Presentation is loading. Please wait.

Presentation is loading. Please wait.

ZQL ZQL a cryptographic compiler for processing private data George Danezis Cédric Fournet Markulf Kohlweiss Zhengqin Luo & Alfredo Rial CraigMu’s review,

Published byAmberlynn Bailey Modified over 9 years ago

Similar presentations

Presentation on theme: "ZQL ZQL a cryptographic compiler for processing private data George Danezis Cédric Fournet Markulf Kohlweiss Zhengqin Luo & Alfredo Rial CraigMu’s review,"— Presentation transcript:

1 ZQL ZQL a cryptographic compiler for processing private data George Danezis Cédric Fournet Markulf Kohlweiss Zhengqin Luo & Alfredo Rial CraigMu’s review, Feb’12

2 Privacy at odds with big data produced, processed, and stored Private data? – Personal, medical, financial, legal… A controversial trust issue – Show-stopper when deploying new technology – High potential for negative press – Strong EU regulations Wanted: generic tools for privacy-friendly data processing (as in dolphin-friendly tuna) Data Privacy

3 Example 1: Smart Metering

4 Privacy-Preserving Smart Metering Only the monthly fee need to be sent back to the utility (not the detailed meter readings) certified readings (private data) Utility Provider User, paying her monthly bill price to pay + crypto evidence Smart Meter variable policy & rates

5 Example 2: Pay-how- you-drive insurance

6

7 (…)

8 Pay-how-you-drive insurance Only the premium needs to be communicated to the insurance company User, paying her insurance fee fee to pay + crypto evidence certified pricing policy certified location, speed and distance (private data) Insurance company

9 Many similar problems (Partly) private user data Public pricing policy Conflicting goals: Privacy for the user Concealing meter readings Concealing locations, speed and distance Integrity for the verifier Only the correct price can be proved

10 So far, ad hoc cryptographic solutions Bespoke privacy-preserving protocols using a mix of cryptographic mechanisms – Linear policies using homomorphic commitments – Cumulative policies using zero-knowledge proofs on CL-signatures – Penalty-based policies (Pay-how-you-drive) ? Also many protocols for anonymous credentials, e-cash, e-voting These protocols are available today, but they hard to design, implement, and deploy – We cannot involve cryptographers and security experts each time we change the query or revise the service policy!

11 Goal: private data processing 1.a high-level language for querying data 2.an optimizing, verifying query compiler – selects cryptographic constructions – generates code for different platforms – verifies its security before deployment certified private data certified public data Service, or Verifier in need of valid results Client, or Prover in control of her data query results + crypto evidence Reliable Data Providers agreement on a data query

12 Integrity and Privacy (Ideal) Client, or Prover in control of her data Trusted Third Party Reliable Data Providers “Ok.” Service, or Verifier in need of valid results

13 ZQL: a language for querying private data SQL [Structured Query Language, 1970—]: a fine declarative domain-specific language for querying relational DBs ZQL [Zero-Knowledge Query Language]: a subset of SQL extended for cryptographic processing – privacy annotations – random sampling – hash, sign,… – big numbers for keys, group elements, exponents, … The SQL theory carries over to ZQL, despite unusual data: – Useful algebraic properties – Efficient evaluation plans and representations (e.g. indexing)

14 fast, portable low-level code in C queries expressed in SQL+crypto query expressed in SQL ZQL compiler We emit code for each participant reference high-level code in F# data privacy specification F# generator We generate a query for each participant, with matching I/Os Q(T 1 …T n ) T sign 1 Q prove Q verify T 1 : … Qv.c Qp.c T1.cQv.fs Qp.fs T1.fs C generator Compiler Architecture crypto.fs ZQL.fs runtime libraries

15 Sample SQL query for Smart Metering Consider billing with a variable-rate linear policy Meter timereading 12/1 00:00241 12/1 00:15322 12/1 00:30325 12/1 00:45116 12/1 01:00538 … Policy timerate 12/1 00:0012 12/1 00:1512 12/1 00:3015 12/1 00:4515 12/1 01:0015 … Bill := SELECT time, cost = reading * rate FROM Meter |><| Policy WHERE time in 1/1..31/1/2011 fee := SUM cost FROM Bill The source query is:

