DESIGN AND IMPLEMENTATION OF EFFICIENT PRIVACY-PRESERVING AND UNBIASED RECONCILIATION PROTOCOLS

by Daniel A. Mayer

A DISSERTATION

Submitted to the Faculty of the Stevens Institute of Technology in partial fulfillment of the requirements for the degree of DOCTOR OF PHILOSOPHY

Daniel A. Mayer, Candidate

ADVISORY COMMITTEE
Susanne Wetzel, Chairman (Date)
Robert Gilman (Date)
Ulrike Meyer (Date)
Antonio Nicolosi (Date)
Wendy (Hui) Wang (Date)

STEVENS INSTITUTE OF TECHNOLOGY
Castle Point on Hudson
Hoboken, NJ 07030
2012

© 2012, Daniel A. Mayer. All rights reserved.

DESIGN AND IMPLEMENTATION OF EFFICIENT PRIVACY-PRESERVING AND UNBIASED RECONCILIATION PROTOCOLS

ABSTRACT
In recent years, our information and communication centric lifestyle gave rise to many novel applications in which the users often have to provide personal information. However, in general there is no transparency on why the data is needed, where and how long it is stored, and how it is shared with outside parties. In addition, when multiple users are involved, typically there is no guarantee that each user’s input is taken into equal consideration. The central idea of the approach taken in this thesis is to enable networked, reconciliation-based applications in such a way that the infringement on the users’ privacy is limited to what is absolutely necessary while guaranteeing unbiasedness at the same time. This thesis makes multiple theoretical and experimental contributions to the field. The theoretical part builds upon secure multi-party computation protocols for Privacy-Preserving Reconciliation of Ordered Sets (PROS) which were proposed previously. The original protocols only provide security guarantees against weak, passive adversaries. In order to allow for applications that require stronger security guarantees such as, e.g., voting, as a first theoretical contribution we propose novel PROS protocols with security against stronger, malicious adversaries. In particular, we introduce and define the novel notion and a protocol for verifiable private equality testing which allows for the execution of an arbitrary number of secure equality tests on immutable sets of input values. Furthermore, the original protocols only operate on ordered sets of integers which limits their scope. As a second theoretical contribution, we introduce privacy-preserving protocols for various interval operations which are geared to enable the construction of PROS protocols that operate on ordered sets of intervals. 
As part of the practical contribution, we developed a C++ library for privacy-preserving operations and protocols which includes implementations of all the protocols discussed in this thesis. In order to allow for a proper experimental assessment of the protocols, we designed and implemented a novel test framework. By leveraging the test framework, we performed rigorous and comprehensive performance evaluations for all proposed protocols and show that they are indeed practical for specific, real-world applications.
Author: Daniel A. Mayer
Advisor: Susanne Wetzel
Date: September 06 2012
Department: Computer Science
Degree: Doctor of Philosophy

To my family
Acknowledgments
My greatest thank you goes to my adviser Susanne Wetzel who always encouraged and supported me in every possible way and from whom I have learned a lot in many respects. I am also very thankful to our collaborators at RWTH Aachen University: Ulrike Meyer, for always providing great insights during our discussions and for hosting me in Aachen during our collaboration, and Georg Neugebauer for making our joint meetings a lot of fun, very motivating, and productive. Furthermore, I would like to thank our research group: Werner Backes who always took the time to think about a problem and helped out wherever he could. Our undergraduate research assistants Ken Bodzak, Frank Buonarota, and Orie Steele who were all a tremendous help in completing some of the projects in this thesis and whom I always had a lot of fun working with. In addition, I had a great time collaborating with Dominik Teubert when he was visiting Stevens. I am deeply grateful to my wife Adina for encouraging me to pursue the PhD degree in Computer Science and for making all of this possible. Mulțumesc foarte mult! Many thanks go to my friends Aatish, Chioun, Chuck, Darakshan, Deepak, Jim, John, Kshitij, Peter, Senia, Sinisa, Stefan, and Steffen for many great experiences, interesting discussions, and for making me feel at home in the US. I am also very thankful to my friends and former colleagues Fabian and Mark for supporting me in my studies in Germany and abroad while having our company COUGA.net together. Last but foremost, I am very indebted to my parents, who always supported me in all my endeavors, for being there at all times, listening, and always having great advice for me. Danke!
Table of Contents

Abstract iii
Dedication v
Acknowledgments vi
List of Tables xv
List of Figures xvi
Notation xxii

1 Introduction 1

2 Privacy Enhancing Techniques 8
2.1 Statistical Methods 9
2.1.1 Privacy-Preserving Data Publishing 10
2.1.2 Differential Privacy 12
2.2 Private Information Retrieval 14
2.3 Search on Encrypted Data 15
2.4 Other Work on Privacy-Enhancing Techniques 16
2.5 Summary and Outlook 16

3 Preliminaries 17
3.1 Basic Definitions 17
3.1.1 Sets 17
3.1.2 Number Theory 18
3.1.3 Intervals 20
3.1.4 Definitions Related to Computational Complexity 20
3.2 Cryptographic Hardness Assumptions and Models 21
3.3 Threshold Secret Sharing 23
3.3.1 Solutions to Threshold Secret Sharing 24
3.3.2 Verifiable Secret Sharing 25
3.4 Encryption Schemes 25
3.4.1 Public vs. Private Key Cryptography 26
3.4.2 Properties of Encryption Schemes 27
3.4.3 Paillier Cryptosystem 33
3.5 Protocols, Adversaries, and Communication Models 35
3.5.1 Protocols 35
3.5.2 Adversary Models 35
3.5.3 Important Security and Communication Models 36
3.6 Secure Multi-Party Computation 37
3.6.1 Defining SMPC Security 38
3.6.2 Other Work on SMPC 42
3.6.3 Selected Feasibility Results on SMPC 43
3.7 Commitment Schemes 44
3.7.1 Prominent Constructions of Commitment Schemes 45
3.7.2 Pedersen Commitment Scheme 45
3.8 Zero-Knowledge Proofs and Arguments 46
3.8.1 Interactive Proofs and Arguments 47
3.8.2 Zero-Knowledge Proofs 47
3.8.3 Zero-Knowledge Signatures of Knowledge 49

4 Fundamental Privacy-Preserving Protocols 51
4.1 Oblivious Transfer 52
4.1.1 1-2-Oblivious Transfer Protocol by Peikert et al. 53
4.1.2 Other Work on Oblivious Transfer 54
4.2 Private Set Intersection 55
4.2.1 Selected Private Set Intersection Protocols 55
4.2.2 Other Work on Private Set Intersection 59
4.3 Private Equality Testing 61
4.3.1 Other Work on the PET Problem 62
4.4 Secure Integer Comparison 62
4.4.1 Selected Protocols for Secure Integer Comparison 63
4.4.2 Other Work on Secure Integer Comparison 71
4.5 Privacy-Preserving Reconciliation of Ordered Sets 72
4.5.1 Privacy-Preserving Reconciliation 73
4.5.2 Preference Order Composition Schemes 73
4.5.3 Implementing PROS Protocols 77
4.5.4 Multi-Party Extension 80
4.5.5 Applications for PROS 81

5 Verifiable Private Equality Test 86
5.1 Setting and Problem Definition 87
5.2 Intuition 90
5.3 Ideal Functionality for VPET 90
5.4 Protocol for VPET 91
5.4.1 Setup 92
5.4.2 Commitment Phase 92
5.4.3 Comparison Phase 92
5.5 Protocol Correctness 93
5.6 Security Proof for VPET 94
5.6.1 Construction of Ideal-World Simulator SIM0 95
5.6.2 Construction of Ideal-World Simulator SIM1 96
5.7 Theoretical Performance Analysis 97
5.7.1 Zero-Knowledge Proofs 97
5.7.2 VPET Protocol 97
5.8 Summary and Conclusion 98

6 PROS with Security in the Malicious Model 99
6.1 Security Models and Their Applicability 100
6.2 Intuition for Our New Protocol 101
6.3 PROS Protocol with Security in the Malicious Model 101
6.4 Security Proof 103
6.5 Theoretical Worst-Case Performance Analysis 103
6.6 Summary and Outlook 104

7 Privacy-Preserving Protocols for Operations on Integer Intervals 105
7.1 Preliminaries 106
7.1.1 Threshold vs. Non-Threshold Cryptosystems 107
7.1.2 Input-Symmetric Q-Strong Conditional Oblivious Transfer 108
7.1.3 IS-LT-SCOT and IS-GT-SCOT 109
7.1.4 Privacy-Preserving Bit Operations 111
7.2 Privacy-Preserving Operations on Two Intervals 116
7.2.1 Relative Positioning of Two Intervals 116
7.2.2 Testing for Interval Overlap 117
7.2.3 Computing the Boundaries of the Overlap Interval 120
7.2.4 Computing the Size of the Interval Overlap 124
7.2.5 Determine If the Size of Interval Overlap is Above a Threshold 125
7.2.6 Compute a Random Sub-Interval Within the Overlap 127
7.3 Summary and Outlook 134

8 A Library for Privacy-Preserving Operations and Protocols 136
8.1 Related Work on SMPC Protocol Implementations 137
8.2 Overall Library Design 140
8.2.1 Programming Language and Framework Considerations 141
8.2.2 Modular Design 141
8.2.3 Common Best Practices 142
8.2.4 Class Hierarchy Illustrations 143
8.3 Basic Data Types 143
8.4 Number Theoretic Operations 146
8.4.1 Random Integers 146
8.4.2 Number Theoretic Algorithms 147
8.5 Networking 147
8.6 Cryptographic Tools 148
8.6.1 Shamir Secret Sharing 149
8.6.2 Cryptographic Hash Functions 149
8.6.3 Zero-Knowledge Signatures of Knowledge 150
8.6.4 Pedersen Commitment Scheme 151
8.6.5 Encryption Schemes 152
8.7 Fundamental Privacy-Preserving Protocols 157
8.7.1 Oblivious Transfer by Peikert et al. 157
8.7.2 Private Set Intersection 158
8.7.3 Private Equality Test 161
8.7.4 Secure Integer Comparison 161
8.8 VPET 166
8.9 PROS 167
8.9.1 Original PROS Protocol by Meyer et al. 167
8.9.2 PET-Modularized PROS Protocols 169
8.10 Interval Operations 173
8.10.1 Preliminary Protocols 173
8.10.2 Interval Protocols 175
8.11 Mobile Device Implementations 181
8.11.1 Network Interface 182
8.11.2 Platform-Dependent Implementations 184
8.12 Summary and Outlook 185

9 CryPPT: A Cryptographic Protocol Performance Testing Framework 187
9.1 Related Techniques 188
9.2 Requirements for a Cryptographic Test Framework 190
9.3 Design of the CryPPT Framework 193
9.3.1 Mapping Modules and Instances 193
9.3.2 Test Configurations 195
9.3.3 Test Cases 196
9.3.4 Code Bases and Test Environments 197
9.3.5 Test Runs 198
9.4 Implementation 198
9.4.1 Backend Database 199
9.4.2 Test Input Generation 199
9.4.3 Test Execution 201
9.4.4 Result Browser 203
9.5 Summary and Outlook 204

10 Performance 206
10.1 Test Environment 207
10.1.1 Test Systems 207
10.1.2 Code and Library Compilation 208
10.1.3 Performance Metrics 208
10.2 Test Cases 209
10.2.1 Parameter Choices 210
10.2.2 Test Input 210
10.2.3 Cryptographic Parameters 211
10.3 Test Results 212
10.4 Network 212
10.5 Cryptographic Tools 215
10.5.1 Hash Functions 215
10.5.2 Zero-Knowledge Signatures of Knowledge 216
10.5.3 Pedersen Commitment Scheme 219
10.5.4 Paillier 220
10.6 Fundamental Privacy-Preserving Protocols 226
10.6.1 Oblivious Transfer by Peikert et al. 227
10.6.2 Private Set Intersection 228
10.6.3 Secure Comparison 230
10.7 Protocols 233
10.7.1 Verifiable Private Equality Test 233
10.7.2 Privacy-Preserving Reconciliation of Ordered Sets 235
10.7.3 Privacy-Preserving Protocols for Operations on Integer Intervals 242
10.8 Practical Usability 249
10.8.1 Relevant Studies On System Response Times 250
10.8.2 Discussion for the PROS Protocols 251
10.9 Summary and Outlook 255

11 Conclusion and Open Questions 257

Appendix A Complete Class Hierarchy 265
Appendix B Test Cases 268
Appendix C PROS Performance for the Minimum of Ranks POCS 270

Bibliography 272
Vita 298
List of Tables

5.1 Modular exponentiations required for computation and verification of ZK signatures of knowledge. 97
7.1 Illustration on how to obtain a uniformly random integer in [1, 7] given two uniformly random integers in [1, 5]. 130
10.1 Categorization of SRTs according to Shneiderman [SCP+09, Shn87, DM11]. 250
10.2 Categorization of SRTs according to Seow [Seo08, DM11]. 250
B.1 Test cases used in the performance evaluations presented in this thesis. 269
List of Figures

2.1 Trade-off between inefficiency, privacy-loss, and inaccuracy [Wri05]. 8
2.2 Linking to re-identify data [Swe02]. 9
4.1 1-2 OT protocol by Peikert et al. [PVW08]. 53
4.2 Freedman's PSI protocol [FNP04]. 56
4.3 De Cristofaro et al.'s PSI protocol [DCT10]. 58
4.4 3-Perfect Binary Tree for m = 8 and l_m = log2(m) = 3. 64
4.5 Secure comparison protocol by Nergiz et al. [NNPC10]. 66
4.6 Secure comparison protocol by Kerschbaum et al. [KT06]. 68
4.7 Variant of Kerschbaum et al.'s SC protocol that provides for shared output. 71
4.8 Illustration of the sum of ranks composition scheme. 74
4.9 Illustration of the minimum of ranks composition scheme. 74
4.10 3PR^SOR_FNP04 protocol [MWI07]. 76
4.11 PROS^SOR_PET protocol [MWI10]. 79
4.12 PROS^MOR_PET protocol [MWI10]. 80
4.13 Generic PROS^C_PET protocol. 80
4.14 Illustration of the scheduling scenario. 81
4.15 Illustration of the Borda count voting scenario. 84
5.1 Ideal functionality F_VPET for VPET. 88
5.2 VPET: commitment phase. 89
5.3 VPET: comparison phase for values with keys k_{σ,j_σ}, k_{σ,j_σ}. 91
6.1 PROS^C_VPET protocol with security in the malicious model. 102
7.1 Protocol for F_IS-LT-SCOT using the F_SC-SO^LT secure comparison functionality. 109
7.2 Privacy-preserving computation of b0 ⊕ b1. 112
7.3 Privacy-preserving computation of b0 ∧ b1. 113
7.4 Privacy-preserving computation of b0 ∨ b1. 113
7.5 Privacy-preserving computation of (b0 ⊕ b1) ∧ (b0' ⊕ b1'). 115
7.6 Possible alignments of two intervals. 116
7.7 Comparisons ι_A < µ_B and ι_B < µ_A as a first step in implementing F_TIO. 117
7.8 First attempt at a protocol for F^κ_OI. 120
7.9 Protocol for computing the overlap interval of two intervals F^κ_OI. 123
7.10 Protocol for computing the size of the overlap interval F^κ_SIO. 124
7.11 Protocol to determine whether the overlap is at least of size w. 126
7.12 A first protocol implementing F^{κ,w}_RSI. 128
7.13 A protocol implementing F^{κ,w}_RSI based on rejection sampling. 131
7.14 A protocol implementing F^{κ,w}_RSI based on OPE. 133
8.1 Simplified logical layers of the library. 140
8.2 Illustration of the class hierarchy diagrams. 143
8.3 Integer interval class hierarchy. 144
8.4 Encrypted integer interval class hierarchy. 144
8.5 Polynomial class hierarchy. 145
8.6 Encrypted polynomial class hierarchy. 145
8.7 Network class hierarchy. 148
8.8 Shamir secret sharing class hierarchy. 149
8.9 Class hierarchy of cryptographic hash functions. 150
8.10 Zero-knowledge signatures of knowledge class hierarchy. 151
8.11 Pedersen commitment scheme class hierarchy. 151
8.12 Class hierarchy of the Paillier cryptosystem. 153
8.13 Class hierarchy for the parallel decryption engines. 154
8.14 Threshold encryption engines class hierarchy. 155
8.15 OT class hierarchy. 157
8.16 PSI and PET class hierarchy. 158
8.17 Integer comparison class hierarchy. 162
8.18 VPET class hierarchy. 166
8.19 Original PROS class hierarchy. 168
8.20 Preference order composition scheme class hierarchy. 169
8.21 PROS^C_PET class hierarchy. 171
8.22 PROS^C_VPET class hierarchy. 172
8.23 IS-Q-SCOT class hierarchy. 173
8.24 Homomorphic bit operations class hierarchy. 174
8.25 F^κ_TIO class hierarchy. 176
8.26 F^κ_OI class hierarchy. 176
8.27 F^κ_SIO class hierarchy. 177
8.28 F^κ_TSIO class hierarchy. 177
8.29 F^κ_RSI class hierarchy. 178
8.30 Screenshot of the iOS app. 183
8.31 Screenshot of the Android app. 183
9.1 Modules of matrix multiplication. 189
9.2 Different instances for the module Integer Multiplication. 190
9.3 Main components of CryPPT. 193
9.4 Illustration of a higher-level protocol and the modules it utilizes. 195
9.5 The structure of the test input for each c_j. 196
9.6 Workflow when creating and executing a test run using CryPPT. 200
9.7 Screenshot of the CryPPT web interface. 202
9.8 Example plot generated using CryPPT. 203
10.1 Network round-trip times for Test Case 1. 213
10.2 Performance of SHA1 and SHA256 using different input sizes according to Test Case 2. 215
10.3 Performance of various hash functions using different input sizes according to Test Case 2. 215
10.4 Performance of ZKDL using different input sizes according to Test Case 3. 216
10.5 Performance of ZKEDL using different input sizes according to Test Case 3. 216
10.6 Performance of ZKREP using different input sizes according to Test Case 3. 218
10.7 Performance of ZKDL using a 2,048-bit prime p and Test Case 3. 218
10.8 Performance of modular exponentiation using 2,048-bit primes p and 224-bit primes q for Test Case 4. 219
10.9 Performance for commitment and verification of the Pedersen commitment schemes according to Test Case 3. 219
10.10 Performance of the Paillier cryptosystem as a function of the key size using 64-bit plaintexts according to Test Case 5. 220
10.11 Performance of the Paillier homomorphic addition as a function of the key size using 64-bit plaintexts according to Test Case 5. 220
10.12 Performance of the Paillier cryptosystem as a function of the plaintext size using 2,048-bit keys according to Test Case 5. 221
10.13 Performance of Paillier homomorphic addition as a function of the plaintext size using 2,048-bit keys according to Test Case 5. 221
10.14 Comparing Paillier encryption for the sequential, NewThread, and WorkerQueue implementations using 64-bit plaintexts according to Test Case 5. 223
10.15 Parallel Paillier speed-up for the WorkerQueue (WQ) and NewThread (NT) implementations using 64-bit plaintexts according to Test Case 5. 223
10.16 Performance of the threshold Paillier cryptosystem as a function of the key size using 64-bit plaintexts according to Test Case 6. 224
10.17 Performance of the threshold Paillier cryptosystem as a function of the plaintext size using 2,048-bit keys according to Test Case 6. 224
10.18 Performance of Peikert's OT protocol using Test Case 8. 226
10.19 User time for Freedman's PSI protocol using the Paillier cryptosystem for Test Case 7. 228
10.20 Real time for Freedman's PSI protocol using the Paillier cryptosystem for Test Case 7. 228
10.21 User time for De Cristofaro et al.'s PSI protocol for Test Case 7. 229
10.22 Real time for De Cristofaro et al.'s PSI protocol for Test Case 7. 229
10.23 Performance of the SC protocol by Nergiz et al. using Freedman's PSI and the Paillier cryptosystem for Test Case 8. 231
10.24 Performance of the SC protocol by Nergiz et al. using De Cristofaro et al.'s PSI for Test Case 8. 231
10.25 Performance of the SC protocol by Kerschbaum et al. for Test Case 9. 232
10.26 Performance of the SC with shared output protocol by Kerschbaum et al. for Test Case 10. 232
10.27 VPET user time for computation (c), verification (v) as a function of the number of commitments for Test Case 11. 234
10.28 VPET user time for party P_σ as a function of the number of comparisons for Test Case 11. 234
10.29 VPET user time for P_σ as a function of the number of comparisons for Test Case 11. 235
10.30 VPET commitment amortization. 235
10.31 Worst-case performance results for PROS^SOR_FNP04-non-cached using the Paillier cryptosystem for Test Case 12. 236
10.32 Worst-case performance results for PROS^SOR_FNP04-cached using the Paillier cryptosystem for Test Case 12. 236
10.33 Worst-case performance results for PROS^SOR_DT10 for Test Case 12. 237
10.34 Worst-case performance results for PROS^MOR_DT10 for Test Case 12. 237
10.35 Average-case performance of PROS^SOR_DT10 for Test Case 13. 239
10.36 Average-case performance of PROS^SOR_DT10 for Test Case 14. 239
10.37 PROS^SOR_VPET worst-case runtime for Test Case 12. 240
10.38 PROS^SOR_VPET average-case runtime for Test Case 14. 240
10.39 User times for IS-Q-SCOT using the threshold Paillier cryptosystem for Kerschbaum's SC-SO protocol and Peikert's OT for Test Case 10. 243
10.40 User times for the homomorphic bit operations for both party P0 and party P1 for Test Case 15. 243
10.41 User time for TIO using homomorphic bit operations based on the Paillier cryptosystem for Test Case 16. 246
10.42 User time for OI using TIO and IS-Q-SCOT for Test Case 16. 246
10.43 User time for SIO using OI and the threshold Paillier cryptosystem for Test Case 16. 247
10.44 User time for TSIO using SIO and Kerschbaum's SC protocol using the threshold Paillier cryptosystem for Test Case 16. 247
10.45 User time for RSI using OI and the threshold Paillier cryptosystem for Test Case 16. 248
C.1 PROS^MOR_FNP04-cached worst-case performance results using the Paillier cryptosystem for Test Case 12. 270
C.2 PROS^MOR_DT10 worst-case performance results for Test Case 12. 270
C.3 PROS^MOR_DT10 average-case performance results for Test Case 13. 270
C.4 PROS^MOR_DT10 average-case performance results for Test Case 14. 270
C.5 PROS^MOR_VPET worst-case performance results for Test Case 12. 271
C.6 PROS^MOR_VPET average-case performance results for Test Case 14. 271
xxii
Notation

In the following, we briefly introduce the notational conventions used throughout this thesis.

Notation            Description

Notations Related to Number Theory
a | b               a divides b.
G = <g>             Group G with generator g.
|G| = ord(G)        Order of the group G.
a^{-1}              For a ∈ G^n, a^{-1} is the multiplicative inverse of a in G.
x ←r G              Choose x uniformly at random from G.
Z_n                 The equivalence class of integers (mod n).
Z*_n                Multiplicative cyclic group of Z_n.
n!                  n factorial, i.e., $\prod_{i=1}^{n} i$.

Notations for Cryptographic Operations
H()                 Random oracle which maps a bitstring of arbitrary length into a (specific) group G, i.e., H : {0, 1}* → G.
+h                  Operator indicating homomorphic addition on ciphertexts.
×h                  Operator indicating the homomorphic multiplication of a ciphertext by a plaintext constant.

Notations for Sets
A ∩ B               Intersection of sets A and B.
A ∪ B               Union of sets A and B.
A × B               Cartesian product of A and B.

Notations for Intervals
[ι, µ]              The closed finite interval bounded by ι and µ.
[µ]                 Shorthand notation for [0, µ].
Io = I1 ∩ I2        The overlap interval of intervals I1 and I2.

Other Notations
a ≟ b

{g^0, g^1, . . . , g^{φ(|G|)}} where φ(x) is Euler's totient function.

Definition 3.15 (Order of a Group G): Let g be a generator of G; then the smallest positive integer k s.t. g^k = e (where e is the identity element) is called the order of G.

Definition 3.16 (Equivalence Relation): Let Γ be a set; then an equivalence relation ∼ on Γ satisfies the following properties:
• ∀a ∈ Γ, a ∼ a (Reflexivity)
• ∀a, b ∈ Γ, if a ∼ b then b ∼ a (Symmetry)
• ∀a, b, c ∈ Γ, if a ∼ b and b ∼ c then a ∼ c (Transitivity)
Definition 3.17 (Equivalence Class): Let Γ be a set; then the equivalence class of a ∈ Γ is defined as the set [a] = {x ∈ Γ | a ∼ x}.

Definition 3.18 (The Ring of Integers (mod n)): For n ∈ Z+, let (mod n) be the equivalence relation of congruence (mod n) defined on Z. Then the ring of equivalence classes of integers (mod n) is defined as Z_n = {[0], [1], . . . , [n − 1]} together with the operations ∗ and +. In the following, we will use {0, 1, . . . , n − 1} as one possible representation for Z_n.

Definition 3.19 (Multiplicative Cyclic Group of Z_n): The multiplicative cyclic group of Z_n is defined as Z*_n = {a ∈ Z_n | ∃ a^{-1} ∈ Z_n}. If n is prime, Z*_n = Z_n \ {0}.
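As an added example (not code from the thesis), the +h and ×h operators from the notation table, and arithmetic in Z_n and Z*_n as just defined, carried out in a textbook Paillier cryptosystem, the scheme the thesis's performance tests use. The primes, plaintexts and the random-unit sampling are constructed toy values for illustration only.

```python
# Added example (not code from the thesis): textbook Paillier showing the
# +h and ×h operators from the notation table. Primes below are constructed
# toy values for illustration; real deployments use >= 1024-bit primes.
from math import gcd
import secrets

def keygen(p, q):
    """Public key (n, g) with g = n + 1; private key (lam, mu)."""
    n = p * q
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)   # λ(n) = lcm(p-1, q-1)
    g = n + 1
    # L(u) = (u - 1) / n for u ≡ 1 (mod n); μ = L(g^λ mod n²)^{-1} mod n
    mu = pow((pow(g, lam, n * n) - 1) // n, -1, n)
    return (n, g), (lam, mu)

def encrypt(pk, m, r=None):
    """c = g^m · r^n mod n², with r drawn uniformly from Z*_n (x ←r Z*_n)."""
    n, g = pk
    if r is None:
        r = secrets.randbelow(n - 1) + 1
        while gcd(r, n) != 1:                      # retry until r is a unit of Z_n
            r = secrets.randbelow(n - 1) + 1
    return (pow(g, m % n, n * n) * pow(r, n, n * n)) % (n * n)

def decrypt(pk, sk, c):
    n, _ = pk
    lam, mu = sk
    return ((pow(c, lam, n * n) - 1) // n * mu) % n

def hom_add(pk, c1, c2):
    """c1 +h c2: the product of ciphertexts encrypts the sum of plaintexts (mod n)."""
    n, _ = pk
    return (c1 * c2) % (n * n)

def hom_scale(pk, c, k):
    """c ×h k: a ciphertext raised to a plaintext constant encrypts k·m (mod n)."""
    n, _ = pk
    return pow(c, k % n, n * n)

def demo():
    """Combine two ciphertexts without the private key; return the decrypted results."""
    pk, sk = keygen(61, 53)                        # constructed toy primes, n = 3233
    c_a, c_b = encrypt(pk, 42), encrypt(pk, 17)
    total = decrypt(pk, sk, hom_add(pk, c_a, c_b))  # 42 + 17 = 59
    scaled = decrypt(pk, sk, hom_scale(pk, c_a, 5))  # 5 · 42 = 210
    return total, scaled
```

Both homomorphic results are computed on ciphertexts alone; note that plaintexts are elements of Z_n, so sums wrap around modulo n.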
3.1.3
Intervals
Definition 3.20 (Closed Finite Interval): Given a, b ∈ Z with a ≤ b, the closed finite interval [a, b] is the set [a, b] = {x ∈ Z | a ≤ x ≤ b}.

Definition 3.21 (Overlap Interval): Let I1 = [a1, b1] and I2 = [a2, b2]; then the overlap interval Io = I1 ∩ I2 is the set I1 ∩ I2 = {x ∈ Z | a1 ≤ x ≤ b1 ∧ a2 ≤ x ≤ b2}, i.e., the set containing all values x which lie in both I1 and I2.
3.1.4
Definitions Related to Computational Complexity
Definition 3.22 (O-Notation): Let g(·) and f(·) be functions; then the O-notation defines an asymptotic upper bound of a set of functions:

$$O(g(\Lambda)) = \{\, f(\Lambda) \mid \exists\, c, \Lambda_0 > 0 \text{ s.t. } 0 \le f(\Lambda) \le c \cdot g(\Lambda) \quad \forall \Lambda \ge \Lambda_0 \,\}$$

Remark 3.2: The O-notation places an upper bound on the complexity of a function as its parameter goes to infinity.

Definition 3.23 (Probabilistic Polynomial Time Algorithm (informal)): A Probabilistic Polynomial Time (PPT) algorithm may use randomness in its computation, and it is guaranteed to run in polynomial time, i.e., in O(n^k) for some constant k.

Remark 3.3: An algorithm is generally assumed to be efficient if it has polynomial complexity with the polynomial being of small degree.

Definition 3.24 (Negligible Function): A function ν : N → R is said to be negligible if for all positive polynomials poly(·) ∃Λ0 ∈ N such that ∀Λ > Λ0 [Gol07]: ν(Λ)