Cryptographic Algorithms for Privacy in an Age of Ubiquitous Recording

Cryptographic Algorithms for Privacy in an Age

of Ubiquitous Recording

Brent R. WatersAdvisor: Ed Felten

July, 2004

Brent Waters Cryptographic Protocols for Memex 2

Ubiquitous Recording Imagine a world everything is recorded

With increase in storage technology and other factors Ubiquitous Recording is becoming close to a reality

Privacy concerns become very significant

Privacy Problems How do we encrypt information for someone who

does not carry around any special devices?

How can someone receive messages anonymously?

How can we provide the functionality of keyword search while maintaining data confidentiality?

Contributions

Three Cryptographic Protocols

Fuzzy Identity Based Encryption• Encryption using biometrics

Receiver Anonymity via Incomparable Public Keys• CCS ’03

Keyword Search on Asymmetrically Encrypted Data• NDSS ‘04

Fuzzy Identity Based Encryption

Current Research with Amit Sahai

A Medical Appointment

•Record visit, test results, etc.

•Encryption

•No portable device requirement (can’t carry RSA public key)

Use Identity Based Encryption (IBE)My key is“Aaron Smith”

Public Key is an identifier string (e.g.“aaron@princeton.edu”)Use global public parametersMaster secret holder(s) can give out private keys to an individual that authenticates themselvesBoneh and Franklin ‘01

Problems with Standard IBE What should the identities be?

• Names are not unique• Don’t necessarily want to tie to SS#, Driver’s License…

First time users• Don’t have identities yet

Certifying oneself to authority can be troublesome• Need documentation, etc.

Biometric as an Identity

<0110010…00111010010>

Biometric stays with humanShould be unique (depends on quality of biometric)Have identity before registrationCertification is natural

Biometric as an Identity

<0110010…00111010010>

Biometric measure changes a little each time•Environment•Difference in Sensors•Small change in trait

Cannot use a biometric as an identity in current IBE schemes

<0110110…00111010110><0100010…00111010110>

Fuzzy Identity Based EncryptionA secret key for ID can decrypt a ciphertext encrypted with ID’ iff Hamming Distance(ID,ID’) d

M<0110010…00111010010>

<0100110…00111010110>

Private Key for IDEncrypted with ID’

Fuzzy Identity Based EncryptionA secret key for ID can decrypt a ciphertext encrypted with ID’ iff Hamming Distance(ID,ID’) d

<0110010…00111010010>

<0010110…00011110110>

Private Key for IDEncrypted with ID’

Designing a Fuzzy IBE Scheme

n bit identifiersd Hamming distance

Two techniques Shamir secret sharing using polynomials

Bilinear maps

Secret Sharing

Pick random n-1 degree polynomial qSecret is q(x’)Need n points to interpolate to secret, if less learn nothing

Bilinear Maps

abba hggê

hggêê

ofgenerator , ofgenerator order ,

1,0,1,20,21,10,1 ,,,,'

nn xxxxxxx

Distinct values in Zp

1,0,1,20,21,10,1 ,,,, nn tttttt gggggg

Random members of 1

Key GenerationPick random n-(d+1) polynomial q(x) such that q(x’)=y’

ID=< 0 1 1 …0 > Points depend on the identity of private key

0,1 )(txq

1,2 )(txq

1,3 )(txq

EncryptionPick random r and encrypt message M asC=Mhry’

ID’=< 0 1 0 …0 > Raise public points to r that match encryption key

0,1rtg 1,2rtg 0,3rtg 0,nrtg

DecryptionSuppose we have secret key for ID, ciphertext encrypted with ID’, and Hamming Distance(ID,ID’)

dApply bilinear map at n-d points where ID,ID’ agree ID= < 0 1 1 …0 >ID’=< 0 1 0 …

0,1rtg

0,1 )(txq

g1,2rtg

1,2 )(txq

g0,3rtg

1,3 )(txq

g0,nrtg

)( 0,1xrqh )( 1,2xrqh )( 0,nxrqh

DecryptionHave n-d points of polynomial rq(x) (in exponent)Can interpolate to get hrq(x’)= hry’

Ciphertext is C=Mhry’

Divide out to get M

Security Proof for “Selective ID” model

• Attacker cannot attack ciphertext encrypted by any pre-specified ID

Reduce to distinguishing between tuples:(ga,gb,gc,hbc/a)(ga,gb,gc,hz)

