
Page 1

Privacy-Preserving & User-Auditable Pseudonym Systems

Jan Camenisch, Anja Lehmann

IBM Research – Zurich

Page 2

Motivation: How to maintain related yet distributed data?

▪ examples: social security system, eHealth

– different entities maintain data of citizens

– eventually data needs to be exchanged or correlated

(Figure: Doctor A and the Hospital each keep an ID/Data table keyed by the same global identifiers – Doctor A: Alice.1210, Bob.0411, Carol.2503; Hospital: Bob.0411, Carol.2503, Dave.1906 – with Health Insurance, Doctor B and a Laboratory as further data holders.)

▪ simple solution: data gets associated with globally unique identifiers (e.g., US, Belgium, Sweden, ...)

▪ unique identifiers are a security & privacy risk

– no control over data exchange & usage

– if associated data is lost, all pieces can be linked together

– user is fully traceable

(Figure: the Hospital's request to Doctor A reads "Record of Bob.0411?")

Page 3

Local Pseudonyms & Trusted Converter

▪ user data is associated with random-looking local identifiers – the pseudonyms

▪ only a central entity – the converter – can link & convert pseudonyms

+ control over data exchange

+ if records are lost, pieces cannot be linked together

(Figure: Doctor A stores Hba02, P89dy, 912uj; the Hospital stores ML3m5, sD7Ab, y2B4m. Doctor A asks the Converter "Record of P89dy from Hospital?", which reaches the Hospital as "Record of ML3m5?". The Converter keeps the mapping table:)

Main ID      Doctor A   Hospital
Alice.1210   Hba02      7twnG
Bob.0411     P89dy      ML3m5
Carol.2503   912uj      sD7Ab

Page 4

Local Pseudonyms & Trusted Converter

▪ user data is associated with random-looking local identifiers – the pseudonyms

▪ only a central entity – the converter – can link & convert pseudonyms

+ control over data exchange

+ if records are lost, pieces cannot be linked together

+ converter can provide audit logs to users (GDPR requirement)

– converter learns all requests & knows all correlations

(Figure: same Doctor A / Hospital / Converter setup and mapping table as on page 3, plus a "User Portal for Bob.0411" in which the Converter shows Bob the log for his unique ID, e.g. "Doctor A → Hospital, 02/26/2017 …".)

Page 5

Privacy-Preserving Pseudonym System (CCS'15)

▪ user data is associated with random-looking local identifiers – the pseudonyms

▪ only a central entity – the converter – can link & convert pseudonyms

+ control over data exchange

+ if records are lost, pieces cannot be linked together

+ converter can provide audit logs to users (GDPR requirement)

– converter learns all requests & knows all correlations

(Figure: same Doctor A / Hospital / Converter setup, mapping table and "User Portal for Bob.0411" as on page 4.)

Page 6

This work: Privacy-Preserving & User-Auditable Pseudonym System

▪ user data is associated with random-looking local identifiers – the pseudonyms

▪ only a central entity – the converter – can link & convert pseudonyms

+ control over data exchange

+ if records are lost, pieces cannot be linked together

+ converter can provide audit logs to users (GDPR requirement)

– converter learns all requests & knows all correlations

(Figure: same Doctor A / Hospital / Converter setup, mapping table and "User Portal for Bob.0411" as on page 4.)

Page 7

(Un)linkable Pseudonyms | Pseudonym Generation

▪ user, converter & server jointly derive pseudonyms from unique identifiers

▪ previous work [CL15]: generation required the converter to know user IDs

▪ this work: oblivious pseudonym generation triggered by the user

(Figure: Bob.0411 (Unique ID) obtains P89dy at Doctor A and ML3m5 at the Hospital via the Converter; Doctor A's table holds Hba02, P89dy, 912uj and the Hospital's ML3m5, sD7Ab, y2B4m.)

Page 8

(Un)linkable Pseudonyms | Pseudonym Conversion

▪ only the converter can link & convert pseudonyms, but does so in a blind way

(Figure: Doctor A wants the "Record of P89dy at Hospital". It sends a blind conversion request to the Converter, which performs the blind conversion; the Hospital unblinds the conversion response and sees "Record of ML3m5?". Doctor A's table: Hba02, P89dy, 912uj; Hospital's table: ML3m5, sD7Ab, y2B4m.)

Page 9

(Un)linkable Pseudonyms | Pseudonym Conversion & Audit Logs

▪ only the converter can link & convert pseudonyms, but does so in a blind way

▪ every conversion triggers blind generation of an audit log entry

▪ audit log entries are only accessible by the affected user

(Figure: as on page 8, plus an Audit Bulletin Board; Bob.0411 (Unique ID) reads the entry "Doctor A → Hospital, 02/26/2017" there.)

Page 10

(Un)linkable Pseudonyms | Consistency

▪ pseudonym conversions & generations are fully consistent

▪ conversions are transitive, unlinkable data can be aggregated

(Figure: a third server, Insurance, holds 6Wz6P, fX4o7, RtE14. Invoices ($) for P89dy (Doctor A) and ML3m5 (Hospital) are converted and aggregated at the Insurance as invoices for RtE14.)

Page 11

Our Protocol

▪ high-level idea of convertible pseudonyms

▪ adding (efficient) auditability

▪ security against active adversaries

Page 12

High-level Idea | Pseudonym Generation

Parties: user U_i with unique identifier uid_i; Converter X holding the PRF key k and one secret exponent per server (x_A, x_B, x_C, ...); Server A holding the key pair (pk_A, sk_A).

[1] X and U_i jointly compute z_i ← OPRF(k, uid_i)
[2] U_i encrypts z_i for S_A: C_nym ← Enc(pk_A, z_i), and sends C_nym to X
[3] X blindly computes nym_{i,A}: C'_nym ← C_nym^{x_A}, and sends C'_nym to S_A
[4] S_A decrypts the pseudonym: nym_{i,A} ← Dec(sk_A, C'_nym)

Core idea – Generation: X blindly computes nym_{i,A} ← PRF(k, uid_i)^{x_A}

Page 13

High-level Idea | Pseudonym Conversion

Parties: Converter X (k and x_A, x_B, x_C, ...); Server A (pk_A, sk_A) holding nym_{i,A}; Server B (pk_B, sk_B).

[1] S_A encrypts nym_{i,A} under S_B's key: C ← Enc(pk_B, nym_{i,A}), and sends (C, S_B, qid) to X
[2] X blindly transforms the encrypted pseudonym: C' ← C^Δ with Δ = x_B / x_A, and forwards (C', S_A, qid) to S_B

    C' = Enc(pk_B, nym_{i,A})^{x_B / x_A}
       = Enc(pk_B, PRF(k, uid_i)^{x_A})^{x_B / x_A}
       = Enc(pk_B, PRF(k, uid_i)^{x_B})
       = Enc(pk_B, nym_{i,B})

[3] S_B decrypts the converted pseudonym: nym_{i,B} ← Dec(sk_B, C')

Core idea – Generation: X blindly computes nym_{i,A} ← PRF(k, uid_i)^{x_A}
Conversion: X blindly computes nym_{i,B} ← nym_{i,A}^{x_B / x_A}
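The generation and conversion algebra of pages 12 and 13, as an added Python example (not the authors' code and not the CCS'15 implementation): an oblivious generation followed by a blind conversion, with checks that converting Doctor A's pseudonym yields exactly the pseudonym the Hospital would have generated itself, that conversions compose (Doctor A → Hospital → Insurance equals Doctor A → Insurance), and that the converter only ever handled blinded values. Assumptions not on the slides: the group is Z_p^* for the Mersenne prime 2^127-1 (toy size, chosen to avoid a parameter search; a deployment uses a prime-order group), the OPRF is a plain blind exponentiation H(uid)^k standing in for the Dodis-Yampolskiy-based OPRF with committed outputs, no zero-knowledge proofs or signatures are modelled, and all names (Converter, Server, generate_nym, convert_nym, demo) are this example's own.

```python
"""Toy model of the pseudonym algebra on pages 12-13 (added example, not the
authors' code).  Generation: nym_{i,A} = PRF(k, uid_i)^{x_A}.  Conversion:
nym_{i,B} = nym_{i,A}^{x_B/x_A}, computed by the converter on an ElGamal
ciphertext so that it never sees a pseudonym in the clear.
Assumptions (not from the paper): group Z_p^* for the Mersenne prime
p = 2^127-1 (toy size; use a prime-order group in practice); the OPRF is a blind
exponentiation H(uid)^k instead of the Dodis-Yampolskiy-based OPRF; no ZK
proofs or signatures, i.e. all parties are assumed honest-but-curious."""
import hashlib
import secrets
from math import gcd

P = (1 << 127) - 1        # prime modulus; exponents live in Z_{p-1}
N = P - 1
G = 3                     # ElGamal base (toy parameter)

def rand_unit():
    """Random exponent invertible mod p-1 (so x_A^{-1} and r^{-1} exist)."""
    while True:
        e = secrets.randbelow(N - 2) + 2
        if gcd(e, N) == 1:
            return e

def hash_to_group(data):
    h = int.from_bytes(hashlib.sha256(data).digest(), "big") % P
    return h if h > 1 else 2        # avoid the trivial elements 0 and 1

# Multiplicative ElGamal: Enc(pk, m) = (g^r, m*pk^r).  Raising both components
# to e turns Enc(m) into Enc(m^e), which is all the converter needs.
def keygen():
    sk = rand_unit()
    return sk, pow(G, sk, P)

def enc(pk, m):
    r = rand_unit()
    return (pow(G, r, P), m * pow(pk, r, P) % P)

def dec(sk, c):
    return c[1] * pow(c[0], N - sk, P) % P   # c1^(-sk), since c1^(p-1) = 1

def cexp(c, e):
    return (pow(c[0], e, P), pow(c[1], e, P))

class Converter:
    """X: PRF key k plus one secret exponent per server; sees only blinded data."""
    def __init__(self, servers):
        self.k = rand_unit()
        self.x = {s: rand_unit() for s in servers}
        self.seen = []                 # everything X receives, for the blindness check

    def oprf(self, blinded):           # [1] input H(uid)^r, output H(uid)^(r*k)
        self.seen.append(blinded)
        return pow(blinded, self.k, P)

    def blind_generate(self, c_nym, srv):        # [3] Enc(z)^x_srv
        self.seen.append(c_nym)
        return cexp(c_nym, self.x[srv])

    def blind_convert(self, c, src, dst):        # [2] Enc(nym_src)^(x_dst / x_src)
        self.seen.append(c)
        delta = self.x[dst] * pow(self.x[src], -1, N) % N
        return cexp(c, delta)

class Server:
    def __init__(self, name):
        self.name, (self.sk, self.pk) = name, keygen()

def generate_nym(uid, X, srv):
    """Oblivious generation triggered by the user: X learns neither uid nor nym."""
    r = rand_unit()                                                   # user's blinding
    z = pow(X.oprf(pow(hash_to_group(uid), r, P)), pow(r, -1, N), P)  # = H(uid)^k
    c_nym = enc(srv.pk, z)                                            # [2]
    return dec(srv.sk, X.blind_generate(c_nym, srv.name))            # [4] = H(uid)^(k*x_A)

def convert_nym(nym, X, src, dst):
    """Server src asks X to translate its pseudonym into dst's namespace."""
    c = enc(dst.pk, nym)                                        # [1] under S_B's key
    return dec(dst.sk, X.blind_convert(c, src.name, dst.name))  # [3]

def demo():
    X = Converter(["DoctorA", "Hospital", "Insurance"])
    A, H, I = (Server(n) for n in ("DoctorA", "Hospital", "Insurance"))
    bob_a, bob_h, bob_i = (generate_nym(b"Bob.0411", X, s) for s in (A, H, I))
    carol_a = generate_nym(b"Carol.2503", X, A)
    return {
        "consistent": convert_nym(bob_a, X, A, H) == bob_h,    # generation == conversion
        "transitive": convert_nym(convert_nym(bob_a, X, A, H), X, H, I) == bob_i,
        "unlinkable": len({bob_a, bob_h, bob_i, carol_a}) == 4,
        "converter_blind": not any(v in (bob_a, bob_h, bob_i) for v in X.seen),
    }

if __name__ == "__main__":
    print(demo())
```

Running `demo()` returns four True flags. The point worth noticing is in `blind_convert`: the converter needs only Δ = x_B · x_A^{-1}, which it can compute from its own exponents, and applies it to a ciphertext under Server B's key, so neither the plaintext pseudonym nor anything tied to uid_i is ever visible to it; this is why the `seen` list never contains a pseudonym.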

Page 14

High-level Idea

(Figure – Generation: a NymRequest / NymResponse exchange between Converter X and Server A leaves nym_{i,A} at Server A. Conversion: Server A sends ConvRequest to X; X sends ConvResponse to Server B, which obtains nym_{i,B}.)

Page 15

High-level Idea | Adding Auditability

User: key pair (usk, upk), where upk is a randomizable encryption key: upk' ← RAND(upk)

Generation: NymRequest, upk' → Server A stores (nym_{i,A}, upk'); NymResponse, upk'

Conversion: Server A sends ConvRequest, upk'' to X; X posts the audit entry C* ← Enc(upk'', info) on the Audit Bulletin Board and sends ConvResponse, upk''' to Server B, which stores (nym_{i,B}, upk''')

Audit: the user has to decrypt all audit ciphertexts C* on the board: info ← Dec(usk, C*) ?

Page 16

High-level Idea | Adding Efficient Auditability (via Audit Tags)

User: (usk, upk, {T_A}) – picks a random audit tag T_A and encrypts it for Server A: CT ← Enc(pk_A, T_A)

Generation: NymRequest, upk', CT → Server A recovers T_A ← Dec(sk_A, CT) and stores (nym_{i,A}, upk', T_A); NymResponse, upk', CT

Conversion: ConvRequest, upk'', T_A → X posts (T_A, C*) with C* ← Enc(upk'', info) on the Audit Bulletin Board; ConvResponse, upk''' → Server B stores (nym_{i,B}, upk''')

Audit: the user looks up the entry for T_A and decrypts only that ciphertext: info ← Dec(usk, C*)

Page 17

High-level Idea | Adding Efficient Auditability (via Audit Tags)

Tag chain: with every conversion Server A replaces the record's tag. It picks a fresh random T'_A and attaches C*_{T_A} ← Enc(upk'', T'_A) to the request (ConvRequest, upk'', T_A, C*_{T_A}); X posts (T_A, C*_{T_A}) next to (T_A, C*), with C* ← Enc(upk'', info) as before.

User: (usk, upk, {T_A, T'_A, ...}) – decrypts the ciphertext for T_A (info ← Dec(usk, C*)) and gets the new audit tag for the record: T'_A ← Dec(usk, C*_{T_A})

Generation (unchanged): NymRequest, upk', CT with CT ← Enc(pk_A, T_A); Server A: T_A ← Dec(sk_A, CT), stores (nym_{i,A}, upk', T_A). ConvResponse, upk''' → Server B stores (nym_{i,B}, upk''').

Page 18

High-level Idea | Adding Efficient Auditability (via Audit Tags)

Tag chain, continued: the converted record at Server B also gets a tag. A fresh random T_B is encrypted for the user as C*_{T_B} ← Enc(upk''', T_B) and posted under T_A as (T_A, C*_{T_B}); Server B stores (nym_{i,B}, upk''', T_B).

User: (usk, upk, {T_A, T'_A, T_B, ...}) – from the entries under T_A obtains info ← Dec(usk, C*) and the new audit tags T'_A ← Dec(usk, C*_{T_A}) and T_B ← Dec(usk, C*_{T_B})

Messages: NymRequest / NymResponse, upk', CT (CT ← Enc(pk_A, T_A), T_A ← Dec(sk_A, CT)); ConvRequest, upk'', T_A, C*_{T_A} with C*_{T_A} ← Enc(upk'', T'_A); ConvResponse, upk'''; board entries (T_A, C*), (T_A, C*_{T_A}), (T_A, C*_{T_B}).
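The audit mechanism of pages 15 to 18, as an added Python example (not the authors' code): an ElGamal variant whose public key upk = (g, g^usk) can be re-randomized to RAND(upk) = (g^s, g^(s·usk)) by anyone, so that the keys stored by Server A, sent in the ConvRequest and handed to Server B are unlinkable yet all decrypt under the same usk; and a public bulletin board on which every entry is filed under a one-time tag, so the user decrypts only the entries under his tags and learns the follow-up tags T'_A and T_B from them. Assumptions not on the slides: the group is Z_p^* for the Mersenne prime 2^127-1 (toy size), messages are encrypted hybrid (ElGamal encapsulates a random element K, SHA-256(K) pads the message), the converter is the party posting all three ciphertexts of a conversion under T_A, and all names (Board, User, conversion, demo) and the sample entries are this example's own.

```python
"""Toy model of the user-auditable log on pages 15-18 (added example, not the
authors' code).  (1) ElGamal with a re-randomizable public key: upk = (g, g^usk),
RAND(upk) = (g^s, g^(s*usk)) still decrypts under usk but is unlinkable to upk.
(2) Audit tags: every board entry is filed under a one-time tag, so the user
looks up his tags instead of trial-decrypting the whole board; the entries of a
conversion also deliver the next tags T'_A (Server A) and T_B (Server B).
Assumptions not from the slides: Z_p^* for p = 2^127-1 (toy size), hybrid
encryption (ElGamal encapsulates K, SHA-256(K) pads the message), and X posting
all three ciphertexts of a conversion under T_A."""
import hashlib
import secrets

P = (1 << 127) - 1
N = P - 1

def rexp():
    return secrets.randbelow(N - 2) + 2       # random exponent in [2, p-2]

def user_keygen():
    usk = rexp()
    return usk, (3, pow(3, usk, P))           # upk = (g, g^usk)

def rand_key(upk):
    """RAND(upk): fresh-looking key, same secret usk."""
    s = rexp()
    return (pow(upk[0], s, P), pow(upk[1], s, P))

def encrypt(upk, msg):
    """ElGamal KEM of a random element K, then msg XOR SHA-256(K)."""
    assert len(msg) <= 32                     # one SHA-256 block of keystream
    k_elem, r = rexp(), rexp()
    c1, c2 = pow(upk[0], r, P), k_elem * pow(upk[1], r, P) % P
    pad = hashlib.sha256(k_elem.to_bytes(16, "big")).digest()
    return (c1, c2, bytes(a ^ b for a, b in zip(msg, pad)))

def decrypt(usk, ct):
    c1, c2, body = ct
    k_elem = c2 * pow(c1, N - usk, P) % P     # c1^(-usk); works for any RAND(upk)
    pad = hashlib.sha256(k_elem.to_bytes(16, "big")).digest()
    return bytes(a ^ b for a, b in zip(body, pad))

class Board:
    """Public Audit Bulletin Board: (tag, ciphertext) pairs anyone can read."""
    def __init__(self):
        self.entries = []
    def post(self, tag, ct):
        self.entries.append((tag, ct))
    def lookup(self, tag):
        return [ct for t, ct in self.entries if t == tag]

class User:
    def __init__(self):
        self.usk, self.upk = user_keygen()
        self.tags = set()                     # {T_A, T'_A, T_B, ...}
    def new_tag(self):
        t = secrets.token_bytes(16)
        self.tags.add(t)
        return t
    def audit(self, board):
        """Decrypt only entries filed under my tags; chain entries add new tags."""
        infos, todo, done = [], list(self.tags), set()
        while todo:
            tag = todo.pop()
            if tag in done:
                continue
            done.add(tag)
            for ct in board.lookup(tag):
                pt = decrypt(self.usk, ct)
                if pt.startswith(b"tag:"):    # C*_{T}: the next tag for a record
                    self.tags.add(pt[4:])
                    todo.append(pt[4:])
                else:
                    infos.append(pt)
        return infos

def conversion(board, rec_a, info):
    """One conversion of Server A's record rec_a = {'upk': upk', 'tag': T_A}."""
    tag_a, upk2 = rec_a["tag"], rand_key(rec_a["upk"])     # ConvRequest: upk'', T_A
    new_tag_a = secrets.token_bytes(16)                    # Server A picks T'_A
    board.post(tag_a, encrypt(upk2, b"tag:" + new_tag_a))  # C*_{T_A}
    rec_a["tag"] = new_tag_a
    board.post(tag_a, encrypt(upk2, info))                 # C* = Enc(upk'', info), by X
    upk3 = rand_key(upk2)                                  # ConvResponse: upk'''
    tag_b = secrets.token_bytes(16)                        # T_B for Server B's record
    board.post(tag_a, encrypt(upk3, b"tag:" + tag_b))      # C*_{T_B}
    return {"upk": upk3, "tag": tag_b}                     # Server B's record

def demo():
    board, bob, eve = Board(), User(), User()
    # Generation at Doctor A: NymRequest carries upk' = RAND(upk) and a user-chosen T_A
    rec_bob = {"upk": rand_key(bob.upk), "tag": bob.new_tag()}
    rec_eve = {"upk": rand_key(eve.upk), "tag": eve.new_tag()}
    conversion(board, rec_bob, b"DoctorA->Hospital 2017-02-26")
    conversion(board, rec_eve, b"DoctorA->Hospital 2017-03-01")
    conversion(board, rec_bob, b"DoctorA->Hospital 2017-04-09")   # filed under T'_A
    return bob.audit(board), eve.audit(board), board
```

`demo()` returns Bob's two entries, Eve's single entry and the board with nine ciphertexts; Bob reaches his second conversion only because the first one delivered T'_A to him. Note what the board observer sees: tags that are used once and ciphertexts under keys that change with every message, so neither the tag nor the key links two entries to the same record; what the construction does not hide is the number of entries posted per tag, which is why the slides file all ciphertexts of one conversion together.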

Page 19

High-level Idea | Security against Active Adversaries

Same flow as on page 18, with the ConvRequest now also carrying a proof: ConvRequest, upk'', T_A, C*_{T_A}, π_A. Building block: a signature scheme for homomorphic encodings.

Page 20

(Un)linkable & Auditable Pseudonyms | Security & Efficiency

▪ provably secure construction in the Universal Composability (UC) framework, based on

– homomorphic encryption scheme (ElGamal encryption)

– homomorphic encryption scheme with re-randomizable public keys (ElGamal-based)

– oblivious pseudorandom function with committed outputs (based on the Dodis-Yampolskiy PRF)

– signature scheme for homomorphic encoding functions (based on the Groth signature scheme)

– zero-knowledge proofs (Fiat-Shamir NIZKs)

– commitment scheme (ElGamal-based)

▪ secure against actively corrupt users & servers, and an honest-but-curious converter

▪ concrete instantiation: ~50 ms computational time per party for a conversion

Page 21

(Un)linkable & Auditable Pseudonyms | Summary

▪ pseudonym scheme for (un)linkable data storage with controlled & auditable data exchange

▪ pseudonyms can only be linked via a central, but oblivious converter

▪ oblivious converter blindly generates user-centric audit logs

▪ conversions & audit logs are done in a blind way → the converter need not be a trusted entity

→ paradigm shift: unlinkability by default, linkability only when necessary

Thanks! Questions?

Page 22

(Un)linkable & Auditable Pseudonyms | Efficiency

Page 23

(Un)linkable Pseudonyms | Corruption Model

▪ servers and users can be fully corrupt

▪ converter at most honest-but-curious

(Figure: Doctor A (Hba02, P89dy, 912uj), Hospital (ML3m5, sD7Ab, y2B4m), Converter and Audit Bulletin Board, with Bob.0411 (Unique ID) holding P89dy at Doctor A and ML3m5 at the Hospital; a question mark marks the parties whose corruption is considered.)

Page 24

(Un)linkable Pseudonyms | Consistency

▪ pseudonym generation is deterministic & consistent with blind conversion

(Figure: as on page 7 – Bob.0411 (Unique ID) is P89dy at Doctor A and ML3m5 at the Hospital, whether the pseudonym is generated directly or obtained by conversion.)

Page 25

(Un)linkable Pseudonyms | Consistency

▪ pseudonym conversions are transitive, unlinkable data can be aggregated

(Figure: as on page 10 – invoices ($) for P89dy (Doctor A) and ML3m5 (Hospital) are aggregated at the Insurance, which holds 6Wz6P, fX4o7, RtE14, as invoices for RtE14.)