collaborave, privacy‐preserving data aggregaon at scalemfreed/docs/ppda-pet10-slides.pdf ·...

Collabora've,Privacy‐PreservingDataAggrega'onatScale

MichaelJ.Freedman

PrincetonUniversity

Jointworkwith:BennyApplebaum,HaakonRingberg,MaHhewCaesar,andJenniferRexford

Problem:NetworkAnomalyDetec'on

Collabora'veanomalydetec'on

•  SomeaHackslooklikenormaltraffic–  e.g.,SQL‐injec'on,applica'on‐levelDoS[SrivatsaTWEB‘08]

•  IsitaDDoSaHackoraflashcrowd?[JungWWW‘02]

Yahoo!Google

Bing

I’mnotsureaboutBeasty!

I’mnotsureaboutBeasty!

I’mnotsureaboutBeasty!

Collabora'veanomalydetec'on

•  Targets(vic'ms)couldcorrelateaHacks/aHackers[KadIMC’05],[AllmanHotnets‘06],[KannanSRUTI‘06],[MooreINFOC‘03]

Yahoo!Google

Bing

“Foolusonce,shameonyou.FoolusN2mes,shameonus.”

Problem:NetworkAnomalyDetec'on

Solu'on:

• AggregatesuspectIPsfrommanyISPs• FlagthoseIPsthatappear>thresholdτ

Problem:DistributedRanking

Solu'on:

• Collectdomainsta's'csfrommanyusers• Aggregatedatabydomain

Problem:

…

Solu'on:• Aggregate(id,data)frommanysources• Analyzedatagroupedbyid

Butwhataboutprivacy?

WhatinputsaresubmiHed?

WhosubmiHedwhat?

DataAggrega'onProblem

•  Manypar'cipants,eachwith(key,value)observa'on

•  Goal:Aggregateobserva'onsbykey

Key Values

k1 (va,vb)k2 (vi,vj,vk)

…

kn (vx)

AA

A

DataAggrega'onProblem

•  Manypar'cipants,eachwith(key,value)observa'on

•  Goal:Aggregateobserva'onsbykey

Key Values

k1 (va,vb)k2 (vi,vj,vk)

…

kn (vx)

AA

A

F ( F (

F (

))

)

PDA: Onlyreleasethevaluecolumn

CR‐PDA: Pluskeyswhosevaluessa'sfysomefunc

DataAggrega'onProblem

•  Manypar'cipants,eachwith(key,value)observa'on

•  Goal:Aggregateobserva'onsbykey

Key Values

k1 (1,1)k2 (1,1,1)

…

kn (1)

ΣΣ

ΣPDA: Onlyreleasethevaluecolumn

CR‐PDA: Pluskeyswhosevaluessa'sfysomefunc

≥τ?

≥τ?

≥τ?

Goals

•  Keywordprivacy:Nopartylearnsanythingaboutkeys

•  Par'cipantprivacy:NopartylearnswhosubmiHedwhat

•  Efficiency:Scaletomanypar'cipants,eachwithmanyinputs

•  Flexibility:Supportvarietyofcomputa'onsovervalues

•  Lackofcoordina'on:–  Nosynchronyrequired,individualscannotpreventprogress–  Allpar'cipantsneednotbeonlineatsame'me

Poten'alsolu'ons

ApproachKeywordPrivacy

Par5cipantPrivacy Efficiency Flexibility

LackofCoord

GarbledCircuit

Evalua'on

Mul'partySetIntersec'on

Yes Yes VeryPoor Yes No

Yes Yes Poor No NoDecen

tralized

Security Efficiency

•  Weakensecurityassump'ons?

–  Assumehonestbutcuriouspar'cipants?

–  Assumenocollusionamongmaliciouspar'cipants?

•  Inlarge/opensedng,easytooperatemul'plenodes(so‐called“SybilaHack”)

TowardsCentraliza'on?