Practicality? Expect ~ 50 bits in some biometrics

• E.g. voice sample

Approximately 80ms for bilinear map computationAround 4s for decryption

Related Work

Identity Based Encryption Boneh and Franklin (2001) Canetti, Halevi, and Katz (2003)

Encryption with Biometrics Monrose, Reiter, et al. (2002)

Fuzzy Schemes Davida, et al. (1998) Juels and Wattenberg (1999)

Receiver Anonymity via Incomparable Public Keys

Work with Ed Felten and Amit SahaiCCS ‘03

An Anonymous Encounter

•Communicate later

•Encryption

•Anonymity

Receiver Anonymity

Alice can give Bob information that he can use to send messages to Alice, while keeping her true identity secret from Bob.

Bulletin Boardalt.anonymous.messages

Anonymous ID

“Where are good Hang Gliding spots?”

Send to: alt.anonymous.messages

Receiver Anonymity Anonymous Identity

• Information allowing a sender to send messages to an anonymous receiver

• May contain routing and encryption information

Requirements• Receiver is anonymous even to the sender• Anonymous Identity can be used several times• Communication is secret (encrypted)• Messages are received efficiently

A Common Method

Alice anonymously receives encrypted message from both Bob and Charlie by reading a newsgroup.

Anonymous ID 1

Encrypt with: a45cd79e

Anonymous ID 2

“What Biology conferences are interesting?”

Charlie

Encryption Key is Part of the Identity

Bob and Charlie collude and discover that they are encrypting with the same public key and thus are sending messages to the same person.

Anonymous ID 1

Anonymous ID 2

Charlie

Encryption Key is Part of the Identity

Bob and Charlie then aggregate what they each know about the Anonymous Receiver and are able to compromise her anonymity.

Anonymous ID 1

Anonymous ID 2

Charlie

Hang Gliding + Biology => Alice

Independent Public Key per Sender

Alice creates a separate public/private key pair for each sender. Upon receiving a message on the newsgroup Alice tries all her private keys until one matches or she has tried them all.

a45cd79e

207c5edb

Charlie

Keys to Try

48b33c03

ae668f53

Independent Public Key per Sender

Alice creates a separate public/private key pair for each sender. Upon receiving a message on the newsgroup Alice tries all her private keys until one matches or she has tried them all.

a45cd79e

207c5edb

CharlieKeys to Try

48b33c03 43bca289

ae668f53 86cf1943

56734ba b9034d40

40b2f68c 075ca5ef

2fce8473

207defb1

70f4ba54

04d2a93c

398bac49

e3c8f522

b593f399

46cce276

Incomparable Public Keys

Receiver generates a single secret key Receiver generates several Incomparable

Public Keys (one for each Anonymous Identity) Receiver use the secret key to decrypt any

message encrypted with any of the public keys Holders of Incomparable Public Keys cannot

tell if any two keys are related (correspond to the same private key)

Efficiency of Incomparable Public Keys

Alice creates a one secret key and distributes a different Incomparable Public Key to each sender.

Bulletin Boardalt.anonymous.messagesa45cd79e

207c5edb

CharlieKeys to Try

48b33c03

207defb1

70f4ba54

04d2a93c

398bac49

e3c8f522

b593f399

46cce276

Construction of Incomparable Public Keys Based on ElGamal encryption

• All users share a global (strong) prime p• Operations are performed in group of Quadratic

Residues of Zp

Secret Key Generation: • Choose an ElGamal secret key a

Generate a new Incomparable Public Key:• Pick random generator, g, of the group• Public key is (g,ga)

Security Intuition Cannot distinguish equivalent keys (g,ga), (h,ha)

from non-equivalent ones (g,ga), (h,hb)• Assuming Decisional Diffie-Hellman is hard

However, this is not enough if the receiver might respond to a message

Charlie(h,ha

from non-equivalent ones (g,ga), (h,hb) • Assuming Decisional Diffie-Hellman is hard

Charlie(h,ha

Pair-wise multiply

from non-equivalent ones (g,ga), (h,hb) • Assuming Decisional Diffie-Hellman is hard

Charlie(h,ha

Pair-wise multiply

(gh,(gh)a)

Alice can decrypt messages encrypted with this new key.