16 (2) the client now computes two sums instead of one Commit timecommit Policy timerate public signed datasecret data + Open readingopening (1) the meter generates and signs commitments Inside ZQL: Compiling the metering query public rates Open := SELECT time, reading, opening = RNG() FROM Meter Commit:= SELECT time, commit = g^reading * h^opening FROM Open g^payment * h^proof =g^(SUM (reading * rate)) * h^(SUM (opening * rate)) = PROD (g^reading * h^opening)^rate = PROD commit^rate payment := SUM reading * rate FROM Open |><| Policy proof := SUM opening * rate FROM Open |><| Policy g^payment * h^proof =?= PROD commit ^ rate FROM Commit |><| Policy (3) the utility checks them against the signed commitments

17 Inside ZQL: Compiling pay-how-you-drive (outline) This query joins tables on secret columns: we must prove that the join includes rows from the policy tables without revealing which rows we actually use GPS private readings timeroadspeedmileage SpeedLimit roadmax Penalty overpoints Policy timepointsrate let Over = SELECT over = speed - max FROM GPS |><| SpeedLimit let total = SUM points FROM Over |><| Penalty let payment = SUM mileage * rate FROM GPS |><| Policy WHERE points = total

18 GPS private readings timeroadspeedmileageopeningcommit This query joins tables on secret columns: we must prove that the join includes rows from the policy tables without revealing which rows we actually use For each row in a join, the prover generates a zero-knowledge proof of knowledge of a matching signed row in the policy table SpeedLimit roadmaxCLsig Penalty overpointsCLsig Policy timepointsrateCLsig Inside ZQL: Compiling pay-how-you-drive (outline) let Over = SELECT over = speed - max FROM GPS |><| SpeedLimit let total = SUM points FROM Over |><| Penalty let payment = SUM mileage * rate FROM GPS |><| Policy WHERE points = total

19 Expressiveness & Performance When operating on secrets, we support a fragment of SQL 1.Linear expressions 2.Polynomials expressions 3.Table lookups 4.Inequalities Current limitation: The shape of intermediate tables must be public Fresh cryptography: vector commitments for implementing private intermediate tables Linear overhead in the number of secrets Linear: 128 bytes/row prove 300,000 row/S check 90,000 row/S Non-Linear: 6586 bytes/row prove87 row/S check41 row/S Performance dominated by bignum multiplications: – We rely on recent extensions of core crypto algorithms (thanks to XCG)

20 Security? Our compiler automatically generate complex protocol implementations – Hard to test or review – How can the user tell whether her privacy is preserved? Our compiler then calls independent, automated tools to verify that these implementations are secure – Privacy: the service learns nothing more than the query result – Integrity: the user can build evidence only for the correct result F# generator Qv.fs Qp.fs T1.fs ZQL compiler Q(T 1 …T n ) T 1 : …

21 Security Verification (2003—) We develop a cryptographic verification kit for new protocol implementations [with A.D. Gordon, K. Bhargavan] – Tools: ProVerif, FS2PV, FS2CV, F7, F*… – Mostly for F#, with experiments for C and C# We automatically verify large implementations against precise cryptographic assumptions – Probabilistic security: “no secret information flows to the adversary” – Computational security: “except with a negligible probability, no adversary can…” Verification case studies: – TLS 1.2 Internet Standard [with MSR-INRIA]; web services security – DKM for cloud data [with T. Acar, D.Shumow] deployed on MS datacenters – TPM2 [with P. England, D. Wooten, F. Dupressoir, and RISE] shipping with Win8

22 typed specification in F7reference implementation in F# F# generator Qv.fs Qp.fs T1.fs F7 generator Qv.fs7 Qp.fs7 T1.fs7 F7 typing We get either a compile-time error (bug) or strong integrity & privacy theorems query expressed in SQL ZQL compiler Q(T 1 …T n ) T 1 : … Crypto.fs7 ZQL.fs7 Towards a certifying ZQL Compiler We generate proof goals and type annotations to keep track of query evaluations We use F7 to automatically prove that implementations conform with their specifications

23 ZQL: Privacy-Friendly Data Processing 1.With ZQL, clients process their own private data & services still get correct results 2.Programmers specify their SQL queries & privacy goals; we compile them into zero-knowledge protocols 3.The security of fresh crypto implementations can be automatically verified (at compile-time) under standard security assumptions

24 ©2011 Microsoft Corporation. All rights reserved.

