14 research outputs found

    A Privacy-Preserving Online Targeted Advertising System Using Functional Encryption

    Thesis (M.S.) -- Seoul National University Graduate School, College of Engineering, Department of Computer Science and Engineering, 2023. 2. Taekyoung Kwon. As interest in protecting user privacy has surged, the online advertising industry, a multi-billion market, is facing the same challenge. Currently, online ads are delivered through real-time bidding (RTB) and behavioral targeting of users. This is done by tracking users across websites to infer their interests and preferences, which are then used when selecting ads to present to the user. The user profile sent in the ad request contains data that infringes on user privacy and is delivered to various RTB ecosystem actors, not to mention the data stored by the bidders to increase their performance and profitability. I propose a framework named FAdE to preserve user privacy while enabling behavioral targeting and supporting the current RTB ecosystem by introducing minimal changes in the protocols and data structure. My design leverages the functional encryption (FE) scheme to preserve the user's privacy in behavioral targeted advertising. Specifically, I introduce a trusted third party (TTP) who is the key generator in my FE scheme. The user's profile originally used for behavioral targeting is now encrypted and cannot be decrypted by the participants of the RTB ecosystem. However, the demand-side platforms (DSPs) can submit their functions to the TTP and receive function keys. Such a function derives a metric, a user score, from the user profile that can be used in the DSP's bidding algorithm. Decrypting the encrypted user profile with a function key yields the function's output with the user profile as its input. As a result, the user's privacy is preserved within the RTB ecosystem, while DSPs can still submit their bids through behavioral targeting.
My evaluation showed that when using a user profile bit vector of length 2,000, it took less than 20 ms to decrypt the encrypted user profile and derive the user score metric through the inner-product function. This is much smaller than my criterion of 50 ms, which is based on the typical bidding timeframe (100–1,000 ms) used in the ad industry. Moreover, my result is smaller than the state-of-the-art privacy-preserving proposals using homomorphic encryption or multi-party computation. To demonstrate the potential for real-world deployment, I build a prototype implementation of my design that consists of a publisher's website, an ad exchange (ADX), the DSP, and the TTP.
As interest in protecting users' personal information has surged recently, the online advertising industry, a multi-billion market, faces the same problem. Today's online advertising is characterized by real-time bidding (RTB) and user-targeted advertising. A user's interests and preferences are inferred from their information on websites and then used to bid on and select appropriate ads to show to that user. The user profile sent with the ad request contains data that infringes on the user's personal information, and it is delivered as-is to many participants in the RTB ecosystem. This study proposes FAdE, which protects users' personal information while introducing only minimal changes to existing protocols and data structures, so that targeted advertising remains possible in the current RTB ecosystem. The proposed design provides privacy-preserving targeted advertising by introducing Functional Encryption (FE) and a Trusted Third Party (TTP) acting as its key generator.
In this design, the user profile previously used for targeted advertising is encrypted before being delivered, so other participants in the RTB environment cannot decrypt it. The Demand Side Platform (DSP) uses the encrypted user data (ciphertext) to decide whether to bid on an ad request and at what price. The DSP prepares a function for computing a user score in advance, submits it to the TTP, and obtains a function key. Decrypting the encrypted user data with this function key yields a user score that can serve as a metric in the DSP's internal bidding algorithm and feed into its bidding decision. As a result, the user's personal information is protected within the RTB environment, while the DSP can still take part in targeted-ad bidding based on the user's hidden information. Finally, we analyze the practical applicability of the FAdE design. The user profile is generated as a bit vector of 0s and 1s of length 2,000, a length confirmed to be sufficient. After encrypting this user profile vector with FE, measuring the time taken for the inner-product computation with an arbitrary function corresponding to a weight vector shows that deriving the user score takes less than 20 ms. This is well below the 50 ms criterion this study defined based on the bidding time limit (100-1,000 ms) commonly used in the ad industry. This result has a performance advantage over other privacy-preserving proposals for online advertising that use homomorphic encryption or multi-party computation (MPC).
In addition, to confirm that targeted advertising is actually feasible with the proposed design, we present a prototype implementation consisting of a publisher website, an Ad Exchange (ADX), three DSPs, and a TTP. Through the FAdE proposed in this study, we confirmed that targeted advertising at the same level as before is possible while protecting users' personal information, and that it can be applied with an acceptably small overhead. We expect the results of this study to contribute to protecting user privacy in the real online advertising ecosystem in the future.
Contents:
    Chapter 1 Introduction
    Chapter 2 Background
        2.1 Online Advertising
            2.1.1 RTB Ecosystem
            2.1.2 OpenRTB
        2.2 Functional Encryption
            2.2.1 Overview of FE
            2.2.2 Difference between FE and FHE
            2.2.3 Information Leakage in Functional Encryption
            2.2.4 Inner Product Functional Encryption (IPFE)
    Chapter 3 Design
        3.1 The approach to preserving privacy
            3.1.1 Encrypted user profile using FE
        3.2 Setup phase
            3.2.1 TTP
            3.2.2 User Browser
            3.2.3 DSP
        3.3 Bidding Phase
            3.3.1 Browser (User)
            3.3.2 DSP
    Chapter 4 Evaluation
        4.1 Criteria
            4.1.1 Time
            4.1.2 File size
        4.2 Environment
            4.2.1 Testbed
            4.2.2 FE Library
        4.3 Result
            4.3.1 FAdE design
            4.3.2 Extra test
        4.4 Prototyping
    Chapter 5 Related work
    Chapter 6 Conclusion
    Appendix A
        A.1 Bid Request Sample (OpenRTB 2.5)
        A.2 Functional Encryption Algorithm
    Korean abstract