Models of Receivers Passive Receiver Model

• Receiver gathers and decrypts messages, but gives no indication to sender about if decryption was successful

• Receiver cannot ask for retransmission if expected message is not received

• Might be realistic in a few cases

Active Receiver Model• Receiver decrypts messages and can interact with the

sender

Solution to Active Receiver Model Record keys that were validly created

The ciphertext will contain a “proof” about which key was used for encryption

The private key holder can alternatively distribute each Incomparable Public Keys with its MAC

Efficiency Efficiency is comparable to standard ElGamal

One exponentiation for encryption

Two exponentiations for decryption and verification of a message

Implementation Implemented Incomparable Public Keys by

extending GnuPG (PGP) 1.2.0

Available at http://www.cs.princeton.edu/~bwaters/research/

Related Work Bellare et al. (2001)

• Introduce notion of Key-Privacy• If Key-Privacy is maintained an adversary cannot match

ciphertexts with the public keys used to create them• The authors do not consider anonymity from senders

Pfitzmann and Waidner (1986)• Use of multicast address for receiver anonymity• Discuss implicit vs. explicit “marks”

Related Work (cont.) Chaum (1981)

• Mix-nets for sender anonymity• Reply addresses usable only once• Other work follows this line

Keyword Search on Asymmetrically Encrypted Data

Work with Dirk Balfanz, Glenn Durfee, and Dianna Smetters

NDSS ‘04

A Conference Room

Example KeywordsAlice SmithFacultyZebraNetFacilities

record storage (untrusted)

Desirable Characteristics Data Access Control

• Entries may be sensitive to individuals or log owner

Searchability• Search for log on specific criteria• e.g keyword search

Tension between two goals

Requirements Data Access Control

• Entries must be encrypted on untrusted storage• Forward security in case auditing device becomes

compromised asymmetric encryption• Limit scope of data released to that of the search

Searchability• Be able to efficiently retrieve entries based on certain

criteria• We focus on keyword search

record

Delegating Search Capabilities

Investigator Escrow Agent

mastersecret

“ZebraNet”

capabilityfor search

Investigator records

capabilityfor search

record record …

The investigator submits the capability to the audit log and receives only entries that the capability matches.

The investigator requests a capability to search for all records that match keyword “ZebraNet”.

Search on Asymmetrically Encrypted Data

Recording Device Keywords

ZebraNet

Funding

Alice Smith

Record

Encrypted Data

Keywords must not be in the clear!

ZebraNet

Funding

Alice Smith

Record

Escrow Agent

mastersecret

Encrypted Data

ZebraNet

Funding

Alice Smith

Record

PlanetLab

Search Capability

mastersecret

Encrypted Data

Escrow Agent

ZebraNet

Funding

Alice Smith

Record

PlanetLab

Search Capability

mastersecret

Encrypted Data

Escrow Agent

ZebraNet

Funding

Alice Smith

Record

PlanetLab

Search Capability

mastersecret

Encrypted Data

No information is learned

Escrow Agent

ZebraNet

Funding

Alice Smith

Record

mastersecret

Encrypted Data

Escrow Agent

ZebraNet

Funding

Alice Smith

Record

ZebraNet

Search Capability

mastersecret

Encrypted Data

Escrow Agent

ZebraNet

Funding

Alice Smith

Record

ZebraNet

Search Capability

mastersecret

Encrypted Data

Embed decryption in search

Escrow Agent

ZebraNet

Funding

Alice Smith

Record

Keywords

ZebraNet

Funding

Alice Smith

Record

Using IBE to Search on Asymmetrically Encrypted Data

Keywords

ZebraNet

Funding

Alice Smith

Record Recording Device

Keywords

ZebraNet

Funding

Alice Smith

Keywords

ZebraNet

Funding

Alice Smith

FLAG | K“ZebraNet”

Keywords

ZebraNet

Funding

Alice Smith

FLAG | K“Funding”

FLAG | K“Alice Smith”

