Cryptographic Algorithms for Privacy in an Age of Ubiquitous Recording

Presentation on theme: "Cryptographic Algorithms for Privacy in an Age of Ubiquitous Recording"— Presentation transcript:

1 Cryptographic Algorithms for Privacy in an Age of Ubiquitous Recording
Brent R. Waters
Advisor: Ed Felten
July, 2004

2 Cryptographic Protocols for Memex
Ubiquitous Recording
- Imagine a world where everything is recorded
- With increases in storage technology and other factors, Ubiquitous Recording is becoming close to a reality
- Privacy concerns become very significant
Brent Waters Cryptographic Protocols for Memex

3 Cryptographic Protocols for Memex
Privacy Problems
- How do we encrypt information for someone who does not carry around any special devices?
- How can someone receive messages anonymously?
- How can we provide the functionality of keyword search while maintaining data confidentiality?

4 Cryptographic Protocols for Memex
Contributions
Three Cryptographic Protocols
- Fuzzy Identity Based Encryption: encryption using biometrics
- Receiver Anonymity via Incomparable Public Keys (CCS '03)
- Keyword Search on Asymmetrically Encrypted Data (NDSS '04)

5 Fuzzy Identity Based Encryption
Current Research with Amit Sahai

6 Cryptographic Protocols for Memex
A Medical Appointment
- Record visit, test results, etc.
- Encryption
- No portable device requirement (can't carry an RSA public key)

7 Use Identity Based Encryption (IBE)
- My key is "Aaron Smith"
- Public Key is an identifier string
- Use global public parameters
- Master secret holder(s) can give out private keys to an individual who authenticates themselves
- Boneh and Franklin '01

8 Problems with Standard IBE
- What should the identities be?
  - Names are not unique
  - Don't necessarily want to tie to SS#, Driver's License...
- First time users
  - Don't have identities yet
- Certifying oneself to an authority can be troublesome
  - Need documentation, etc.

9 Biometric as an Identity
[figure: a biometric sample]
- Biometric stays with the human
- Should be unique (depends on quality of the biometric)
- Have identity before registration
- Certification is natural

10 Biometric as an Identity
[figure: three slightly different readings of the same biometric]
- Biometric measure changes a little each time
  - Environment
  - Difference in sensors
  - Small change in trait
- Cannot use a biometric as an identity in current IBE schemes

11 Fuzzy Identity Based Encryption
A secret key for ID can decrypt a ciphertext encrypted with ID' iff Hamming Distance(ID,ID') ≤ d
[figure: message M encrypted with ID', decrypted with the private key for ID]

13 Designing a Fuzzy IBE Scheme
- n bit identifiers
- d Hamming distance
- Two techniques
  - Shamir secret sharing using polynomials
  - Bilinear maps

14 Cryptographic Protocols for Memex
Secret Sharing
- Pick a random degree n-1 polynomial q
- Secret is q(x')
- Need n points to interpolate to the secret; with fewer, learn nothing
[figure: the polynomial q with the secret at x']

15 Cryptographic Protocols for Memex
Bilinear Maps

16 Cryptographic Protocols for Memex
Setup
- Distinct values in Zp
- Random members of

17 Cryptographic Protocols for Memex
Key Generation
- Pick a random degree n-(d+1) polynomial q(x) such that q(x')=y'
- ID=< …0 >
- Points depend on the identity of the private key

18 Cryptographic Protocols for Memex
Encryption
- Pick random r and encrypt message M as C = M·h^(r·y')
- ID'=< …0 >
- Raise the public points that match the encryption key to r

19 Cryptographic Protocols for Memex
Decryption
- Suppose we have the secret key for ID, a ciphertext encrypted with ID', and Hamming Distance(ID,ID') ≤ d
- Apply the bilinear map at n-d points where ID and ID' agree
- ID= < …0 >
- ID'= < …0 >

20 Cryptographic Protocols for Memex
Decryption
- Have n-d points of the polynomial r·q(x) (in the exponent)
- Can interpolate to get h^(r·q(x')) = h^(r·y')
- Ciphertext is C = M·h^(r·y')
- Divide out to get M

21 Cryptographic Protocols for Memex
Security
- Proof for the "Selective ID" model
  - Attacker cannot attack a ciphertext encrypted with any pre-specified ID
- Reduce to distinguishing between the tuples (g^a, g^b, g^c, h^(bc/a)) and (g^a, g^b, g^c, h^z)

22 Cryptographic Protocols for Memex
Practicality?
- Expect ~50 bits in some biometrics, e.g. a voice sample
- Approximately 80ms for a bilinear map computation
- Around 4s for decryption

23 Cryptographic Protocols for Memex
Related Work
- Identity Based Encryption: Boneh and Franklin (2001); Canetti, Halevi, and Katz (2003)
- Encryption with Biometrics: Monrose, Reiter, et al. (2002)
- Fuzzy Schemes: Davida, et al. (1998); Juels and Wattenberg (1999)


25 Receiver Anonymity via Incomparable Public Keys
Work with Ed Felten and Amit Sahai CCS ‘03

26 An Anonymous Encounter
[figure: two people meet and want to "Communicate later"; requirements: Encryption, Anonymity]

27 Cryptographic Protocols for Memex
Receiver Anonymity
Alice can give Bob information that he can use to send messages to Alice, while keeping her true identity secret from Bob.
[figure: Alice gives Bob an Anonymous ID: "Where are good Hang Gliding spots?" Send to: alt.anonymous.messages. Bob posts to the bulletin board alt.anonymous.messages, which Alice reads]

28 Cryptographic Protocols for Memex
Receiver Anonymity
- Anonymous Identity
  - Information allowing a sender to send messages to an anonymous receiver
  - May contain routing and encryption information
- Requirements
  - Receiver is anonymous even to the sender
  - Anonymous Identity can be used several times
  - Communication is secret (encrypted)
  - Messages are received efficiently

29 Cryptographic Protocols for Memex
A Common Method
Alice anonymously receives encrypted messages from both Bob and Charlie by reading a newsgroup.
[figure: Bob holds Anonymous ID 1 ("Where are good Hang Gliding spots?" Send to: alt.anonymous.messages, Encrypt with: a45cd79e) and Charlie holds Anonymous ID 2 ("What Biology conferences are interesting?" Send to: alt.anonymous.messages, Encrypt with: a45cd79e); both post to the bulletin board alt.anonymous.messages, which Alice reads]

30 Encryption Key is Part of the Identity
Bob and Charlie collude and discover that they are encrypting with the same public key and thus are sending messages to the same person.
[figure: as on the previous slide; both Anonymous IDs say "Encrypt with: a45cd79e"]

31 Encryption Key is Part of the Identity
Bob and Charlie then aggregate what they each know about the Anonymous Receiver and are able to compromise her anonymity.
[figure: as on the previous slide; Hang Gliding + Biology => Alice]

32 Independent Public Key per Sender
Alice creates a separate public/private key pair for each sender. Upon receiving a message on the newsgroup, Alice tries all her private keys until one matches or she has tried them all.
[figure: Bob encrypts with a45cd79e and Charlie with 207c5edb; as senders are added, Alice's list of keys to try grows: 48b33c03, ae668f53, 207defb1, b593f399, 43bca289, 86cf1943, 56734ba, b9034d40, 40b2f68c, 075ca5ef, 2fce8473, 04d2a93c, 398bac49, e3c8f522, 46cce276, 70f4ba54, ...]

34 Incomparable Public Keys
- Receiver generates a single secret key
- Receiver generates several Incomparable Public Keys (one for each Anonymous Identity)
- Receiver uses the secret key to decrypt any message encrypted with any of the public keys
- Holders of Incomparable Public Keys cannot tell if any two keys are related (correspond to the same private key)

35 Efficiency of Incomparable Public Keys
Alice creates one secret key and distributes a different Incomparable Public Key to each sender.
[figure: Bob encrypts with a45cd79e, Charlie with 207c5edb, and other senders with their own keys; Alice needs only her single secret key]

36 Construction of Incomparable Public Keys
- Based on ElGamal encryption
- All users share a global (strong) prime p
- Operations are performed in the group of Quadratic Residues of Zp
- Secret Key Generation: choose an ElGamal secret key a
- Generate a new Incomparable Public Key:
  - Pick a random generator, g, of the group
  - Public key is (g, g^a)

37-41 Cryptographic Protocols for Memex
Security Intuition
- Cannot distinguish equivalent keys (g, g^a), (h, h^a) from non-equivalent ones (g, g^a), (h, h^b)
  - Assuming Decisional Diffie-Hellman is hard
- However, this is not enough if the receiver might respond to a message
  - Bob holds (g, g^a) and Charlie holds (h, h^a)
  - Pair-wise multiply to get (gh, (gh)^a)
  - Alice can decrypt messages encrypted with this new key

42 Cryptographic Protocols for Memex
Models of Receivers
- Passive Receiver Model
  - Receiver gathers and decrypts messages, but gives the sender no indication of whether decryption was successful
  - Receiver cannot ask for retransmission if an expected message is not received
  - Might be realistic in a few cases
- Active Receiver Model
  - Receiver decrypts messages and can interact with the sender

43 Solution to Active Receiver Model
- Record keys that were validly created
- The ciphertext will contain a "proof" about which key was used for encryption
- The private key holder can alternatively distribute each Incomparable Public Key with its MAC
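The construction from slide 36 and the "record the keys that were validly created" defense from slide 43, as an added example in Python (not the GnuPG extension the talk describes). One ElGamal secret a is shared by every public key; each new key is (g, g^a) for a fresh random generator g of the quadratic-residue subgroup of Z_p*, p a safe prime. The ciphertext names the public key it was made with, which stands in for the slide's "proof" of which key was used; the receiver answers only under keys it has on record, so the pair-wise product (gh, (gh)^a) that slide 41 shows would otherwise decrypt is refused. The prime size, the Miller-Rabin search for p, the way the key is attached to the ciphertext and the sample message are this example's own choices.

```python
import secrets


def is_probable_prime(n, rounds=16):
    """Miller-Rabin primality test with random bases."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23):
        if n % small == 0:
            return n == small
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def safe_prime(bits):
    """The shared 'strong' prime p = 2q + 1 with q prime (toy size chosen here)."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1


def qr_generator(p):
    """Random generator of the quadratic-residue subgroup: it has prime order q,
    so any non-identity square generates it."""
    while True:
        g = pow(secrets.randbelow(p - 3) + 2, 2, p)
        if g != 1:
            return g


class Receiver:
    """Alice: one ElGamal secret, arbitrarily many incomparable public keys."""

    def __init__(self, p):
        self.p, self.q = p, (p - 1) // 2
        self.a = secrets.randbelow(self.q - 1) + 1   # the single secret key a
        self.issued = set()                          # keys that were validly created

    def new_public_key(self):
        g = qr_generator(self.p)                     # fresh random generator per key
        pk = (g, pow(g, self.a, self.p))
        self.issued.add(pk)
        return pk

    def raw_decrypt(self, ct):
        """Plain ElGamal decryption: two exponentiations (c1^a and its inverse)."""
        _, c1, c2 = ct
        return c2 * pow(pow(c1, self.a, self.p), self.p - 2, self.p) % self.p

    def decrypt(self, ct):
        """Active-receiver defense: answer only under a key on record."""
        return self.raw_decrypt(ct) if ct[0] in self.issued else None


def encrypt(p, pk, m):
    """ElGamal under (g, g^a); the ciphertext names the key it was made with."""
    g, ga = pk
    k = secrets.randbelow((p - 1) // 2 - 1) + 1
    return (pk, pow(g, k, p), m * pow(ga, k, p) % p)


def combined_key(p, pk1, pk2):
    """Pair-wise product of two keys, as on slide 41: (gh, (gh)^a) when they share a."""
    return (pk1[0] * pk2[0] % p, pk1[1] * pk2[1] % p)


def demo():
    p = safe_prime(48)
    alice = Receiver(p)
    for_bob, for_charlie = alice.new_public_key(), alice.new_public_key()
    m = pow(42, 2, p)                                    # a message inside the QR group
    ok_bob = alice.decrypt(encrypt(p, for_bob, m)) == m
    ok_charlie = alice.decrypt(encrypt(p, for_charlie, m)) == m
    forged = combined_key(p, for_bob, for_charlie)       # never issued by Alice
    linkable = alice.raw_decrypt(encrypt(p, forged, m)) == m   # what slide 41 warns about
    rejected = alice.decrypt(encrypt(p, forged, m)) is None    # what the record prevents
    return ok_bob, ok_charlie, linkable, rejected
```

`demo()` shows both halves of the slides' argument: the one secret decrypts under either issued key, the product key would also decrypt if Alice answered blindly (which is exactly the signal a responding receiver would leak), and the record of issued keys turns that response into a refusal.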

44 Cryptographic Protocols for Memex
Efficiency
- Efficiency is comparable to standard ElGamal
- One exponentiation for encryption
- Two exponentiations for decryption and verification of a message

45 Cryptographic Protocols for Memex
Implementation
- Implemented Incomparable Public Keys by extending GnuPG (PGP) 1.2.0
- Available at

46 Cryptographic Protocols for Memex
Related Work
- Bellare et al. (2001)
  - Introduce the notion of Key-Privacy
  - If Key-Privacy is maintained, an adversary cannot match ciphertexts with the public keys used to create them
  - The authors do not consider anonymity from senders
- Pfitzmann and Waidner (1986)
  - Use of a multicast address for receiver anonymity
  - Discuss implicit vs. explicit "marks"

47 Cryptographic Protocols for Memex
Related Work (cont.)
- Chaum (1981)
  - Mix-nets for sender anonymity
  - Reply addresses usable only once
- Other work follows this line


49 Keyword Search on Asymmetrically Encrypted Data
Work with Dirk Balfanz, Glenn Durfee, and Dianna Smetters NDSS ‘04

50 A Conference Room Example
[figure: a recording device in a conference room produces a record with Keywords: Alice Smith, Faculty, ZebraNet; it is stored in the facilities record storage (untrusted)]

51 Desirable Characteristics
- Data Access Control
  - Entries may be sensitive to individuals or the log owner
- Searchability
  - Search for log entries on specific criteria, e.g. keyword search
- Tension between the two goals

52 Cryptographic Protocols for Memex
Requirements
- Data Access Control
  - Entries must be encrypted on untrusted storage
  - Forward security in case the auditing device becomes compromised → asymmetric encryption
  - Limit the scope of data released to that of the search
- Searchability
  - Be able to efficiently retrieve entries based on certain criteria
  - We focus on keyword search

53 Delegating Search Capabilities
1. The investigator requests from the Escrow Agent (holder of the master secret) a capability to search for all records that match the keyword "ZebraNet".
2. The investigator submits the capability for search to the audit log and receives only the entries that the capability matches.

54-62 Search on Asymmetrically Encrypted Data
[figure sequence: a Recording Device produces a Record with Keywords ZebraNet, Funding, Alice Smith and stores it as Encrypted Data; the Escrow Agent holds the master secret]
- Keywords must not be in the clear!
- The Escrow Agent issues a "PlanetLab" Search Capability; run against the Encrypted Data, no information is learned
- The Escrow Agent issues a "ZebraNet" Search Capability; decryption is embedded in the search, so the matching Record (Keywords ZebraNet, Funding, Alice Smith) is returned

63-77 Using IBE to Search on Asymmetrically Encrypted Data
[figure sequence: the Recording Device encrypts the Record under a fresh key K, then for each keyword ("ZebraNet", "Funding", "Alice Smith") IBE-encrypts FLAG | K with the keyword as the identity]
- FLAG is used to test; K is used to decrypt on a match
- Key-privacy property → keywords kept private
- "Pairing" operation per keyword
Search with the ZebraNet Search Capability:
- Attempt IBE decryption on each part; a non-matching part yields random-looking bits (011010…)
- Test for the presence of FLAG
- On a match, use K to decrypt the document
- Pairing per keyword in the document

78 Cryptographic Protocols for Memex
Performance
- Encryption
  - One pairing per keyword in the document
  - One exponentiation per keyword
- Search/Decryption
  - One pairing per keyword per document

79-80 Cryptographic Protocols for Memex
Optimizations
- Cache pairings of frequently used keywords, e.g. ê("ZebraNet", sP)
  - Only need a pairing per new keyword on encryption
  - In the limit, the exponentiation per keyword is the dominant cost
- Reuse randomness for IBE encryption within one document
  - Okay since the same public key (keyword) is not used twice within one document
  - In decryption, only one pairing per document
  - Saves storage in the log
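The tag-and-test flow of slides 63 through 77 together with both optimizations on slides 79 and 80, as an added example in Python (not the NDSS '04 implementation). The Boneh-Franklin IBE step is replaced by a toy: identities H1(keyword) are integers mod P and the "pairing" ê(x, y) is x·y mod P, so the example runs offline but offers no secrecy (discrete logs are trivial in this group); what it does show faithfully is the structure: one FLAG | K tag per keyword, a per-keyword cache of ê(H1(w), sP), one random r per document so that the searcher does a single pairing ê(d_w, rP) per log entry and then tests every tag for FLAG, and decryption of the record with K only on a match. The hash functions, the FLAG value, the XOR stream cipher standing in for symmetric encryption and the sample records are this example's own constructions.

```python
import hashlib
import os
import secrets

P = 2**61 - 1          # toy "group": integers mod P, pairing = multiplication mod P
FLAG = b"\x00" * 8     # constant the searcher looks for after a trial decryption


def h1(keyword):
    """H1: keyword string -> group 'point' used as the IBE identity."""
    return int.from_bytes(hashlib.sha256(keyword.encode()).digest(), "big") % P


def h2(value):
    """H2: pairing output -> pad for FLAG | K."""
    return hashlib.sha256(value.to_bytes(8, "big")).digest()


def pairing(x, y):
    return x * y % P


def xor(a, b):
    return bytes(u ^ v for u, v in zip(a, b))


def sym(key, data):
    """Toy XOR stream cipher keyed by K (self-inverse); stand-in for a real cipher."""
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return xor(data, stream)


def setup():
    """Escrow Agent picks the master secret s and publishes (P, sP)."""
    s = secrets.randbelow(P - 1) + 1
    point = secrets.randbelow(P - 1) + 1
    return {"P": point, "sP": s * point % P}, s


def capability(msk, keyword):
    """Search capability for a keyword = the IBE private key s * H1(keyword)."""
    return msk * h1(keyword) % P


def encrypt_record(pub, keywords, record, cache):
    """Log entry: the record under a fresh K plus one tag per keyword.
    One r per document (slide 80) and ê(H1(w), sP) cached per keyword (slide 79)."""
    K = os.urandom(16)
    r = secrets.randbelow(P - 1) + 1
    tags = []
    for w in keywords:
        if w not in cache:
            cache[w] = pairing(h1(w), pub["sP"])     # one pairing per new keyword only
        tags.append(xor(FLAG + K, h2(cache[w] * r % P)))   # "^r" is "* r" in the toy group
    return {"U": r * pub["P"] % P, "tags": tags, "ct": sym(K, record)}


def search(cap, entries):
    """Per entry: ONE pairing ê(cap, U) = s*H1(w)*r, then test every tag for FLAG.
    A non-matching tag just yields random bits; on a match, K decrypts the record."""
    found = []
    for entry in entries:
        pad = h2(pairing(cap, entry["U"]))
        for tag in entry["tags"]:
            plain = xor(tag, pad)
            if plain[: len(FLAG)] == FLAG:
                found.append(sym(plain[len(FLAG):], entry["ct"]))
                break
    return found


def demo(keyword):
    """Two constructed audit-log entries searched with a capability for `keyword`."""
    pub, msk = setup()
    cache = {}
    entries = [
        encrypt_record(pub, ["ZebraNet", "Funding", "Alice Smith"], b"record 1", cache),
        encrypt_record(pub, ["PlanetLab", "Alice Smith"], b"record 2", cache),
    ]
    return search(capability(msk, keyword), entries)
```

`demo("ZebraNet")` returns only the first record, `demo("Alice Smith")` both, and a capability for a keyword no entry carries returns nothing, since every trial decryption fails the FLAG test. Because r is shared by all tags of one entry, `search` computes exactly one pairing per entry regardless of how many keywords the entry has.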

81 Cryptographic Protocols for Memex
Related Work
- Searching on Encrypted Data: Boneh, Crescenzo, Ostrovsky and Persiano (2003); Song, Wagner and Perrig (2000)
- Identity Based Encryption: Boneh and Franklin (2001)

82 Cryptographic Protocols for Memex
Contributions
- Introduced the notion of Fuzzy Identity Based Encryption
  - Designed a Fuzzy IBE scheme based on bilinear maps
  - Proof of security
- Developed a novel method for anonymously receiving messages
  - Introduced the notion of Incomparable Public Keys
  - Implementation in GnuPG
  - Provably secure in both the Random Oracle and standard models

83 Cryptographic Protocols for Memex
Contributions
- Designed a scheme for keyword search on asymmetrically encrypted data
  - Adapted the Boneh-Franklin IBE method
  - Developed techniques for improving performance

84 Future Work (Fuzzy IBE)
- Extends to a set overlap metric
  - Hash arbitrary strings into identities: ID="brown-hair", "Explorer"…
- More biometrics
- Access Control
- Dating? 3 out of 4: Blond, Grad Student, Curly, Beat Brent in bowling


86 Cryptographic Protocols for Memex
Thanks!
Ed Felten, Amit Sahai, Committee, Fellow Students


