Ali Khoshgozaran: Comparing Information Without Leaking It, October 2004.



Us and Them!


Problem Clarification

[Diagram: Ron (Manager 1) with Complainer 1 and Moshe (Manager 2) with Complainer 2, Bob between them; "? = ?" is to be resolved by an information comparing protocol]


What I’ll talk about

• Practical Examples

• Problem Characteristics

• Proposed Solutions

• Analysis of the Solutions

• No Conclusion!

• References


Motivation

• Why I chose to talk about it?
  – My blogger friend, accused of working for a secret service by the hardliners!
  – Are you also in? => Password as id
  – A real life situation: Bob, Moshe and Ron
• Lots of other applications to this:
  – The same person to nominate for a post, invite for dinner or blame for disaster
  – Risk of embarrassment, being a renegade


Even More Applications

• Members of the jury, fear of dissension
• But what other than equality testing?
  – Comparing numerical values
    • Yao’s “Two Millionaires”
    • Who’s the oldest in a group?
    • Selling a car: Bargain in earnest or go home


More on the problem

• Why not use the “20 questions”?
  – Gender, the complainer’s last name’s first letter preceding M
  – A great deal of information exchange


Problem Characteristics

• Resolution: Ok do the values match?

• Leakage: No knowledge other than that

• Privacy: No one else knows anything

• Security: No profit by cheating
  – Denying or lying by simulation -> Now what?

• Simplicity: It’s hard to keep things simple
  – Easy to understand and to implement protocol

• Remoteness: Physical presence needed?


Solutions

1. Josephine

2. Computer Program

3. Special-Purpose Device

4. Random Permutation

5. Random Rotation

6. Permutation Composition

7. Message for Moshe


Solutions (contd.)

8. Airline Reservation

9. Password

10. Cups

11. Deck of Cards

12. Envelopes

13. Digital Envelopes

14. And the winner is…


1: Josephine

• Find a trusted third party

• Ask her to reveal the results only

• How easy to find Josephine?

• How much information to reveal to her?

• Huge work done on “Cryptographic” protocols for function evaluations. Why not use them?


Why Not?

• Are all the assumptions about computational complexity used in those protocols proven?
  – One way functions
  – Factoring
• Blind users vs. system designers
• Even in the best case, how practical?
  – “Quick & dirty solution” no coding at all!


2: Computer Program

• No Josephine needed!

• Both use a computer program which
  – Asks Ron for input (name of complainer: Bob)
  – Clears the screen and asks Moshe
  – Clears the screen and announces the result
  – Erases all input information from its memory

• Prop 2 not satisfied: Trust the programmer

• Co-coding? Co-using? Debugging? Easy?


3: Special Purpose Device

• Electronic Trusted Party implements 2
• (Limited access computing) Device:
• Incapable of
  – Storing information between uses
  – Revealing information other than as intended
• Tamper proof
  – Opening the battery case blanks the memory
  – Opening anything else breaks the seal
• Trust the manufacturer!
• Three modes (i.e. match, rank and vote)


4: Random Permutation

– Random labeling of (limited) candidates
  • Now tell Josephine the numbers (0..19)
  • What if candidate set is so large or not clear?
– Universal Classes of Hash Functions
  • Ron and Moshe will agree on
    – Each candidate’s name n mod 27
    – A prime p larger than each number assigned
    – Random numbers a and b mod 27 (a k ≠ p)
    – $R = a X_R + b \bmod p$ and $M = a X_M + b \bmod p$
    – Josephine compares R and M (seen as random pairs uniformly chosen from $[0, p-1]$ to her in a non-match case)
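The hashing step above as a runnable sketch; this is an added example, not code from the talk or the paper. It assumes names are read as base-27 numbers and that a and b are drawn mod p with a ≠ 0; the modulus `P` and all function names are hypothetical.

```python
import secrets
from itertools import product

P = 2**61 - 1  # assumed modulus: a prime above any 12-letter name read base 27


def name_to_number(name: str) -> int:
    """Assumed encoding: read the name base 27 (a..z = 1..26, anything else = 0)."""
    value = 0
    for ch in name.lower():
        value = value * 27 + (ord(ch) - 96 if "a" <= ch <= "z" else 0)
    return value


def blind(x: int, a: int, b: int, p: int) -> int:
    """The value a party hands to Josephine: a*x + b mod p."""
    return (a * x + b) % p


def compare_via_josephine(name_ron: str, name_moshe: str, p: int = P) -> bool:
    # Ron and Moshe pick the key together; Josephine never learns a or b.
    a = 1 + secrets.randbelow(p - 1)  # a != 0, otherwise every name collides
    b = secrets.randbelow(p)
    r = blind(name_to_number(name_ron), a, b, p)
    m = blind(name_to_number(name_moshe), a, b, p)
    return r == m  # all Josephine announces


def josephine_views(x_r: int, x_m: int, p: int) -> list:
    """Every (R, M) pair Josephine could receive for fixed inputs, one per key."""
    return sorted((blind(x_r, a, b, p), blind(x_m, a, b, p))
                  for a, b in product(range(1, p), range(p)))


if __name__ == "__main__":
    print(compare_via_josephine("bob", "bob"), compare_via_josephine("bob", "alice"))
    # Small p so the whole key space can be listed: two different non-matching
    # inputs give Josephine the same set of views, each exactly once.
    print(josephine_views(2, 5, 7) == josephine_views(1, 3, 7))
```

With p = 7 the key space is small enough to enumerate, which shows why a mismatch tells Josephine nothing about which two candidates were involved.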


5: Random Rotation

[Figure: a wheel numbered 0 to 19, marking Josephine’s random number, Ron’s complainer, Moshe’s complainer and the value Josephine gets]

I. Numbers randomly assigned to candidates by Ron and Moshe

II. Josephine generates a random number (here 3) and tells it to Ron

III. Ron adds it to his candidate’s random number (here 10) and gives the result to Moshe

IV. Moshe then subtracts his candidate’s number (here 8) and tells the result to Josephine

But Josephine knows the difference between the candidate numbers!

She also knows if they found a match!


6: Permutation Composition

• How to keep Josephine on the dark side?
  – 15 executions of the scheme, 14 of which are phony
  – 14 times, they first devise a random string R
  – Then a secret flipped coin will decide whether both should use R or a non match
  – One time they truly give the right values
• A more sophisticated scheme:
  – Ron & Moshe together create a pair of lists for candidates $P = p_1 p_2 \dots p_m$ & $M = m_1 m_2 \dots m_m$ such that
  – Each $p_i$ and $m_i$ is a permutation of {1,2,3,4,5}


Permutation Computation II

• If R = Ron’s and M = Moshe’s complainer
  – The composition $p_1 m_1 p_2 m_2 \dots p_m m_m$ yields the rotation $T = (1\,2\,3\,4\,5)$ if complainers are the same and identity permutation otherwise
• They now generate additional 2m random permutations $w_0, w_1, \dots, w_{2m}$. Ron gives $w_0 p_1 w_1^{-1}$ & Moshe gives $w_1 m_1 w_2^{-1}$ ... then Ron gives $w_2 p_2 w_3^{-1}$ … Josephine does all permutations and gets:
  – $w_0 T w_{2m}^{-1}$ (for a match) or $w_0 w_{2m}^{-1}$ (for a mismatch)
• She sees nothing but uniformly random permutations


7: Message for Moshe

• Ron and Moshe assign a random telephone number to candidates
  – Ron dials the phone corresponding to his complainer (Bob) and leaves a message for Moshe
  – Moshe dials the phone corresponding to his complainer and asks if anyone tried to leave a message for him!
  – What if the called party untruthfully denies??


8: Airline Reservation

• Airlines policy
  – Moshe goes out, Ron calls airline “A” and books a flight in the name of his complainer for day “D” from “F” to “T”
  – Moshe then tries to cancel that particular booking in his complainer’s name!
  – Finally Ron (tries to or) cancels the reservation he, himself made


9: Password

• Ron changes his password to the name of the complainer (Bob)

• Moshe tries to log on as Ron using his complainer’s name as the password
  – Advantages: No new program needed, highly secure and heavily debugged
  – How to block Moshe from trying more than once?
    • Use the passwd command


10: Cups

They obtain n (disposable) cups and label them with candidate names

Ron puts one folded slip saying “yes” and n-1 ones saying “no”

Moshe puts one folded slip saying “yes” and n-1 ones saying “no”

[Figure: two rows of slips, each with one “Yes” and the rest “No”]

The labels are then removed, the cups are shuffled at random


Deck of Cards

• Coincidence between alphabet and cards
  – Separate the reds & blacks: Two decks of 26
  – Shuffle & place each deck face down on table
• For i=1 to 26
  – Ron removes the two top cards without looking at values
  – He puts them face to face, with the red card on top
  – He inverts the pair behind his back if the ith letter is in Bob’s name
• Then Moshe runs exactly the same loop
• They place the cards on an accumulating stack
  – Riffle-shuffle cards, looking for a red facing up


Envelopes

– Suppose the (unlimited) namespace can be coded as binary
– Ron’s complainer bitstream: $x_1 x_2 \dots x_n$
– Moshe’s complainer bitstream: $y_1 y_2 \dots y_n$
– Each selects 2n random numbers $0 \le r \le 2^k - 1$
– Each prepares 2n envelopes, placing them in two rows and putting one of the 2n numbers in each


Envelopes (contd.)

[Figure: Ron’s two rows of envelopes $R^0_1 \dots R^0_n$ and $R^1_1 \dots R^1_n$, and Moshe’s two rows $M^0_1 \dots M^0_n$ and $M^1_1 \dots M^1_n$; the ith column is bit position i]

Sum of the random numbers corresponding to the bit values of their candidate’s name


Envelopes (contd.)

[Figure: Ron’s envelope rows $R^0_1 \dots R^0_n$ and $R^1_1 \dots R^1_n$, shown between Ron and Moshe]

Ron opens them and computes

Moshe does the same computing


Envelopes (contd.)

– If x = y then $S_R = S_M$ with probability 1
– If x ≠ y then $S_R \ne S_M$ with probability $1 - 2^{-k}$
– If x ≠ y then $S_R = S_M$ with probability $2^{-k}$ (false positive)
– None of them can be prevented from cheating during the last part of the algorithm
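The envelope scheme from the slides above, simulated as an added example (not from the talk or the paper's authors). It assumes each party's final value is the sum mod 2^k of the numbers found at its own bit positions in both parties' rows; the byte encoding of names and all function names are hypothetical.

```python
import secrets
from itertools import product


def to_bits(name: str, n_bytes: int = 8) -> list:
    """Assumed encoding: the name's bytes, zero-padded or cut to n_bytes."""
    raw = name.encode().ljust(n_bytes, b"\0")[:n_bytes]
    return [(byte >> s) & 1 for byte in raw for s in range(8)]


def fill_envelopes(n: int, k: int) -> list:
    """Two rows (bit value 0, bit value 1) of n sealed numbers in [0, 2^k - 1]."""
    return [[secrets.randbelow(1 << k) for _ in range(n)] for _ in (0, 1)]


def open_selected(envelopes: list, bits: list, k: int) -> int:
    """Open, in column i, only the envelope in row bits[i]; add them mod 2^k."""
    return sum(envelopes[b][i] for i, b in enumerate(bits)) % (1 << k)


def sums(x, y, ron_env, moshe_env, k):
    """S_R uses Ron's bits x on both parties' rows, S_M uses Moshe's bits y."""
    s_r = (open_selected(ron_env, x, k) + open_selected(moshe_env, x, k)) % (1 << k)
    s_m = (open_selected(ron_env, y, k) + open_selected(moshe_env, y, k)) % (1 << k)
    return s_r, s_m


def same_complainer(name_ron: str, name_moshe: str, k: int = 64) -> bool:
    x, y = to_bits(name_ron), to_bits(name_moshe)
    s_r, s_m = sums(x, y, fill_envelopes(len(x), k), fill_envelopes(len(y), k), k)
    return s_r == s_m


def false_positive_rate(k: int) -> float:
    """Exact rate for one differing bit (x=0, y=1), over every possible filling."""
    size, hits = 1 << k, 0
    for r0, r1, m0, m1 in product(range(size), repeat=4):
        s_r, s_m = sums([0], [1], [[r0], [r1]], [[m0], [m1]], k)
        hits += s_r == s_m
    return hits / size**4
```

Enumerating every filling for small k reproduces the 2^-k false-positive probability stated on the slide.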


Digital Envelopes

– The digital version of the previous scheme
– A mechanism to allow Moshe to choose to receive ONE of $R^0$ or $R^1$ sent by Ron, getting NO knowledge about the other value
– For each $1 \le i \le n$ Ron sends $R^0_i, R^1_i$ from which Moshe chooses to get $R^{y(i)}_i$ while doing the same thing for Ron
– Finally they have values $S_R$ and $S_M$


And the Winner Is:

– Remember that was a real problem for the authors. Which solution do you think they used?
– First author explains the “Bob’s” story to his family at dinner
– His then-13-year-old son suggests asking Bob
– Works if Ron knew Bob wouldn’t mind being asked.
– To your surprise: Bob forgot if he’d complained to Moshe! So he went and asked!


Analysis

– Resolution flaws:
  • The last two ones and the deck of cards (anagram)
– Leakage flaws:
  • What each sees as the result of the protocol is independent of the other party’s complainer value
    – Even in digital envelopes assumptions seem to work
– Privacy
  • Permutation computation shows nothing to Josephine


Analysis (contd.)

– Security flaws:
  • All suffer from collusion between one & Josephine
  • Trying several candidates is possible in
    – Message for Moshe, Airline Reservation and Password
    – Fake “computer program” & phony “Special purpose device”
  • The walk away problem: reveals a cheater (always?)
– Simplicity:
  • Out of hand in: Permutation Composition, Envelopes
  • Simplest: Cups, Airline Reservation & Deck of Cards


Analysis (contd.)

– Remoteness:
  • All using Josephine enjoy this
  • Airline Reservation and Password will also do
  • “If all Ron and Moshe do is exchange messages between them, then Chor and Kushilevitz [7] show that cryptography is necessary, and Kilian [14] shows that the use of oblivious transfer is necessary”
  • Perhaps then one can use the Digital Envelopes


References

• Fagin, R., Naor, M., and Winkler, P. Comparing information without leaking it. Communications of the ACM, v.39 n.5, p.77-85, May 1996
• Even, S., Goldreich, O., and Lempel, A. A randomized protocol for signing contracts. Commun. ACM 28 (1985), 637–647
• Barrington, D.A. Bounded-width polynomial-sized branching programs recognize exactly those languages in NC1. J. Computer Syst. Sci. 38 (1988), 150–164
• Brassard, G., Crépeau, C., and Robert, J.-M. All-or-Nothing Disclosure of Secrets. Advances in Cryptology, Crypto ’86, Lecture Notes in Computer Science, Vol. 263, Springer-Verlag, New York, 1987, pp. 234–238
• Chor, B., and Kushilevitz, E. A zero-one law for Boolean privacy. SIAM J. Discr. Math. 4 (1991), 36–47
• Feige, U., Kilian, J., and Naor, M. On minimal models for secure computation. In Proceedings of the 26th ACM Symposium on Theory of Computing (Montréal, 1994), pp. 554–563