Keywords

ZebraNet

Funding

Alice Smith

•FLAG used to test

K to decrypt on match

Keywords

ZebraNet

Funding

Alice Smith

•Key-privacy propertykeywords kept private

Keywords

ZebraNet

Funding

Alice Smith

•Key-privacy propertykeywords kept private

•“Pairing” operation per keyword

Keywords

ZebraNet

Funding

Alice Smith

ZebraNet

Search Capability

ZebraNet

Search Capability

•Attempt IBE decryption on each part

Test for presence of FLAG

ZebraNet

Search Capability

011010…

ZebraNet

Search Capability

0011100…

ZebraNet

Search Capability

FLAG | K

ZebraNet

Search Capability

•On match use K to decrypt document

FLAG | K

ZebraNet

Search Capability

•On match use K to decrypt document

•Pairing per keyword in document

FLAG | K

We want to type keywords

Performance Encryption

• One pairing per keyword in document• One exponentiation per keyword

Search/Decryption• One pairing per keyword per document

Optimizations Cache pairings of frequently used keywords

• eg. ê(“ZebraNet”,sP)• Only need a pairing per new keyword on encryption• In limit exponentiation per keyword is dominant cost

Optimizations Cache pairings of frequently used keywords

• eg. ê(“ZebraNet”,sP)• Only need a pairing per new keyword on encryption• In limit exponentiation per keyword is dominant cost

Reuse randomness for IBE encryption within one document• Okay since cannot use same public key per document• In decryption only one pairing per document• Save storage in log

Related Work

Searching on Encrypted Data Boneh, Crescenzo, Ostrovsky and Persiano (2003) Song, Wagner and Perrig (2000)

Identity Based Encryption Boneh and Franklin (2001)

Contributions Introduced notion of Fuzzy Identity Based

Encryption• Designed a Fuzzy IBE scheme based on bilinear maps• Proof of security

Developed novel method for anonymously receiving messages• Introduced notion of Incomparable Public Keys• Implementation in GnuPG• Provably secure in both Random Oracle and standard

models

Contributions Designed a scheme for keyword search on

asymmetrically encrypted data• Adapted BF IBE method• Developed techniques for improving performance

Future Work (Fuzzy IBE) Extends to set overlap metric

• Hash arbitrary strings into identities• ID=“brown-hair”,”Explorer”…

More biometrics Access Control

Dating? •Blond•Grad Student•Curly•Beat Brent in bowling

3 out of 4

Future Work (Fuzzy IBE) Extends to set overlap metric

• Hash arbitrary strings into identities• ID=“brown-hair”,”Explorer”…

More biometrics Access Control

Dating? •Blond•Grad Student•Curly•Beat Brent in bowling

3 out of 4

Thanks! Ed Felten

Amit Sahai

Committee

Fellow Students

Cryptographic Algorithms for Privacy in an Age of Ubiquitous Recording

Documents

Transcript of Cryptographic Algorithms for Privacy in an Age of Ubiquitous Recording

Ubiquitous learning. What is ubiquitous learning? Computing and communication technologies Characteristics of ubiquitous learning Context and ubiquitous.

Content Provisioning for Ubiquitous Learningyu/Ubiquitous Learning.pdf · Content Provisioning for Ubiquitous Learning ... ubiquitous computing becoming ... ontologies are organized

Cryptographic Techniques

Samsung Kernel Cryptographic Module - CSRC · The Samsung Kernel Cryptographic Module is a software only security level 1 cryptographic module that provides general-purpose cryptographic

Cryptographic AES

Origami voting: a non-cryptographic approach to transparent … · 2020. 9. 23. · Hanifatunnisa, R., Rahardjo, B.: Blockchain based e-voting recording system design. In: 2017 11th

Ubiquitous Computing, Ubiquitous Services

การเข้ารหัสลับ Cryptographic

Cryptographic Protocols

Cryptographic Hashes

A Survey of Cryptographic and Stegano-Cryptographic Models ...

Mission Tabperformance, music recording, music publishing, educational outreach, or media broadcasting, the elements of the music industry are ubiquitous in their presence. The field

cryptographic security

Cryptographic Extraction

Cryptographic Sboxes - Šibenik, Croatiasummerschool-croatia.cs.ru.nl/2014/slides/Cryptographic S-Boxes.pdf · Cryptographic Sboxes Anne Canteaut Anne.Canteaut@inria.fr Summer School,

Cryptographic Applications

NIST Cryptographic Algorithm Validation Program …...NIST Cryptographic Algorithm Validation Program (CAVP) Certifications for Freescale Cryptographic Accelerators, Rev. 1.9 2 Freescale

Ubiquitous learning, ubiquitous computing, & lived experience

Hardware/Software Co-verification of Cryptographic ... of Cryptographic Algorithms using Cryptol ... Property specification and verification ... cryptographic hash algorithm, ...Published

Cryptographic Future