    Scalable and Robust Distributed Algorithms for Privacy-Preserving Applications

    We live in an era when political and commercial entities are increasingly engaging in sophisticated cyber attacks to damage, disrupt, or censor information content and to conduct mass surveillance. By compiling various patterns from user data over time, untrusted parties could create an intimate picture of sensitive personal information such as political and religious beliefs, health status, and so forth. In this dissertation, we study scalable and robust distributed algorithms that guarantee user privacy when communicating with other parties to either solely exchange information or participate in multi-party computations. We consider scalability and robustness requirements in three privacy-preserving areas: secure multi-party computation (MPC), anonymous broadcast, and blocking-resistant Tor bridge distribution. We propose decentralized algorithms for MPC that, unlike most previous work, scale well with the number of parties and tolerate malicious faults from a large fraction of the parties. Our algorithms do not require any trusted party and are fully load-balanced. Anonymity is an essential tool for achieving privacy; it enables individuals to communicate with each other without being identified as the sender or the receiver of the information being exchanged. We show that our MPC algorithms can be effectively used to design a scalable anonymous broadcast protocol. We do this by developing a multi-party shuffling protocol that can efficiently anonymize a sequence of messages in the presence of many faulty nodes. Our final approach for preserving user privacy in cyberspace is to improve Tor, the most popular anonymity network on the Internet. A current challenge with Tor is that colluding corrupt users inside a censorship territory can completely block users' access to Tor by obtaining information about a large fraction of Tor bridges, a type of relay node used as Tor's primary mechanism for blocking resistance.
We describe a randomized bridge distribution algorithm in which all honest users are guaranteed to connect to Tor in the presence of an adversary corrupting an unknown number of users. Our simulations suggest that, with minimal resource costs, our algorithm can guarantee Tor access for all honest users after a small (logarithmic) number of rounds.

    Advances in cryptographic voting systems

    Thesis (Ph. D.)--Massachusetts Institute of Technology, Dept. of Electrical Engineering and Computer Science, 2006. Includes bibliographical references (p. 241-254). Democracy depends on the proper administration of popular elections. Voters should receive assurance that their intent was correctly captured and that all eligible votes were correctly tallied. The election system as a whole should ensure that voter coercion is unlikely, even when voters are willing to be influenced. These conflicting requirements present a significant challenge: how can voters receive enough assurance to trust the election result, but not so much that they can prove to a potential coercer how they voted? This dissertation explores cryptographic techniques for implementing verifiable, secret-ballot elections. We present the power of cryptographic voting, in particular its ability to achieve both verifiability and ballot secrecy, a combination that cannot be achieved by other means. We review a large portion of the literature on cryptographic voting. We propose three novel technical ideas: 1. a simple and inexpensive paper-based cryptographic voting system with some interesting advantages over existing techniques, 2. a theoretical model of incoercibility for human voters with their inherent limited computational ability, and a new ballot casting system that fits the new definition, and 3. a new theoretical construct for shuffling encrypted votes in full view of public observers. By Ben Adida. Ph.D.

