Cryptographic Algorithms for Privacy in an Age of Ubiquitous Recording Brent R. Waters Advisor: Ed Felten July, 2004


Page 1

Cryptographic Algorithms for Privacy in an Age of Ubiquitous Recording

Brent R. Waters
Advisor: Ed Felten

July, 2004

Page 2

Brent Waters Cryptographic Protocols for Memex 2

Ubiquitous Recording

Imagine a world where everything is recorded.

With increases in storage technology and other factors, Ubiquitous Recording is becoming close to a reality.

Privacy concerns become very significant.

Page 3

Privacy Problems

How do we encrypt information for someone who does not carry around any special devices?

How can someone receive messages anonymously?

How can we provide the functionality of keyword search while maintaining data confidentiality?

Page 4

Contributions

Three Cryptographic Protocols

Fuzzy Identity Based Encryption
• Encryption using biometrics

Receiver Anonymity via Incomparable Public Keys
• CCS ’03

Keyword Search on Asymmetrically Encrypted Data
• NDSS ’04

Page 5

Fuzzy Identity Based Encryption

Current Research with Amit Sahai

Page 6

A Medical Appointment

• Record visit, test results, etc.
• Encryption
• No portable device requirement (can’t carry RSA public key)

Page 7

Use Identity Based Encryption (IBE)

(Figure: a user says “My key is ‘Aaron Smith’”.)

Public Key is an identifier string (e.g. “[email protected]”)
Use global public parameters
Master secret holder(s) can give out private keys to an individual that authenticates themselves
Boneh and Franklin ’01

Page 8

Problems with Standard IBE

What should the identities be?
• Names are not unique
• Don’t necessarily want to tie to SS#, Driver’s License…

First time users
• Don’t have identities yet

Certifying oneself to authority can be troublesome
• Need documentation, etc.

Page 9

Biometric as an Identity

(Figure: a biometric reading <0110010…00111010010>.)

Biometric stays with human
Should be unique (depends on quality of biometric)
Have identity before registration
Certification is natural

Page 10

Biometric as an Identity

(Figure: three readings of the same biometric: <0110010…00111010010>, <0110110…00111010110>, <0100010…00111010110>.)

Biometric measure changes a little each time
• Environment
• Difference in Sensors
• Small change in trait

Cannot use a biometric as an identity in current IBE schemes

Page 11

Fuzzy Identity Based Encryption

A secret key for ID can decrypt a ciphertext encrypted with ID’ iff Hamming Distance(ID, ID’) $\le d$.

(Figure: Private Key for ID = <0110010…00111010010>; message M encrypted with ID’ = <0100110…00111010110>.)

Page 12

Fuzzy Identity Based Encryption

A secret key for ID can decrypt a ciphertext encrypted with ID’ iff Hamming Distance(ID, ID’) $\le d$.

(Figure: Private Key for ID = <0110010…00111010010>; ciphertext encrypted with ID’ = <0010110…00011110110>.)

Page 13

Designing a Fuzzy IBE Scheme

$n$-bit identifiers
$d$: Hamming distance

Two techniques
• Shamir secret sharing using polynomials
• Bilinear maps

Page 14

Secret Sharing

(Figure: a polynomial with the secret at $x'$.)

Pick a random degree $n-1$ polynomial $q$.
Secret is $q(x')$.
Need $n$ points to interpolate to the secret; with fewer, learn nothing.

Page 15

Bilinear Maps

$\hat{e} : G_1 \times G_1 \to G_2$

$p$: order of $G_1$, $G_2$
$g$: generator of $G_1$; $h$: generator of $G_2$, with $\hat{e}(g, g) = h$

$\hat{e}(g^a, g^b) = h^{ab}$

Page 16

Setup

$x', x_{1,0}, x_{1,1}, x_{2,0}, x_{2,1}, \ldots, x_{n,0}, x_{n,1}$: distinct values in $\mathbb{Z}_p$

$g^{t_{1,0}}, g^{t_{1,1}}, g^{t_{2,0}}, g^{t_{2,1}}, \ldots, g^{t_{n,0}}, g^{t_{n,1}}$: random members of $G_1$

$h^{y'} \in G_2$

Page 17

Key Generation

Pick a random degree $n-(d+1)$ polynomial $q(x)$ such that $q(x') = y'$.

ID = < 0 1 1 … 0 >. The points depend on the identity of the private key:

$g^{q(x_{1,0})/t_{1,0}},\ g^{q(x_{2,1})/t_{2,1}},\ g^{q(x_{3,1})/t_{3,1}},\ \ldots,\ g^{q(x_{n,0})/t_{n,0}}$

Page 18

Encryption

Pick random $r$ and encrypt message $M$ as $C = M h^{r y'}$.

ID’ = < 0 1 0 … 0 >. Raise the public points that match the encryption key to $r$:

$g^{r t_{1,0}},\ g^{r t_{2,1}},\ g^{r t_{3,0}},\ \ldots,\ g^{r t_{n,0}}$

Page 19

Decryption

Suppose we have the secret key for ID, a ciphertext encrypted with ID’, and Hamming Distance(ID, ID’) $\le d$.

Apply the bilinear map at the $n-d$ points where ID and ID’ agree:
ID  = < 0 1 1 … 0 >
ID’ = < 0 1 0 … 0 >

$\hat{e}(g^{r t_{1,0}},\ g^{q(x_{1,0})/t_{1,0}}) = h^{r q(x_{1,0})}$
$\hat{e}(g^{r t_{2,1}},\ g^{q(x_{2,1})/t_{2,1}}) = h^{r q(x_{2,1})}$
(position 3: $g^{r t_{3,0}}$ and $g^{q(x_{3,1})/t_{3,1}}$ do not match, so no point is obtained)
…
$\hat{e}(g^{r t_{n,0}},\ g^{q(x_{n,0})/t_{n,0}}) = h^{r q(x_{n,0})}$

Page 20

Decryption

Have $n-d$ points of the polynomial $r q(x)$ (in the exponent). Can interpolate to get $h^{r q(x')} = h^{r y'}$.

Ciphertext is $C = M h^{r y'}$.

Divide out to get $M$.

Page 21

Security Proof for “Selective ID” model
• Attacker cannot attack ciphertext encrypted by any pre-specified ID

Reduce to distinguishing between tuples:
$(g^a, g^b, g^c, h^{bc/a})$ and $(g^a, g^b, g^c, h^z)$

Page 22

Practicality?

Expect ~50 bits in some biometrics
• E.g. voice sample

Approximately 80ms for bilinear map computation
Around 4s for decryption

Page 23

Related Work

Identity Based Encryption: Boneh and Franklin (2001); Canetti, Halevi, and Katz (2003)

Encryption with Biometrics: Monrose, Reiter, et al. (2002)

Fuzzy Schemes: Davida, et al. (1998); Juels and Wattenberg (1999)

Page 24

Page 25

Receiver Anonymity via Incomparable Public Keys

Work with Ed Felten and Amit Sahai
CCS ’03

Page 26

An Anonymous Encounter

• Communicate later
• Encryption
• Anonymity

Page 27

Receiver Anonymity

Alice can give Bob information that he can use to send messages to Alice, while keeping her true identity secret from Bob.

(Figure: Bob posts to the Bulletin Board alt.anonymous.messages; Alice reads it.)

Anonymous ID: “Where are good Hang Gliding spots?” Send to: alt.anonymous.messages

Page 28

Receiver Anonymity

Anonymous Identity
• Information allowing a sender to send messages to an anonymous receiver
• May contain routing and encryption information

Requirements
• Receiver is anonymous even to the sender
• Anonymous Identity can be used several times
• Communication is secret (encrypted)
• Messages are received efficiently

Page 29

A Common Method

Alice anonymously receives encrypted messages from both Bob and Charlie by reading a newsgroup.

(Figure: Bulletin Board alt.anonymous.messages, read by Alice; Bob and Charlie each hold one of the two anonymous identities.)

Anonymous ID 1: “Where are good Hang Gliding spots?” Send to: alt.anonymous.messages. Encrypt with: a45cd79e

Anonymous ID 2: “What Biology conferences are interesting?” Send to: alt.anonymous.messages. Encrypt with: a45cd79e

Page 30

Encryption Key is Part of the Identity

Bob and Charlie collude and discover that they are encrypting with the same public key and thus are sending messages to the same person.

(Same figure as page 29: both Anonymous IDs say “Encrypt with: a45cd79e”.)

Page 31

Encryption Key is Part of the Identity

Bob and Charlie then aggregate what they each know about the Anonymous Receiver and are able to compromise her anonymity.

(Same figure as page 29.)

Hang Gliding + Biology => Alice

Page 32

Independent Public Key per Sender

Alice creates a separate public/private key pair for each sender. Upon receiving a message on the newsgroup Alice tries all her private keys until one matches or she has tried them all.

(Figure: Bulletin Board alt.anonymous.messages; Bob and Charlie encrypt with different keys, a45cd79e and 207c5edb; Alice’s “Keys to Try” list holds 48b33c03 and ae668f53.)

Page 33

Independent Public Key per Sender

(Same slide as page 32 with more senders: Alice’s “Keys to Try” list has grown to many key identifiers, one per sender.)

Page 34

Incomparable Public Keys

Receiver generates a single secret key
Receiver generates several Incomparable Public Keys (one for each Anonymous Identity)
Receiver uses the secret key to decrypt any message encrypted with any of the public keys
Holders of Incomparable Public Keys cannot tell if any two keys are related (correspond to the same private key)

Page 35

Efficiency of Incomparable Public Keys

Alice creates one secret key and distributes a different Incomparable Public Key to each sender.

(Figure: Bulletin Board alt.anonymous.messages; Bob, Charlie and the other senders each hold a distinct public key (a45cd79e, 207c5edb, …); Alice’s “Keys to Try” list holds a single key, 48b33c03.)

Page 36

Construction of Incomparable Public Keys

Based on ElGamal encryption
• All users share a global (strong) prime $p$
• Operations are performed in the group of Quadratic Residues of $\mathbb{Z}_p^*$

Secret Key Generation:
• Choose an ElGamal secret key $a$

Generate a new Incomparable Public Key:
• Pick a random generator $g$ of the group
• Public key is $(g, g^a)$

Page 37

Security Intuition

Cannot distinguish equivalent keys $(g, g^a), (h, h^a)$ from non-equivalent ones $(g, g^a), (h, h^b)$
• Assuming Decisional Diffie-Hellman is hard

Pages 38-41 (built up on the same slide)

However, this is not enough if the receiver might respond to a message.

(Figure: Bob and Charlie hold the keys $(g, g^a)$ and $(h, h^a)$.)

Pair-wise multiply: $(gh, (gh)^a)$

Alice can decrypt messages encrypted with this new key.

Page 42

Models of Receivers

Passive Receiver Model
• Receiver gathers and decrypts messages, but gives no indication to sender about whether decryption was successful
• Receiver cannot ask for retransmission if expected message is not received
• Might be realistic in a few cases

Active Receiver Model
• Receiver decrypts messages and can interact with the sender

Page 43

Solution to Active Receiver Model

Record keys that were validly created

The ciphertext will contain a “proof” about which key was used for encryption

The private key holder can alternatively distribute each Incomparable Public Key with its MAC
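An added example, not the GnuPG implementation of page 45: the ElGamal-based construction of page 36, the pair-wise multiply of pages 40-41 and the MAC check of page 43, written in Python over a toy-sized 64-bit safe prime generated on the spot. The function names and the HMAC-SHA256 tag format are assumptions; a real deployment uses a full-size strong prime.

```python
import hashlib
import hmac
import random


def is_probable_prime(n, rng, rounds=24):
    """Miller-Rabin after trial division; rng supplies the witnesses."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def safe_prime(bits, rng):
    """p = 2q + 1 with q prime: the quadratic residues mod p form a group of prime order q."""
    while True:
        q = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q, rng) and is_probable_prime(2 * q + 1, rng):
            return 2 * q + 1


PRIME = safe_prime(64, random.Random(2004))  # the global (strong) prime shared by all users


def keygen(rng):
    """Receiver's single ElGamal secret a, plus a MAC key for tagging issued public keys."""
    return {"a": rng.randrange(2, (PRIME - 1) // 2),
            "mac": rng.getrandbits(256).to_bytes(32, "big")}


def tag(sk, pk):
    """MAC over an issued public key, handed out together with it (page 43)."""
    return hmac.new(sk["mac"], f"{pk[0]}:{pk[1]}".encode(), hashlib.sha256).digest()


def new_public_key(sk, rng):
    """Page 36: fresh generator g of the QR group (square of a random element), key (g, g^a)."""
    g = pow(rng.randrange(2, PRIME - 1), 2, PRIME)
    pk = (g, pow(g, sk["a"], PRIME))
    return pk, tag(sk, pk)


def encrypt(pk, m, rng):
    """Standard ElGamal under whichever incomparable key the sender was given (m < PRIME)."""
    g, ga = pk
    k = rng.randrange(1, (PRIME - 1) // 2)
    return pow(g, k, PRIME), m * pow(ga, k, PRIME) % PRIME


def decrypt(sk, ct):
    """The one secret a opens ciphertexts made under any of the receiver's keys."""
    c1, c2 = ct
    return c2 * pow(c1, PRIME - 1 - sk["a"], PRIME) % PRIME


def pairwise_multiply(pk1, pk2):
    """Pages 40-41: (g, g^a) and (h, h^a) combine to (gh, (gh)^a), again a key for a."""
    return pk1[0] * pk2[0] % PRIME, pk1[1] * pk2[1] % PRIME


def accept_key(sk, pk, t):
    """Receiver-side check before reacting to a message: only keys it issued carry a valid MAC."""
    return hmac.compare_digest(tag(sk, pk), t)
```

A receiver that checks accept_key before answering never confirms that a combined key decrypts, which is what the active-receiver attack on page 41 relies on.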

Page 44

Efficiency

Efficiency is comparable to standard ElGamal

One exponentiation for encryption

Two exponentiations for decryption and verification of a message

Page 45

Implementation

Implemented Incomparable Public Keys by extending GnuPG (PGP) 1.2.0

Available at http://www.cs.princeton.edu/~bwaters/research/

Page 46

Related Work

Bellare et al. (2001)
• Introduce notion of Key-Privacy
• If Key-Privacy is maintained an adversary cannot match ciphertexts with the public keys used to create them
• The authors do not consider anonymity from senders

Pfitzmann and Waidner (1986)
• Use of multicast address for receiver anonymity
• Discuss implicit vs. explicit “marks”

Page 47

Related Work (cont.)

Chaum (1981)
• Mix-nets for sender anonymity
• Reply addresses usable only once
• Other work follows this line

Page 48

Page 49

Keyword Search on Asymmetrically Encrypted Data

Work with Dirk Balfanz, Glenn Durfee, and Dianna Smetters

NDSS ’04

Page 50

A Conference Room

(Figure: the meeting is recorded and the record goes to storage (untrusted).)

Example Keywords: Alice Smith, Faculty, ZebraNet, Facilities

Page 51

Desirable Characteristics

Data Access Control
• Entries may be sensitive to individuals or log owner

Searchability
• Search for log on specific criteria
• e.g. keyword search

Tension between two goals

Page 52

Requirements

Data Access Control
• Entries must be encrypted on untrusted storage
• Forward security in case auditing device becomes compromised → asymmetric encryption
• Limit scope of data released to that of the search

Searchability
• Be able to efficiently retrieve entries based on certain criteria
• We focus on keyword search

Page 53

Delegating Search Capabilities

(Figure: the Escrow Agent holds the master secret; the Investigator obtains a capability for search; the audit log holds record, record, record …)

1. The investigator requests a capability to search for all records that match keyword “ZebraNet”.
2. The investigator submits the capability to the audit log and receives only entries that the capability matches.

Page 54

Search on Asymmetrically Encrypted Data

(Figure, built up over pages 54-62.) The Recording Device produces a Record with keywords ZebraNet, Funding, Alice Smith; it is stored as Encrypted Data.

Page 55: Keywords must not be in the clear!

Page 56: The Escrow Agent holds the master secret.

Pages 57-59: The Escrow Agent issues a Search Capability for “PlanetLab”; applied to the Encrypted Data: No information is learned.

Pages 60-62: The Escrow Agent issues a Search Capability for “ZebraNet”; applied to the Encrypted Data it yields the Record with keywords ZebraNet, Funding, Alice Smith. Embed decryption in search.

Page 63

Using IBE to Search on Asymmetrically Encrypted Data

(Figure, built up over pages 63-70.) The Recording Device holds a Record with keywords ZebraNet, Funding, Alice Smith.

Page 64: It picks a key K for the Record.

Pages 65-67: For each keyword it IBE-encrypts FLAG | K under that keyword as the identity:
{FLAG | K} under “ZebraNet”
{FLAG | K} under “Funding”
{FLAG | K} under “Alice Smith”

Pages 68-70:
• FLAG used to test, K to decrypt on match
• Key-privacy property → keywords kept private
• “Pairing” operation per keyword

Page 71

Using IBE to Search on Asymmetrically Encrypted Data

(Figure, built up over pages 71-77.) A Search Capability for ZebraNet is applied to the three parts {FLAG | K} under “ZebraNet”, “Funding” and “Alice Smith”.

• Attempt IBE decryption on each part; test for presence of FLAG
  – two of the parts decrypt to random-looking bits (011010…, 0011100…) with no FLAG
  – the “ZebraNet” part decrypts to FLAG | K
• On match use K to decrypt document
• Pairing per keyword in document

We want to type keywords

Page 78

Performance

Encryption
• One pairing per keyword in document
• One exponentiation per keyword

Search/Decryption
• One pairing per keyword per document

Page 79

Optimizations

Cache pairings of frequently used keywords
• e.g. ê(“ZebraNet”, sP)
• Only need a pairing per new keyword on encryption
• In the limit, exponentiation per keyword is the dominant cost

Page 80

Optimizations (cont.)

Reuse randomness for IBE encryption within one document
• Okay since the same public key cannot be used twice within one document
• In decryption only one pairing per document
• Save storage in log

Page 81

Related Work

Searching on Encrypted Data: Boneh, Crescenzo, Ostrovsky and Persiano (2003); Song, Wagner and Perrig (2000)

Identity Based Encryption: Boneh and Franklin (2001)

Page 82

Contributions

Introduced notion of Fuzzy Identity Based Encryption
• Designed a Fuzzy IBE scheme based on bilinear maps
• Proof of security

Developed novel method for anonymously receiving messages
• Introduced notion of Incomparable Public Keys
• Implementation in GnuPG
• Provably secure in both Random Oracle and standard models

Page 83

Contributions

Designed a scheme for keyword search on asymmetrically encrypted data
• Adapted BF IBE method
• Developed techniques for improving performance

Page 84

Future Work (Fuzzy IBE)

Extends to set overlap metric
• Hash arbitrary strings into identities
• ID = “brown-hair”, “Explorer” …

More biometrics

Access Control

Dating?
• Blond
• Grad Student
• Curly
• Beat Brent in bowling
3 out of 4

Page 85

(Same slide as page 84.)

Page 86

Thanks!

Ed Felten
Amit Sahai
Committee
Fellow Students

Page 87