Download ppt "ZQL ZQL a cryptographic compiler for processing private data George Danezis Cédric Fournet Markulf Kohlweiss Zhengqin Luo & Alfredo Rial CraigMu’s review,"

Similar presentations

Multi-RQP Generating Test Databases for the Functional Testing of OLTP Applications Carsten Binnig Joint work with: Donald Kossmann, Eric Lo DBTest Workshop,

Multi-RQP Generating Test Databases for the Functional Testing of OLTP Applications Carsten Binnig Joint work with: Donald Kossmann, Eric Lo DBTest Workshop,
.NET Technology. Introduction Overview of.NET What.NET means for Developers, Users and Businesses Two.NET Research Projects:.NET Generics AsmL.

.NET Technology. Introduction Overview of.NET What.NET means for Developers, Users and Businesses Two.NET Research Projects:.NET Generics AsmL.
Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.
Building Secure Distributed Systems The CIF model : Component Information Flow Lilia Sfaxi DCS Days - 26/03/2009.

Building Secure Distributed Systems The CIF model : Component Information Flow Lilia Sfaxi DCS Days - 26/03/2009.
Building web applications on top of encrypted data using Mylar Presented by Tenglu Liang Tai Liu.

Building web applications on top of encrypted data using Mylar Presented by Tenglu Liang Tai Liu.
Efficient Zero-Knowledge Proof Systems Jens Groth University College London.

Efficient Zero-Knowledge Proof Systems Jens Groth University College London.
© Chinese University, CSE Dept. Software Engineering / 1 - 1 Software Engineering Topic 1: Software Engineering: A Preview Your Name: ____________________.

© Chinese University, CSE Dept. Software Engineering / Software Engineering Topic 1: Software Engineering: A Preview Your Name: ____________________.
Lect. 18: Cryptographic Protocols. 2 1.Cryptographic Protocols 2.Special Signatures 3.Secret Sharing and Threshold Cryptography 4.Zero-knowledge Proofs.

Lect. 18: Cryptographic Protocols. 2 1.Cryptographic Protocols 2.Special Signatures 3.Secret Sharing and Threshold Cryptography 4.Zero-knowledge Proofs.
Payment Systems 1. Electronic Payment Schemes Schemes for electronic payment are multi-party protocols Payment instrument modeled by electronic coin that.

Payment Systems 1. Electronic Payment Schemes Schemes for electronic payment are multi-party protocols Payment instrument modeled by electronic coin that.
Efficient Query Evaluation on Probabilistic Databases

Efficient Query Evaluation on Probabilistic Databases
A Practical Smart Metering System Supporting Privacy Preserving Billing and Load Monitoring Hsiao-Ying Lin National Chiao Tung University Joint work with.

A Practical Smart Metering System Supporting Privacy Preserving Billing and Load Monitoring Hsiao-Ying Lin National Chiao Tung University Joint work with.
The Design and Implementation of a Certifying Compiler [Necula, Lee] A Certifying Compiler for Java [Necula, Lee et al] David W. Hill CSCI 297 5.31.2005.

The Design and Implementation of a Certifying Compiler [Necula, Lee] A Certifying Compiler for Java [Necula, Lee et al] David W. Hill CSCI
An Integration of Program Analysis and Automated Theorem Proving Bill J. Ellis & Andrew Ireland School of Mathematical & Computer Sciences Heriot-Watt.

An Integration of Program Analysis and Automated Theorem Proving Bill J. Ellis & Andrew Ireland School of Mathematical & Computer Sciences Heriot-Watt.
Protecting User Data in Ubiquitous Computing: Towards Trustworthy Environments Yitao Duan and John Canny UC Berkeley.

Protecting User Data in Ubiquitous Computing: Towards Trustworthy Environments Yitao Duan and John Canny UC Berkeley.
15-251 Great Theoretical Ideas in Computer Science.

Great Theoretical Ideas in Computer Science.
CSCE 715 Ankur Jain 11/16/2010. Introduction Design Goals Framework SDT Protocol Achievements of Goals Overhead of SDT Conclusion.

CSCE 715 Ankur Jain 11/16/2010. Introduction Design Goals Framework SDT Protocol Achievements of Goals Overhead of SDT Conclusion.
FIT3105 Smart card based authentication and identity management Lecture 4.

FIT3105 Smart card based authentication and identity management Lecture 4.
CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.
Oblivious Transfer based on the McEliece Assumptions

Oblivious Transfer based on the McEliece Assumptions
10/25/20061 Threshold Paillier Encryption Web Service A Master’s Project Proposal by Brett Wilson.

10/25/20061 Threshold Paillier Encryption Web Service A Master’s Project Proposal by Brett Wilson.

Similar presentations

Ads by Google