 71: Secure Multi-Party Computation › ~msheikhalishahi › MPC.pdf · Attack Scenarios •Chosen-Plaintext Attack (CPA): In this attack, the adversary has the ability to obtain the encryption](https://reader031.vdocuments.net/reader031/viewer/2022011904/5f1e08d03c5f195f1b7737da/html5/thumbnails/71.jpg)
Alice
Bob
Charles
![Page 72: Secure Multi-Party Computation › ~msheikhalishahi › MPC.pdf · Attack Scenarios •Chosen-Plaintext Attack (CPA): In this attack, the adversary has the ability to obtain the encryption](https://reader031.vdocuments.net/reader031/viewer/2022011904/5f1e08d03c5f195f1b7737da/html5/thumbnails/72.jpg)
Alice
Bob
Charles
![Page 73: Secure Multi-Party Computation › ~msheikhalishahi › MPC.pdf · Attack Scenarios •Chosen-Plaintext Attack (CPA): In this attack, the adversary has the ability to obtain the encryption](https://reader031.vdocuments.net/reader031/viewer/2022011904/5f1e08d03c5f195f1b7737da/html5/thumbnails/73.jpg)
Alice
Bob
Charles
mAA + mBA + mCA
mBB + mAB+ mCB
mCC + mAC+ mBC
![Page 74: Secure Multi-Party Computation › ~msheikhalishahi › MPC.pdf · Attack Scenarios •Chosen-Plaintext Attack (CPA): In this attack, the adversary has the ability to obtain the encryption](https://reader031.vdocuments.net/reader031/viewer/2022011904/5f1e08d03c5f195f1b7737da/html5/thumbnails/74.jpg)
Alice
Bob
Charles
![Page 75: Secure Multi-Party Computation › ~msheikhalishahi › MPC.pdf · Attack Scenarios •Chosen-Plaintext Attack (CPA): In this attack, the adversary has the ability to obtain the encryption](https://reader031.vdocuments.net/reader031/viewer/2022011904/5f1e08d03c5f195f1b7737da/html5/thumbnails/75.jpg)
CCTree/ Horizontal/ Multi-Party
Split Attribute (Secure Sum)
Stop Conditions:
1) Number of elements (Secure Sum)
2) Node purity (Secure Entropies Addition)
79
![Page 76: Secure Multi-Party Computation › ~msheikhalishahi › MPC.pdf · Attack Scenarios •Chosen-Plaintext Attack (CPA): In this attack, the adversary has the ability to obtain the encryption](https://reader031.vdocuments.net/reader031/viewer/2022011904/5f1e08d03c5f195f1b7737da/html5/thumbnails/76.jpg)
CCTree/ Vertical/ Multi-Party
Split Attribute (Secure Comparison)
Stop Conditions:
1) Number of elements (Secure Sum)
2) Node purity (Secure Entropies Addition)
80
![Page 77: Secure Multi-Party Computation › ~msheikhalishahi › MPC.pdf · Attack Scenarios •Chosen-Plaintext Attack (CPA): In this attack, the adversary has the ability to obtain the encryption](https://reader031.vdocuments.net/reader031/viewer/2022011904/5f1e08d03c5f195f1b7737da/html5/thumbnails/77.jpg)
References
• Kursawe, K., Danezis, G., Kohlweiss, M.: Privacy-Friendly Aggregation for the Smart-Grid. In:Fischer-Hubner, S., Hopper, N. (eds.) PETS 2011. LNCS, vol. 6794, pp. 175–191. Springer,Heidelberg (2011)
• Garcia, F.D., Jacobs, B.: Privacy-Friendly Energy-Metering via Homomorphic Encryption. In:Cuellar, J., Lopez, J., Barthe, G., Pretschner, A. (eds.) STM 2010. LNCS, vol. 6710, pp. 226–238. Springer, Heidelberg (2011)
• Rashid Sheikh, Beerendra Kumar, Durgesh Kumar Mishra, A distributed k-secure sumprotocol for secure Multi Party Computation, Journal of Computing, vol.2, issue 3, 2010
• Sheikhalishahi, M., Martinelli, F., Privacy Preserving Clustering over Horizontal and VerticalPartitioned Data, ISCC2017, 2017
81