DB

Par5cipants

Poten'alsolu'ons

ApproachKeywordPrivacy

Par5cipantPrivacy Efficiency Flexibility

LackofCoord

GarbledCircuit

Evalua'on

Mul'partySetIntersec'on

HashingInputs

NetworkAnonymiza'on

Yes Yes VeryPoor Yes No

Yes Yes Poor No No

No No VeryGood Yes Yes

No Yes VeryGood Yes Yes

Decen

tralized

Ce

ntralized

Towardssemi‐centraliza'on

Par5cipants

Proxy DB

Assump5on:ProxyandDBdo

notcollude

Poten'alsolu'ons

ApproachKeywordPrivacy

Par5cipantPrivacy Efficiency Flexibility

LackofCoord

GarbledCircuit

Evalua'on

Mul'partySetIntersec'on

HashingInputs

NetworkAnonymiza'on

ThisWork

Yes Yes VeryPoor Yes No

Yes Yes Poor No No

No No VeryGood Yes Yes

No Yes VeryGood Yes Yes

Yes Yes Good Yes Yes

Decen

tralized

Ce

ntralized

PrivacyGuarantees

•  PrivacyofPDAagainstmaliciousen''esandpar'cipants– Maliciouspar'cipantmaycolludewitheithermaliciousproxyorDB,butnotboth

– Mayviolatecorrectnessinalmostarbitraryways

•  PrivacyofCR‐PDAagainsthonest‐but‐curiousen''esandmaliciouspar'cipants

PDAStrawman#0

Par5cipant Proxy DB

1. Clientsendsinputk

k

PDAStrawman#1

Par5cipant Proxy DB

1. Clientsendsencryptedinputk2. Proxybatchesandretransmits

3. DBdecryptsinput

ds

k # 1.1.1.1 1

2.2.2.2 9

Violateskeywordprivacy

EDB(k) EDB(k)

ds

PDAStrawman#2

Par5cipant Proxy DB

1. Clientsendshashesofk2. Proxybatchesandretransmits

3. DBdecryptsinput

H (k) # H(1.1.1.1) 1

H(2.2.2.2) 9

S5llviolateskeywordprivacy:IPsdrawnfromsmalldomains

EDB(H(k)) EDB(H(k))

PDAStrawman#3

Par5cipant Proxy DB

1. Clientsendskeyedhashesofk–  Keyedhashfunc'on(PRF)–  Keysknownonlybyproxy

Fs (k) # Fs(1.1.1.1) 1

Fs(2.2.2.2) 9

EDB(Fs(k)) EDB(Fs(k))

ButhowdoclientslearnFs(IP))?

Secrets

OurBasicPDAProtocol

Par5cipant Proxy DB

1. Clientsendskeyedhashesofk–  Fs(x)learnedbyclientthroughObliviousPRFprotocol

2.  Proxybatchesandretransmitskeyedhash

3.  DBdecryptsinput

Fs (k) # Fs(1.1.1.1) 1

Fs(2.2.2.2) 9

EDB(Fs(k))OPRF

EDB(Fs(k)) Fs(k)

Secrets

Fs (k) # Fs(1.1.1.1) 1

Fs(2.2.2.2) 9

retransmits

BasicCR‐PDAProtocol

Par5cipant Proxy DB

1.  Clientsendskeyedhashesofk,andencryptedkforrecovery

2.  Proxyretransmitskeyedhash3.  DBdecryptsinput4.  Iden'fyrowstoreleaseandtransmitEPRX(k)toproxy5.  Proxydecryptskandreleases

EDB(Fs(k)) Fs(k)

EDB(EPRX(k))

EPRX(k)

Fs (k) # Enc’d k Fs(1.1.1.1) 1 EPRX(1.1.1.1)

Fs(2.2.2.2) 9 EPRX(2.2.2.2)