    Forward-Secure Encryption with Fast Forwarding

    Forward-secure encryption (FSE) allows communicating parties to refresh their keys across epochs, in a way that compromising the current secret key leaves all prior encrypted communication secure. We investigate a novel dimension in the design of FSE schemes: fast-forwarding (FF). This refers to the ability of a stale communication party, stuck in an old epoch, to efficiently catch up to the newest state, and it frequently arises in practice. While this dimension was not explicitly considered in prior work, we observe that one can augment prior FSEs -- in both symmetric- and public-key settings -- to support fast-forwarding that is sublinear in the number of epochs. However, the resulting schemes have disadvantages: the symmetric-key scheme is a security parameter slower than any conventional stream cipher, while the public-key scheme inherits the inefficiencies of HIBE-based forward-secure PKE. To address these inefficiencies, we look at the common real-life situation which we call the bulletin board model, where communicating parties rely on some infrastructure -- such as an application provider -- to help them store and deliver ciphertexts to each other. We then define and construct FF-FSE in the bulletin board model, which addresses the above-mentioned disadvantages. In particular:
* Our FF stream cipher in the bulletin-board model has: (a) constant state size; (b) constant normal (no fast-forward) operation; and (c) logarithmic fast-forward cost. This essentially matches the efficiency of non-fast-forwardable stream ciphers, at the cost of constant communication complexity with the bulletin board per update.
* Our public-key FF-FSE avoids HIBE-based techniques by instead using so-called updatable public-key encryption (UPKE), introduced in several recent works (and more efficient than public-key FSEs). Our UPKE-based scheme uses a novel type of update graph that we construct in this work. Our graph has constant in-degree, logarithmic diameter, and a logarithmic cut property which is essential for the efficiency of our schemes. Combined with recent UPKE schemes, we get two FF-FSEs in the bulletin board model, under the DDH and the LWE assumptions.

    An e-Voting Scheme with Improved Resistance to Bribe and Coercion

    Bribery and coercion are common in conventional voting systems and usually lead to a biased result that impairs the desired democracy. However, these problems become more difficult to solve when using e-voting schemes. Up to now, many e-voting schemes have been proposed to provide receipt-freeness and uncoercibility to solve these problems. Unfortunately, none is both secure and practical enough. In this paper, we describe an e-voting scheme that can solve, or at least lessen, the problems of bribery and coercion, and that can be realized with current techniques. By using smart cards to randomize part of the ballot's content, the voter cannot construct a receipt. By using physical voting booths, bribers and coercers cannot monitor the voter while he votes. Unlike conventional voting systems, the voter of the proposed scheme can choose any voting booth that is convenient and safe for him. Furthermore, the performance of the proposed scheme is optimal in that the time and communication complexity for the voter is independent of the number of voting authorities.

    Towards Sustainable Blockchains:Cryptocurrency Treasury and General Decision-making Systems with Provably Secure Delegable Blockchain-based Voting

    Blockchain technology and cryptocurrencies, its most prevalent application, continue to gain acceptance and wide traction in research and practice within academia and industry because of its promise in decentralised and distributed computing. Notably, the meteoric rise in the value and number of cryptocurrencies since the creation of Bitcoin in 2009 has ushered in newer innovations and interventions that addressed some of the prominent issues that affect these platforms. Despite the increased privacy, security, scalability, and energy-saving capabilities of new consensus protocols in newer systems, the development and management of blockchains mostly do not reflect the decentralisation principle, even though blockchains are decentralised and distributed in their architecture. The concept of a treasury has been identified as a tool to address this problem. We explore the idea of blockchain treasury systems within the literature and practice, especially in relation to funding and decision-making power for blockchain development and maintenance. Consequently, we propose a taxonomy for treasury models within cryptocurrencies. Thereafter, we propose an efficient community-controlled and decentralised collaborative decision-making mechanism to support the development and management of blockchains. Our proposed system incentivises participants and is proven secure under the universally composable (UC) framework while also addressing gaps identified in our investigation of prior systems, e.g., non-private ballots and insecure voting. Furthermore, we adapt our system and propose a privacy-preserving general decision-making system for blockchain governance that supports privacy-centric cryptocurrencies. In addition, using a set of metrics, we introduce a consensus analysis mechanism to enhance the utility of the systems' decision-making by evaluating individual choices against collective (system-wide) decisions.
Finally, we provide pilot system implementations with benchmark results confirming the efficiency and practicality of our constructions.

