Cryptographic Algorithms for Privacy in an Age of Ubiquitous Recording
Brent R. Waters
Advisor: Ed Felten
July, 2004
Brent Waters Cryptographic Protocols for Memex 2
Ubiquitous Recording
Imagine a world where everything is recorded.
With increases in storage technology and other factors, ubiquitous recording is becoming close to a reality.
Privacy concerns become very significant.
Privacy Problems
How do we encrypt information for someone who does not carry around any special devices?
How can someone receive messages anonymously?
How can we provide the functionality of keyword search while maintaining data confidentiality?
Contributions
Three Cryptographic Protocols
• Fuzzy Identity Based Encryption: encryption using biometrics
• Receiver Anonymity via Incomparable Public Keys (CCS ’03)
• Keyword Search on Asymmetrically Encrypted Data (NDSS ’04)
Fuzzy Identity Based Encryption
Current research with Amit Sahai
A Medical Appointment
• Record visit, test results, etc.
• Encryption
• No portable device requirement (the patient can’t carry an RSA public key)
Use Identity Based Encryption (IBE)
My key is “Aaron Smith”
• Public key is an identifier string (e.g. “[email protected]”)
• Use global public parameters
• Master secret holder(s) can give out private keys to an individual that authenticates themselves
• Boneh and Franklin ’01
Problems with Standard IBE
What should the identities be?
• Names are not unique
• Don’t necessarily want to tie to SS#, Driver’s License…
First time users
• Don’t have identities yet
Certifying oneself to the authority can be troublesome
• Need documentation, etc.
Biometric as an Identity
<0110010…00111010010>
• Biometric stays with the human
• Should be unique (depends on quality of the biometric)
• Have an identity before registration
• Certification is natural
Biometric as an Identity
<0110010…00111010010>
Biometric measure changes a little each time:
• Environment
• Difference in sensors
• Small change in trait
Two readings of the same trait: <0110110…00111010110> and <0100010…00111010110>
Cannot use a biometric as an identity in current IBE schemes.
Fuzzy Identity Based Encryption
A secret key for ID can decrypt a ciphertext encrypted with ID’ iff HammingDistance(ID, ID’) ≤ d.

Example 1: private key for ID = <0110010…00111010010>, ciphertext encrypted with ID’ = <0100110…00111010110>. The identities differ in at most d positions, so decryption recovers M.

Example 2: private key for ID = <0110010…00111010010>, ciphertext encrypted with ID’ = <0010110…00011110110>. The identities differ in more than d positions, so decryption fails.
Designing a Fuzzy IBE Scheme
n-bit identifiers; d = Hamming distance threshold
Two techniques:
• Shamir secret sharing using polynomials
• Bilinear maps
Secret Sharing
Pick a random degree n-1 polynomial q; the secret is q(x’).
Need n points to interpolate to the secret; with fewer, learn nothing.
Bilinear Maps
$\hat{e} : G_1 \times G_1 \rightarrow G_2$
$p$: order of $G_1$ and $G_2$; $g$: generator of $G_1$; $h$: generator of $G_2$
$\hat{e}(g^a, g^b) = \hat{e}(g^b, g^a) = h^{ab}$ (bilinear)
$\hat{e}(g, g) = h$ (non-degenerate)
Setup
$x', x_{1,0}, x_{1,1}, x_{2,0}, x_{2,1}, \ldots, x_{n,0}, x_{n,1}$: distinct values in $\mathbb{Z}_p$
$g^{t_{1,0}}, g^{t_{1,1}}, g^{t_{2,0}}, g^{t_{2,1}}, \ldots, g^{t_{n,0}}, g^{t_{n,1}}$: random members of $G_1$
$h^{y'} \in G_2$
(The exponents $t_{i,b}$ and $y'$ are what the master secret holder keeps; key generation below needs them.)
Key Generation
Pick a random degree $n-(d+1)$ polynomial $q(x)$ such that $q(x') = y'$.
Points depend on the identity of the private key, e.g. ID = < 0 1 1 … 0 >:
$g^{q(x_{1,0})/t_{1,0}},\; g^{q(x_{2,1})/t_{2,1}},\; g^{q(x_{3,1})/t_{3,1}},\; \ldots,\; g^{q(x_{n,0})/t_{n,0}}$
Encryption
Pick random $r$ and encrypt message $M$ as $C = M \cdot h^{r y'}$.
Raise the public points that match the encryption identity to $r$, e.g. ID’ = < 0 1 0 … 0 >:
$g^{r t_{1,0}},\; g^{r t_{2,1}},\; g^{r t_{3,0}},\; \ldots,\; g^{r t_{n,0}}$
Decryption
Suppose we have the secret key for ID, a ciphertext encrypted with ID’, and HammingDistance(ID, ID’) ≤ d.
Apply the bilinear map at n-d points where ID and ID’ agree, e.g. ID = < 0 1 1 … 0 >, ID’ = < 0 1 0 … 0 >:
$\hat{e}(g^{r t_{1,0}},\, g^{q(x_{1,0})/t_{1,0}}) = h^{r q(x_{1,0})}$
$\hat{e}(g^{r t_{2,1}},\, g^{q(x_{2,1})/t_{2,1}}) = h^{r q(x_{2,1})}$
(position 3 disagrees: $g^{r t_{3,0}}$ in the ciphertext and $g^{q(x_{3,1})/t_{3,1}}$ in the key do not pair to a point of $q$)
…
$\hat{e}(g^{r t_{n,0}},\, g^{q(x_{n,0})/t_{n,0}}) = h^{r q(x_{n,0})}$
Decryption
Have n-d points of the polynomial $r \cdot q(x)$ (in the exponent).
Can interpolate to get $h^{r q(x')} = h^{r y'}$.
Ciphertext is $C = M \cdot h^{r y'}$; divide out to get $M$.
Security Proof for the “Selective ID” model
• The attacker commits to the target identity before the public parameters are generated; security is for ciphertexts encrypted to that pre-specified ID
Reduce to distinguishing between the tuples $(g^a, g^b, g^c, h^{bc/a})$ and $(g^a, g^b, g^c, h^z)$ for random $z$
Practicality?
Expect ~50 bits in some biometrics
• E.g. voice sample
Approximately 80 ms for a bilinear map computation
Around 4 s for decryption
Related Work
Identity Based Encryption: Boneh and Franklin (2001); Canetti, Halevi, and Katz (2003)
Encryption with Biometrics: Monrose, Reiter, et al. (2002)
Fuzzy Schemes: Davida, et al. (1998); Juels and Wattenberg (1999)
Receiver Anonymity via Incomparable Public Keys
Work with Ed Felten and Amit Sahai (CCS ’03)
An Anonymous Encounter
• Communicate later
• Encryption
• Anonymity
Receiver Anonymity
Alice can give Bob information that he can use to send messages to Alice, while keeping her true identity secret from Bob.
[Figure: Alice hands Bob an Anonymous ID; Bob posts to the bulletin board alt.anonymous.messages, which Alice reads]
Anonymous ID: “Where are good Hang Gliding spots?” / Send to: alt.anonymous.messages
Receiver Anonymity
Anonymous Identity
• Information allowing a sender to send messages to an anonymous receiver
• May contain routing and encryption information
Requirements
• Receiver is anonymous even to the sender
• Anonymous Identity can be used several times
• Communication is secret (encrypted)
• Messages are received efficiently
A Common Method
Alice anonymously receives encrypted messages from both Bob and Charlie by reading a newsgroup.
[Figure: bulletin board alt.anonymous.messages; Alice reads it; Bob and Charlie post to it, each holding one Anonymous ID]
Anonymous ID 1: “Where are good Hang Gliding spots?” / Send to: alt.anonymous.messages / Encrypt with: a45cd79e
Anonymous ID 2: “What Biology conferences are interesting?” / Send to: alt.anonymous.messages / Encrypt with: a45cd79e

Encryption Key is Part of the Identity
Bob and Charlie collude and discover that they are encrypting with the same public key (a45cd79e) and thus are sending messages to the same person.
Bob and Charlie then aggregate what they each know about the Anonymous Receiver and are able to compromise her anonymity:
Hang Gliding + Biology => Alice
Independent Public Key per Sender
Alice creates a separate public/private key pair for each sender (a45cd79e for one sender, 207c5edb for the other). Upon receiving a message on the newsgroup Alice tries all her private keys until one matches or she has tried them all.
[Figure: bulletin board alt.anonymous.messages; Bob; Charlie; Alice’s “Keys to Try” list. With two senders the list is short (48b33c03, ae668f53); with many senders it grows to one private key per sender (43bca289, 86cf1943, b9034d40, 075ca5ef, 2fce8473, 207defb1, 70f4ba54, …), so every incoming message can cost a trial decryption per key.]
Incomparable Public Keys
• Receiver generates a single secret key
• Receiver generates several Incomparable Public Keys (one for each Anonymous Identity)
• Receiver uses the secret key to decrypt any message encrypted with any of the public keys
• Holders of Incomparable Public Keys cannot tell if any two keys are related (correspond to the same private key)
Efficiency of Incomparable Public Keys
Alice creates one secret key and distributes a different Incomparable Public Key to each sender (a45cd79e to one sender, 207c5edb to the other).
[Figure: bulletin board alt.anonymous.messages; Bob; Charlie; Alice’s “Keys to Try” list no longer grows with the number of senders]
Construction of Incomparable Public Keys
Based on ElGamal encryption
• All users share a global (strong) prime $p$
• Operations are performed in the group of quadratic residues of $\mathbb{Z}_p^*$
Secret key generation:
• Choose an ElGamal secret key $a$
Generate a new Incomparable Public Key:
• Pick a random generator $g$ of the group
• Public key is $(g, g^a)$
Security Intuition
Cannot distinguish equivalent keys $(g, g^a), (h, h^a)$ from non-equivalent ones $(g, g^a), (h, h^b)$
• Assuming Decisional Diffie-Hellman is hard
However, this is not enough if the receiver might respond to a message:
Bob holds $(g, g^a)$ and Charlie holds $(h, h^a)$. They pair-wise multiply their keys to get $(gh, (gh)^a)$.
Alice can decrypt messages encrypted with this new key, so if she responds to such a message, Bob and Charlie learn that their two keys share one private key.
Models of Receivers
Passive Receiver Model
• Receiver gathers and decrypts messages, but gives no indication to the sender about whether decryption was successful
• Receiver cannot ask for retransmission if an expected message is not received
• Might be realistic in a few cases
Active Receiver Model
• Receiver decrypts messages and can interact with the sender
Solution to the Active Receiver Model
Record the keys that were validly created.
The ciphertext will contain a “proof” about which key was used for encryption.
The private key holder can alternatively distribute each Incomparable Public Key with its MAC.
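The ElGamal construction, the colluders’ key-combining probe and the MAC countermeasure above, as an added example in Python (not the GnuPG implementation the talk describes). Assumptions of mine: a toy safe prime 2039 with an order-1019 quadratic-residue subgroup standing in for the global strong prime; HMAC-SHA256 as the MAC; and, for the active-receiver check, that a sender attaches the public key it used and that key’s MAC to each message so the receiver can recognise a key she never issued before answering.

```python
"""Incomparable public keys over ElGamal (constructed example; toy parameters)."""
import hashlib
import hmac
import secrets

P = 2039   # safe prime, 2039 = 2*1019 + 1 (toy size; a deployment needs a large prime)
Q = 1019   # prime order of the quadratic-residue subgroup of Z_P^* where all operations happen


def random_generator():
    """Random generator of the QR subgroup: square a random element, rejecting 1."""
    while True:
        g = pow(secrets.randbelow(P - 2) + 2, 2, P)
        if g != 1:
            return g


class Receiver:
    """Alice: one ElGamal secret a and any number of incomparable public keys (g_i, g_i^a)."""

    def __init__(self):
        self.a = secrets.randbelow(Q - 1) + 1        # the single secret key
        self.mac_key = secrets.token_bytes(32)       # for the "distribute each key with its MAC" variant

    def new_incomparable_key(self):
        g = random_generator()                       # fresh random generator per anonymous identity
        pk = (g, pow(g, self.a, P))
        return pk, self.mac(pk)

    def mac(self, pk):
        return hmac.new(self.mac_key, f"{pk[0]}:{pk[1]}".encode(), hashlib.sha256).digest()

    def decrypt(self, ct):
        """Passive receiver: decrypt whatever arrives, whichever (g, g^a) it was encrypted under."""
        c1, c2 = ct
        return c2 * pow(pow(c1, self.a, P), -1, P) % P

    def handle(self, pk, tag, ct):
        """Active receiver: decrypt (and so possibly respond) only if pk carries Alice's own MAC."""
        if not hmac.compare_digest(self.mac(pk), tag):
            return None                              # key was never issued by Alice: stay silent
        return self.decrypt(ct)


def encrypt(pk, m):
    """Standard ElGamal under (g, g^a); m is any element of Z_P^*."""
    g, ga = pk
    k = secrets.randbelow(Q - 1) + 1
    return pow(g, k, P), m * pow(ga, k, P) % P


def combine_keys(pk1, pk2):
    """Colluders' probe: (g*h, g^a * h^a) is a valid key for secret a iff both keys share that a."""
    return pk1[0] * pk2[0] % P, pk1[1] * pk2[1] % P


def demo():
    alice = Receiver()
    pk_bob, tag_bob = alice.new_incomparable_key()
    pk_charlie, tag_charlie = alice.new_incomparable_key()
    probe = combine_keys(pk_bob, pk_charlie)        # (gh, (gh)^a)
    return {
        "bob": alice.handle(pk_bob, tag_bob, encrypt(pk_bob, 123)),
        "charlie": alice.handle(pk_charlie, tag_charlie, encrypt(pk_charlie, 456)),
        "probe_passive": alice.decrypt(encrypt(probe, 789)),        # decrypts: a passive Alice can't tell
        "probe_active": alice.handle(probe, tag_bob, encrypt(probe, 789)),  # rejected: MAC does not match
    }
```

The probe key decrypting correctly is exactly the leak the slides describe: a passive receiver reads the message and reveals nothing, but an active receiver who answered it would confirm to Bob and Charlie that both keys belong to her. The MAC check in `handle` is what lets the active receiver answer only messages sent under keys she actually issued.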
Efficiency
Efficiency is comparable to standard ElGamal
• One exponentiation for encryption
• Two exponentiations for decryption and verification of a message
Implementation
Implemented Incomparable Public Keys by extending GnuPG (PGP) 1.2.0
Available at http://www.cs.princeton.edu/~bwaters/research/
Related Work
Bellare et al. (2001)
• Introduce the notion of Key-Privacy
• If Key-Privacy is maintained an adversary cannot match ciphertexts with the public keys used to create them
• The authors do not consider anonymity from senders
Pfitzmann and Waidner (1986)
• Use of a multicast address for receiver anonymity
• Discuss implicit vs. explicit “marks”

Related Work (cont.)
Chaum (1981)
• Mix-nets for sender anonymity
• Reply addresses usable only once
• Other work follows this line
Keyword Search on Asymmetrically Encrypted Data
Work with Dirk Balfanz, Glenn Durfee, and Dianna Smetters (NDSS ’04)
A Conference Room
Example keywords: Alice Smith, Faculty, ZebraNet, Facilities
[Figure: a recording device in the conference room writes records to untrusted record storage]
Desirable Characteristics
Data Access Control
• Entries may be sensitive to individuals or the log owner
Searchability
• Search for log entries on specific criteria, e.g. keyword search
Tension between the two goals
Requirements
Data Access Control
• Entries must be encrypted on untrusted storage
• Forward security in case the auditing device becomes compromised, which calls for asymmetric encryption (the device holds no decryption key)
• Limit the scope of data released to that of the search
Searchability
• Be able to efficiently retrieve entries based on certain criteria
• We focus on keyword search
Delegating Search Capabilities
[Figure: Investigator; Escrow Agent holding the master secret; the stored records]
1. The investigator requests a capability to search for all records that match the keyword “ZebraNet”.
2. The investigator submits the capability to the audit log and receives only the entries that the capability matches.
Search on Asymmetrically Encrypted Data
[Figure: Recording Device produces a Record tagged with Keywords ZebraNet, Funding, Alice Smith; the record is stored as Encrypted Data; the Escrow Agent holds the master secret]
• The record is stored as encrypted data; the keywords must not be in the clear!
• The escrow agent holds the master secret and issues search capabilities.
• A search capability for “PlanetLab” is run against the encrypted data: no information is learned, because nothing matches.
• A search capability for “ZebraNet” matches the record.
• Embed decryption in search: the matching capability also yields the record and its keywords (ZebraNet, Funding, Alice Smith).
Using IBE to Search on Asymmetrically Encrypted Data
[Figure: Recording Device; Record with Keywords ZebraNet, Funding, Alice Smith]
Encryption (recording device):
• Encrypt the record with a fresh symmetric key K
• For each keyword, IBE-encrypt FLAG | K under that keyword as the identity: (FLAG | K) to “ZebraNet”, (FLAG | K) to “Funding”, (FLAG | K) to “Alice Smith”
• FLAG is used to test, K to decrypt on a match
• Key-privacy property: keywords are kept private
• “Pairing” operation per keyword
Search (with the “ZebraNet” search capability):
• Attempt IBE decryption on each part and test for the presence of FLAG
• Parts for other keywords decrypt to random-looking bits (011010…, 0011100…); the “ZebraNet” part yields FLAG | K
• On a match use K to decrypt the document
• Pairing per keyword in document
We want to type keywords
Performance
Encryption
• One pairing per keyword in the document
• One exponentiation per keyword
Search/Decryption
• One pairing per keyword per document
Optimizations
Cache pairings of frequently used keywords
• e.g. ê(“ZebraNet”, sP)
• Only need a pairing per new keyword on encryption
• In the limit the exponentiation per keyword is the dominant cost
Reuse randomness for IBE encryption within one document
• Okay since the same public key (keyword identity) is not used twice within one document
• In decryption only one pairing per document
• Saves storage in the log
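The FLAG | K construction together with both optimizations above (cached per-keyword pairings on the recording device, one shared randomness per document so the searcher pays one pairing per document), as an added example in Python; it is not the paper’s implementation. It uses an exponent-only model of Boneh-Franklin BasicIdent: every group element is carried as its discrete log, so ê(aP, bP) is computed as the product ab and no hardness assumption survives; what is exact is the protocol structure. Assumptions of mine: 8 zero bytes as FLAG, SHA-256 in counter mode standing in for H1, H2 and the record cipher, and the constructed sample records.

```python
"""IBE-based keyword search on an encrypted log (constructed example, exponent-only toy model)."""
import hashlib
import secrets

ORDER = 2**127 - 1   # prime group order (Mersenne prime); each group element is carried as its exponent
FLAG = bytes(8)      # assumed FLAG format: 8 zero bytes, so a false match has probability 2^-64 per trial


def mask_bytes(seed, length):
    """Counter-mode SHA-256 expansion; stands in for H2 and for a symmetric stream cipher."""
    out, ctr = b"", 0
    while len(out) < length:
        out += hashlib.sha256(seed + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:length]


def h1(keyword):
    """H1: keyword -> Q_w (the IBE identity), carried as an exponent."""
    return int.from_bytes(hashlib.sha256(b"H1|" + keyword.encode()).digest(), "big") % ORDER


def h2(g2_value, length):
    """H2: pairing result -> mask bytes."""
    return mask_bytes(b"H2|" + g2_value.to_bytes(16, "big"), length)


def pair(a, b):
    """e(aP, bP) = g2^{ab}; in the exponent model the pairing is just a*b, which is what makes it a toy."""
    return a * b % ORDER


def g2_pow(value, r):
    """(g2^x)^r -> g2^{xr}."""
    return value * r % ORDER


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class EscrowAgent:
    """Holds the IBE master secret s (P_pub = sP) and issues search capabilities d_w = s*Q_w."""

    def __init__(self):
        self.s = secrets.randbelow(ORDER - 1) + 1
        self.p_pub = self.s                      # sP with P carried as exponent 1

    def capability(self, keyword):
        return self.s * h1(keyword) % ORDER


class RecordingDevice:
    """Encrypts log entries using only the public p_pub: no decryption secret ever sits on the device."""

    def __init__(self, p_pub):
        self.p_pub = p_pub
        self.pair_cache = {}                     # e(Q_w, sP) per keyword: "cache pairings of frequent keywords"
        self.pairings = 0                        # how many pairings the device has actually computed

    def encrypt(self, record, keywords):
        k = secrets.token_bytes(16)              # fresh symmetric key K for this record
        body = xor(mask_bytes(b"K|" + k, len(record)), record)
        r = secrets.randbelow(ORDER - 1) + 1     # ONE r reused for every keyword of this record
        tags = []
        for w in keywords:
            if w not in self.pair_cache:
                self.pair_cache[w] = pair(h1(w), self.p_pub)
                self.pairings += 1
            mask = h2(g2_pow(self.pair_cache[w], r), len(FLAG) + len(k))
            tags.append(xor(FLAG + k, mask))     # BF-style IBE encryption of FLAG|K to identity w
        return {"u": r, "tags": tags, "body": body}   # U = rP is shared by all tags of the record


def search(capability, entries):
    """Investigator: trial-decrypt every tag with d_w, test for FLAG, unlock matches. Returns (records, pairings)."""
    hits, pairings = [], 0
    for entry in entries:
        mask = h2(pair(capability, entry["u"]), len(FLAG) + 16)   # e(d_w, U): one pairing per record
        pairings += 1
        for tag in entry["tags"]:
            plain = xor(tag, mask)
            if plain[: len(FLAG)] == FLAG:
                k = plain[len(FLAG):]
                hits.append(xor(mask_bytes(b"K|" + k, len(entry["body"])), entry["body"]))
                break
    return hits, pairings


RECORDS = [  # constructed sample log entries
    (b"visit: Alice Smith, ZebraNet funding review", ["ZebraNet", "Funding", "Alice Smith"]),
    (b"facilities: projector in room 306 replaced", ["Facilities"]),
    (b"ZebraNet field-test schedule approved by faculty", ["ZebraNet", "Faculty"]),
]


def demo():
    agent = EscrowAgent()
    device = RecordingDevice(agent.p_pub)
    log = [device.encrypt(rec, kws) for rec, kws in RECORDS]
    hits, pairings = search(agent.capability("ZebraNet"), log)
    misses, _ = search(agent.capability("PlanetLab"), log)
    return hits, pairings, misses, device.pairings
```

`demo()` returns the two ZebraNet records, a pairing count of 3 on the search side (one per record rather than one per keyword, because U is shared), an empty result for the PlanetLab capability, and a device-side count of 5 pairings for the 5 distinct keywords even though “ZebraNet” was encrypted twice.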
Related Work
Searching on Encrypted Data: Boneh, Di Crescenzo, Ostrovsky and Persiano (2003); Song, Wagner and Perrig (2000)
Identity Based Encryption: Boneh and Franklin (2001)
Contributions
Introduced the notion of Fuzzy Identity Based Encryption
• Designed a Fuzzy IBE scheme based on bilinear maps
• Proof of security
Developed a novel method for anonymously receiving messages
• Introduced the notion of Incomparable Public Keys
• Implementation in GnuPG
• Provably secure in both the Random Oracle and standard models
Designed a scheme for keyword search on asymmetrically encrypted data
• Adapted the BF IBE method
• Developed techniques for improving performance
Future Work (Fuzzy IBE)
Extends to a set overlap metric
• Hash arbitrary strings into identities
• ID = “brown-hair”, “Explorer”, …
More biometrics
Access Control
Dating? • Blond • Grad Student • Curly • Beat Brent in bowling (3 out of 4)
Thanks!
Ed Felten
Amit Sahai
Committee
Fellow Students