bachelor thesis - presentation

Post on 27-Jan-2017


Comparative Analysis of Binary and Arithmetic Secure Comparison Operations in the Context of Bartering

Benjamin Assadsolimani

benjamin.assadsolimani@rwth-aachen.de

Research group IT-Security, RWTH Aachen University

Matr. Nr.: 318173

01. September 2015

Thesis Overview

Analysis of Binary and Arithmetic Secure Comparison (SC) Operations:

Isolated Analysis

1. Implementation of the SC-Prot.:
• Kerschbaum et al. (int)
• Nergiz et al. (int)
• Garay et al. (bit)

2. Performance analysis

Context Bartering Protocol

1. Implementation of the Bartering Protocol

2. Modification for binary support and security analysis

3. Performance analysis of the Bartering Protocol

4. Analysis of a realistic bartering scenario

Benjamin Assadsolimani 1/43

Outline

Introduction

SC-Prot.
• Kerschbaum et al.
• Nergiz et al.
• Garay et al.
• Performance

Bartering Protocol
• Existing Bartering Protocol
• Support for Binary SC-Protocols
• Performance
• Realistic Scenario

Conclusion

References


Secure Multiparty Computation

Secure Multiparty Computation (SMPC) allows a number of parties the joint computation of a function over their private inputs.

Adversary Models

• Passive adversary (semi-honest model):
  • Follows the protocol specification
  • Attempts to learn private information of the other party from participation

• Active adversary (malicious model):
  • Behaviour may arbitrarily deviate from the protocol specification

Motivation

Thesis Goal

Should arithmetic or binary SC-Protocols be used for the bartering protocol in the semi-honest case and when transferring it to the malicious model?

• Arithmetic SC-Protocols have a more complex structure:
  • semi-honest: allows for more efficient algorithms
  • malicious: more difficult to force a corrupted party to follow the protocol

• Binary SC-Protocols have to iterate through every bit:
  • semi-honest: cannot be as efficient as arithmetic SC-Protocols
  • malicious: much easier to enforce since only bit operations are used


IC-Protocol by Kerschbaum et al.

Idea:

1. Subtract x and y using homomorphic addition

2. Sign of the difference determines whether x < y

3. Blind the difference with hiding factors r1 and r2

Additive Homomorphic Cryptosystem:

• Addition:

$E(m_1) \cdot E(m_2) = E(m_1 + m_2)$

• Scalar Multiplication:

$E(m_1) \cdot \ldots \cdot E(m_1) = E(m_1)^k = E(k \cdot m_1)$

Negative Integer Representation

• Negative numbers are not represented in modular arithmetic

• Cut plaintext space [0, n − 1] in half:
  • pos. integers: lower half
  • neg. integers: upper half

Protocol Execution

Example: x = 22, y = 24, r1 = 8, r2 = 4, n = 64

1. (x − y): 22 − 24 ≡ 62 (mod 64)

2. (x − y) · r1: 62 · 8 ≡ 48 (mod 64)

3. (x − y) · r1 + r2: 48 + 4 = 52

Protocol Properties

Hiding Factors:

• Draw r1 such that there are no wrap-arounds

• Draw r2 < r1 so it does not change the result

Complexity:

• Round complexity: O(1)

• Comp. complexity: O(1)

Security:

• Protocol has a small leak, which occurs with a very small probability

• Has been proven secure in the semi-honest model [Wueller et al., 2015]
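The blinded-difference idea and the two hiding-factor rules, as an added example that is not code from the thesis: a toy Paillier instance carries out the subtraction, the scaling by r1 and the addition of r2 on ciphertexts, and the key holder reads the sign from the upper or lower half of the plaintext space. The primes, the function names and the message flow (key holder encrypts x, the peer blinds with its y) are assumptions made for the illustration.

```python
import math
import secrets

# Toy Paillier key built from constructed small primes (insecure, demo only).
P, Q = 1009, 1013
N = P * Q
N2 = N * N
PHI = (P - 1) * (Q - 1)
PHI_INV = pow(PHI, -1, N)

def enc(m):
    """E(m) = (1 + N)^m * r^N mod N^2 with fresh randomness r."""
    r = secrets.randbelow(N - 1) + 1
    while math.gcd(r, N) != 1:
        r = secrets.randbelow(N - 1) + 1
    return (1 + (m % N) * N) * pow(r, N, N2) % N2

def dec(c):
    return (pow(c, PHI, N2) - 1) // N * PHI_INV % N

def signed(v, n=N):
    """Lower half of [0, n-1] is non-negative, upper half is negative."""
    return v - n if v >= n // 2 else v

def no_wraparound(m, r1, n=N):
    """For x, y in [0, m-1] and r2 < r1, |(x-y)*r1 + r2| < m*r1 must fit one half."""
    return m * r1 < n // 2

def blind_difference(c_x, y, r1, r2):
    """Ciphertext-only computation of E((x - y) * r1 + r2)."""
    c_diff = c_x * pow(enc(y), -1, N2) % N2     # E(x) * E(y)^-1 = E(x - y)
    return pow(c_diff, r1, N2) * enc(r2) % N2   # E(d)^r1 * E(r2) = E(d*r1 + r2)

def less_than(x, y, r1, r2):
    """Key holder encrypts x, peer blinds with (r1, r2), key holder reads the sign."""
    if not 0 <= r2 < r1:
        raise ValueError("need 0 <= r2 < r1")
    return signed(dec(blind_difference(enc(x), y, r1, r2))) < 0

def slide_example():
    """The page's plaintext walk-through: x=22, y=24, r1=8, r2=4, n=64."""
    blinded = ((22 - 24) * 8 + 4) % 64
    return blinded, signed(blinded, 64)
```

Calling less_than(24, 22, 300000, 4) returns True although 24 > 22: the blinded value crosses into the upper half, which is the wrap-around the first hiding-factor rule excludes.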


IC-Protocol by Nergiz et al.

Idea:

• Upper bound m: x, y ≤ m

• Represent integer values [0, m − 1] as a Perfect Binary Tree (PBT)

Figure: 3-Perfect Binary Tree for m = 8, $l_m$ = 3

Input Representation

Covering Set:

• x is represented by a Covering Set (CS):

• CS(x) contains all nodes covering (0, x)

Representer Set:

• y is represented by a Representer Set (R):

• R(y) is the minimal set covering exactly the leaf nodes (0, 0), ..., (0, y)


Covering Set

Tree nodes by level, root first:

(3, 0)
(2, 0) (2, 1)
(1, 0) (1, 1) (1, 2) (1, 3)
(0, 0) (0, 1) (0, 2) (0, 3) (0, 4) (0, 5) (0, 6) (0, 7)

Figure: Covering Set of leaf node (0, 2) = {(0, 2), (1, 1), (2, 0), (3, 0)}

Representer Set

Figure: Representer Set of leaf set {(0, 0), ..., (0, 5)} = {(2, 0), (1, 2)}

Protocol Execution

Figure: Protocol Execution with x = 2, y = 5 and output = 1

Protocol Properties

Complexity:

• Round complexity: O(1)

• Comp. complexity: $O(\log_2(m)) = O(l_m)$
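The Covering Set and Representer Set constructions in plaintext, as an added example that is not code from the thesis. By the two definitions above, CS(x) and R(y) share a node exactly when leaf (0, x) lies among (0, 0), ..., (0, y), that is when x ≤ y; how the parties intersect the sets privately is not shown on the slides and is left out. Function names are assumptions, nodes are (level, index) pairs as in the figures.

```python
def covering_set(x, lm):
    """All nodes on the path from leaf (0, x) up to the root (lm, 0)."""
    return {(level, x >> level) for level in range(lm + 1)}

def representer_set(y, lm):
    """Minimal node set covering exactly the leaves (0, 0), ..., (0, y)."""
    nodes = set()
    start = 0            # first leaf not yet covered
    remaining = y + 1    # number of leaves still to cover
    for level in range(lm, -1, -1):
        size = 1 << level                     # leaves below one node of this level
        if remaining >= size:
            # start is a multiple of size here, so the subtree is aligned
            nodes.add((level, start >> level))
            start += size
            remaining -= size
    return nodes

def compare(x, y, lm):
    """1 if CS(x) and R(y) share a node (x <= y), else 0."""
    common = covering_set(x, lm) & representer_set(y, lm)
    if len(common) > 1:
        raise AssertionError("representer subtrees must be disjoint")
    return 1 if common else 0

def max_set_sizes(lm):
    """Largest |CS| and |R| over all inputs, to compare with the O(l_m) bound."""
    m = 1 << lm
    return (max(len(covering_set(v, lm)) for v in range(m)),
            max(len(representer_set(v, lm)) for v in range(m)))
```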


SC-Protocol by Garay et al.

• Inputs are given as sequences of bits:

$x = x_{l_m-1}, \ldots, x_0$

$y = y_{l_m-1}, \ldots, y_0$

• Compute x > y with the following recursion:

1. $t_0 = 0$

2. $t_{i+1} = (1 - (x_i - y_i)^2)\, t_i + x_i (1 - y_i)$

3. $t_{l_m}$ is the output bit

Example

m = 8 → $l_m$ = 3, x = 5 = 101, y = 3 = 011

Protocol Execution

$x_i$   $y_i$   $t_{i+1}$
0       0       $t_i$
0       1       0
1       0       1
1       1       $t_i$

x = 1 0 1
y = 0 1 1

$t_0 = 0$, $t_1 = 0$, $t_2 = 0$, $t_3 = 1$

Output bit: 1

Complexity

Presented algorithm:

• Round complexity: $O(l_m)$

• Comp. complexity: $O(l_m)$

A variation exists with:

• Round complexity: $O(\log(l_m))$

• Comp. complexity: $O(l_m)$
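The recursion of the presented algorithm run on plain bits, as an added example that is not code from the thesis. It returns the whole sequence t_0, ..., t_lm and counts the products of two secret bits, the steps that addition and scalar multiplication of an additively homomorphic scheme do not provide directly; the second product of each step needs t_i, so the steps run one after another. Function names are assumptions, and the input swap for x < y is the one listed for the bartering modification.

```python
def bits_lsb_first(v, lm):
    """[v_0, ..., v_{lm-1}], least significant bit first."""
    return [(v >> i) & 1 for i in range(lm)]

def garay_trace(x, y, lm):
    """Run the recursion; return ([t_0, ..., t_lm], number of bit-by-bit products)."""
    gates = 0

    def mul(a, b):
        # Product of two secret bits: the only non-linear step of the recursion.
        nonlocal gates
        gates += 1
        return a * b

    t = [0]                                    # t_0 = 0
    for xi, yi in zip(bits_lsb_first(x, lm), bits_lsb_first(y, lm)):
        xy = mul(xi, yi)
        differ = xi + yi - 2 * xy              # (xi - yi)^2, since a bit squared is itself
        # t_{i+1} = (1 - (xi - yi)^2) * t_i + xi * (1 - yi), expanded term by term
        t.append(t[-1] - mul(differ, t[-1]) + xi - xy)
    return t, gates

def garay_greater_than(x, y, lm):
    """Output bit t_lm: 1 if x > y, else 0."""
    return garay_trace(x, y, lm)[0][-1]

def garay_less_than(x, y, lm):
    """x < y obtained by swapping the two inputs."""
    return garay_greater_than(y, x, lm)
```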


Influence Input Size

Figure: runtime (s) over input size (bit) for Kersch. et al., Nergiz et al. and Garay et al.

Influence Input Size

Figure: runtime (s) over input size (bit) for Kersch. et al. and Nergiz et al.

Keysize Influence

SC-Protocol / Keysize   512Bit   1024Bit   2048Bit   4096Bit
Kersch. et al.          0,047s   0,073s    0,293s    2,026s
Nergiz et al.           0,216s   0,989s    7,182s    54,123s
Garay et al.            5,143s   14,652s   >6h       -

Table: Runtimes with 16Bit input size


Secure Two-Party Bartering Protocol

• Two parties want to exchange goods or services

• Privacy preserving: keep the inputs private at all times

• Existence of a potential trade: calculate exchange rates


Bartering Setting

• Publicly known list of commodities C

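• Input of every party:
  • Desired commodity cd at minimum quantity qd
  • Offered commodity co at maximum quantity qo

Figure: example with the commodity list and the inputs of both parties (commodity icons lost in extraction); the surviving quantity values are 3 and 10 for one party and 6 and 2 for the other.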

Protocol Structure

1. Do the desired and offered commodities match?
  • Private Equality Test

2. Do the desired and offered quantities match?
  • 2x Secure Comparison

3. If both match:
  • Calculate exchange rates:
  • 2x Secure Comparison


Support for Binary SC-Protocols

1. qo and qd are given as bit sequences instead of integers

2. Switch x and y to compute x < y instead of x > y

3. Share the encrypted output bit

4. Prove security of the new protocol in the semi-honest model


Runtime commodity matching

Figure: runtime (s) over no. commodities

Influence Input Size

Figure: runtime (s) over input size (bits) for Kersch., Nergiz and Garay, each with trade and no trade

Influence Input Size

Figure: runtime (s) over input size (bits) for Kersch. and Nergiz, each with trade and no trade


Realistic Bartering Scenario

• Bartering is a common practice between small companies for trading otherwise idle resources

• A keysize of 1024 Bit gives sufficient security

• Parties agree on a publicly known list of commodities with 20 entries

• Max. input size $l_m$ is set to 10 Bit (m = 1024)

SC-Protocol      no-trade   trade    avg.
Kersch. et al.   0,53s      1,87s    1,25s
Nergiz et al.    1,58s      5,34s    3,43s
Garay et al.     18,38s     54,65s   35,57s

Table: Runtimes of the Bartering Protocol


Conclusion

Binary SC-Protocols scale worse than Arithmetic SC-Protocols in the semi-honest model regarding:

• Input size

• Comp. complexity (keysize)

• Round complexity (latency)

In the context of a realistic bartering scenario, the performance is still reasonable:

• Binary SC-Protocols suitable for small input parameters

Binary SC-Protocols might perform better in the malicious model in the context of the bartering protocol:

• Arithmetic SC-Protocols might have a lot more overhead for security in the malicious model

Are there any questions?


Implementation Overview

Figure : Impl. using the SMC-MuSe Framework [Neugebauer et al., 2013]


References I

Garay, J., Schoenmakers, B., and Villegas, J. (2007). Practical and Secure Solutions for Integer Comparison. Public Key Cryptography – PKC 2007, 4450:330–342.

Mayer, D., Wetzel, S., Meyer, U., and Stefan, W. (2014). A Secure Two-Party Bartering Protocol Using Privacy-Preserving Interval Operations. pages 57–66.

Mayer, D. a. (2012). Design and Implementation of Efficient Privacy-Preserving and Unbiased Reconciliation Protocols.

Nergiz, A. E., Nergiz, M. E., Pedersen, T., and Clifton, C. (2010). Practical and secure integer comparison and interval check. Proceedings - SocialCom 2010: 2nd IEEE International Conference on Social Computing, PASSAT 2010: 2nd IEEE International Conference on Privacy, Security, Risk and Trust, pages 791–799.

References II

Neugebauer, G., Meyer, U., and Wetzel, S. (2013). SMC-MuSe: A Framework for Secure Multi-Party Computation on MultiSets. 43th GI-LNI Informatik, (December).

Schoenmakers, B. and Tuyls, P. (2006). Efficient binary conversion for Paillier encrypted values. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), 4004 LNCS:522–537.

Wueller, S., Meyer, U., Forg, F., and Wetzel, S. (2015). Privacy-Preserving Conditional Random Selection Extended Version.