Secrets

retransmits

PrivacyProper'es

Par5cipant Proxy DB

•  Anycoali'onofHBCpar'cipants•  HBCcoali'onofproxyandpar'cipants•  HBCdatabase

EDB(Fs(k)) Fs(k)

EDB(EPRX(k))

EPRX(k)

•  Keywordprivacy:Nothinglearnedaboutunreleasedkeys•  Par'cipantprivacy:KeyPar'cipantnotlearned

Secrets

retransmits

PrivacyProper'es

Par5cipant Proxy DB

•  Anycoali'onofHBCpar'cipants•  HBCcoali'onofproxyandpar'cipants•  HBCdatabase

EDB(Fs(k)) Fs(k)

EDB(EPRX(k))

EPRX(k)

•  Keywordprivacy:Nothinglearnedaboutunreleasedkeys•  Par'cipantprivacy:KeyPar'cipantnotlearned

Secrets

maliciouspar'cipants

HBCcoali'onofDBandpar'cipants

retransmits

MoreRobustPDAProtocol

Par5cipant Proxy DB

•  Anycoali'onofHBCpar'cipants•  HBCcoali'onofproxyandpar'cipants•  HBCdatabase

EDB(Fs(k)) Fs(k)

EDB(EPRX(k))

EPRX(k)Secrets

maliciouspar'cipants

HBCcoali'onofDBandpar'cipants

•  ORPFEncryptedOPRFProtocol•  Ciphertextre‐randomiza'onbyproxy•  Proofbypar'cipantthatsubmiHedk’smatch

Encrypted‐OPRFprotocol•  Problem:inbasicOPRFprotocol,par'cipantlearnsFs(k)

•  Encrypted‐OPRFprotocol:–  ClientlearnsblindedFs(k)–  ClientencryptstoDB–  ProxycanunblindFs(k)“undertheencryp'on”

()r‐1Enc()()rFs(k)

(πsi)ki=1ElGamal gmodp

Encrypted‐OPRFprotocol•  Problem:inbasicOPRFprotocol,par'cipantlearnsFs(k)

•  Encrypted‐OPRFprotocol–  ClientlearnsblindedFs(k)–  ClientencryptstoDB–  ProxycanunblindFs(k)“undertheencryp'on”

•  OPRFrunsOTprotocolforeachbitofinputk•  OTprotocolsexpensive,sousebatchOTprotocol[Ishaietal]

()r‐1Enc()()rFs(k)

ScalableProtocolArchitecture

Par'cipantsClient‐Facing

Proxies

Sharesecrets

ProxyDecryp'onOracles

SharePRXkey

Front‐EndDBTier

ShareDBkey

Back‐EndDBStorage

Par''onFskeyspace

Evalua'on•  Scalablearchitectureimplemented

–  BasicCR‐PDA/PDAprotocol+andencrypted‐OPRFprotocolw/BatchOT

–  ~5000linesofthreadedC++,GnuPGforcrypto

•  Testbedof2GHzLinuxmachines

Algorithm Parameter Value

RSA/ElGamal keysize 1024bits

ObliviousTransfer k 80

AES keysize 256bits

Throughputvs.par'cipantbatchsize

SingleCPUcoreforDBandproxyeach

Maximumthroughputperserver

FourCPUcoresforDBandproxy(each)

Throughputscalability

NumberCPUcoresperDBandproxy(each)

Summary•  Privacy‐PreservingDataAggrega'onprotects:

–  Par'cipants:DonotrevealwhosubmiHedwhat–  Keywords:Onlyrevealvalues/releasedkeys

•  Novelcomposi'onofcryptoprimi'ves–  Basedonassump'onthat2+knownpar'esdon’tcollude

•  Efficientimplementa'onofarchitecture–  Scaleslinearlywithcompu'ngresources–  Ex:MillionsofsuspectedIPsinhours

•  Ofindependentinterest…–  IntroducedencryptedOPRFprotocol–  Firstimplementa'on/valida'onofBatchOTprotocol