    Extendable Threshold Ring Signatures with Enhanced Anonymity

    Threshold ring signatures are digital signatures that allow t parties to sign a message while hiding their identity in a larger set of n users called a "ring". Recently, Aranha et al. [PKC 2022] introduced the notion of extendable threshold ring signatures (ETRS). ETRS allow one to update, in a non-interactive manner, a threshold ring signature on a certain message so that the updated signature has a greater threshold, and/or an augmented set of potential signers. An application of this primitive is anonymous count-me-in. A first signer creates a ring signature with a sufficiently large ring announcing a proposition in the signed message. After such a cause becomes public, other parties can anonymously decide to support that proposal by producing an updated signature. Crucially, such applications rely on partial signatures being posted on a publicly accessible bulletin board since users may not know/trust each other. In this paper, we first point out that even if anonymous count-me-in was suggested as an application of ETRS, the anonymity notion proposed in the previous work is insufficient in many application scenarios. Indeed, the existing notion guarantees anonymity only against adversaries who just see the last signature, and are not allowed to access the "full evolution" of an ETRS. This is in stark contrast with applications where partial signatures are posted on a public bulletin board. We therefore propose stronger anonymity definitions and construct a new ETRS that satisfies such definitions. Interestingly, while satisfying stronger anonymity properties, our ETRS asymptotically improves on the two ETRS presented in prior work [PKC 2022] in terms of both time complexity and signature size. Our ETRS relies on extendable non-interactive witness-indistinguishable proofs of knowledge (ENIWI PoK), a novel technical tool that we formalize and construct, and that may be of independent interest.
We build our constructions from pairing groups under the SXDH assumption.

    DeepReShape: Redesigning Neural Networks for Efficient Private Inference

    Prior work on Private Inference (PI)--inferences performed directly on encrypted input--has focused on minimizing a network's ReLUs, which have been assumed to dominate PI latency rather than FLOPs. Recent work has shown that FLOPs for PI can no longer be ignored and carry high latency penalties. In this paper, we develop DeepReShape, a network redesign technique that tailors architectures to PI constraints, optimizing for both ReLUs and FLOPs for the first time. The key insight is that a strategic allocation of channels such that the network's ReLUs are aligned in their criticality order simultaneously optimizes ReLU and FLOPs efficiency. DeepReShape automates network development with an efficient process, and we call the generated networks HybReNets. We evaluate DeepReShape using standard PI benchmarks and demonstrate a 2.1% accuracy gain with a 5.2× runtime improvement at iso-ReLU on CIFAR-100 and an 8.7× runtime improvement at iso-accuracy on TinyImageNet. Furthermore, we demystify the input network selection in prior ReLU optimizations and shed light on the key network attributes enabling PI efficiency. Comment: 37 pages, 23 figures, and 17 tables.

    Function Secret Sharing for Mixed-Mode and Fixed-Point Secure Computation

    Boyle et al. (TCC 2019) proposed a new approach for secure computation in the preprocessing model building on function secret sharing (FSS), where a gate g is evaluated using an FSS scheme for the related offset family g_r(x) = g(x + r). They further presented efficient FSS schemes based on any pseudorandom generator (PRG) for the offset families of several useful gates g that arise in "mixed-mode" secure computation. These include gates for zero test, integer comparison, ReLU, and spline functions. The FSS-based approach offers significant savings in online communication and round complexity compared to alternative techniques based on garbled circuits or secret sharing. In this work, we improve and extend the previous results of Boyle et al. by making the following three kinds of contributions:
- Improved Key Size: The preprocessing and storage costs of the FSS-based approach directly depend on the FSS key size. We improve the key size of previous constructions through two steps. First, we obtain roughly a 4x reduction in key size for the Distributed Comparison Function (DCF), i.e., FSS for the family of functions f^<_{a,b}(x) that output b if x < a and 0 otherwise. DCF serves as a central building block in the constructions of Boyle et al. Second, we improve the number of DCF instances required for realizing useful gates g. For example, whereas previous FSS schemes for ReLU and m-piece spline required 2 and 2m DCF instances, respectively, ours require only a single instance of DCF in both cases. This improves the FSS key size by 6-22x for commonly used gates such as ReLU and sigmoid.
- New Gates: We present the first PRG-based FSS schemes for arithmetic and logical shift gates, as well as for bit-decomposition where both the input and outputs are shared over Z_N for N = 2^n. These gates are crucial for many applications related to fixed-point arithmetic and machine learning.
- A Barrier: The above results enable a 2-round PRG-based secure evaluation of "multiply-then-truncate," a central operation in fixed-point arithmetic, by sequentially invoking FSS schemes for multiplication and shift. We identify a barrier to obtaining a 1-round implementation via a single FSS scheme, showing that this would require settling a major open problem in the area of FSS: namely, a PRG-based FSS for the class of bit-conjunction functions.