Privacy-Preserving Outsourced Profiling


Description

Personalized services attract high-value customers. Knowing the preferences and habits of an individual customer, it is possible to offer that customer well customized and adapted services, matching his needs and desires. This is advantageous for the entity offering the service (e.g., a retailer) as well, as it helps in creating additional sales or improving customer retention. The main unsolved problem today is that the profile of each individual customer would be necessary in order to create such services, posing severe risks regarding privacy and data protection. This paper proposes efficient encryption schemes that allow profiling to be outsourced while preserving privacy. The schemes ensure that the customer is always in control of his profile data, while at the same time making shopping data across multiple retailers available to third party service providers so that they can provide targeted services.

Transcript of Privacy-Preserving Outsourced Profiling

Page 1: Privacy-Preserving Outsourced Profiling

SYSTEMATIC THOUGHT LEADERSHIP FOR INNOVATIVE BUSINESS

Privacy-Preserving Outsourced Profiling

Debmalya Biswas, Florian Kerschbaum

SAP Research, Karlsruhe, Germany

Stephan Haller

SAP Research, Zurich, Switzerland

Page 2: Privacy-Preserving Outsourced Profiling

© SAP 2007 / Page 2

Motivation

Personalized services attract high-value customers.

Knowing the preferences and habits of customers, it is possible to offer well customized and adapted services.

This is advantageous for the entity offering the service (e.g., a retailer) as well, as it helps in creating additional sales or improving customer retention.

Page 3: Privacy-Preserving Outsourced Profiling


Challenges

The accuracy of profiling depends on the amount of data available.

In an ideal scenario, the profile of each individual customer would be available to create such personalized services.

However, the lack of trust prevalent in today's world prevents customers from sharing their shopping history with profilers, due to:

fear of privacy loss,

possibility of spamming,

data theft, etc.

Even retailers are unwilling to share their respective customer profiles with other retailers, due to competitive reasons.

Page 4: Privacy-Preserving Outsourced Profiling


Contributions

Efficient encryption schemes enabling profiling in a privacy preserving fashion

Customer always remains in control of his shopping data exposed to the profilers.

Possible to profile on data from multiple retailers.

Customer shopping data is recorded directly by the respective retailers.

No additional overhead on the customers to enter their shopping data in the system.

Data can be stored at a 3rd party storage provider facility, i.e. outsourced.

Allows independent audits.

Prevents retailers from having to invest in their own infrastructure.

Page 5: Privacy-Preserving Outsourced Profiling


Problem Scenario

Retailers store customer shopping data at 3rd party storage facility.

Customers can verify their stored data, and also authorize keywords w.r.t. which Profilers can search their data.

The storage provider is not able to access any of the stored data.

[Diagram: actors Customer (C), Retailer (R), Storage Provider (S), Profiler (P); labelled flows: Purchase Goods, Store Shopping Data, Verify Shopping Data Integrity, Profiling, Send Targeted Services]

Page 6: Privacy-Preserving Outsourced Profiling


Encryption Scheme 1: PERK

Combines two encryption schemes:

Proxy re-encryption: allows a ciphertext for A to be re-encrypted into a ciphertext for B (which can be decrypted using B's private key).

Search over encrypted data: Public-key Encryption with Keyword Search (PEKS)

Page 7: Privacy-Preserving Outsourced Profiling


Encryption Scheme 1: PERK

PERK consists of the following polynomial time randomized algorithms:

KGEN(1^k) outputs a public-private key pair: (Apub, Apriv).

ENC(Apub,m) outputs cA1, the message m encrypted under public key Apub.

PRK(Apriv, Bpub) outputs a re-encryption key rkA→B that allows ciphertexts generated using A's public key to be decrypted by B's private key.

RENC(rkA→B, cA1) outputs the ciphertext cB2 generated by re-encrypting cA1 under rkA→B.

DEC(Bpriv, cB2) decrypts cB2 using Bpriv, returning the message m.

SENC(Apub,W,m) outputs a searchable encryption sW of message m under keyword W and Apub.

DOOR(Apriv,W) outputs a trapdoor tW that allows to search by keyword W.

TEST(Apub, sW, tW′) outputs the message m if W = W′.

Page 8: Privacy-Preserving Outsourced Profiling


Application of PERK to perform Privacy Preserving Profiling

Initial setup:

Retailer R and customer C run KGEN(1^k) to generate their respective public-private key pairs: (Rpub, Rpriv) and (Cpub, Cpriv).

Customer C registers with storage provider S: C sends to S his public key Cpub and contact details Cv and CAd on which he would like to receive verification and advertisement notifications. The reference uC of the newly created record is returned to C.

Customer C registers with retailer R: C sends the pair <Cpub, uC> to R.

R generates the re-encryption key rkR→C = PRK(Rpriv, Cpub) for C and stores it in the record referenced by uC.


Page 9: Privacy-Preserving Outsourced Profiling


Application of PERK to perform Privacy Preserving Profiling, Contd ...

For each shopping transaction performed by C at R:

Store C's shopping transaction data at the designated storage space SD provided by S:

C presents a unique id rCi to R. rCi is the reference of the pre-allocated storage for C at SD by S.

R encrypts the shopping transaction data dCi of C under its public key Rpub, generating the ciphertext cR1 = ENC(Rpub, dCi).

R then stores the encrypted data cR1 in the record referenced by rCi at SD.


Page 10: Privacy-Preserving Outsourced Profiling


Application of PERK to perform Privacy Preserving Profiling, Contd ...

Verify the integrity of stored shopping transaction data at SD:

S updates the record referenced by rCi, re-encrypting cR1 under rkR→C, generating the ciphertext cC2 = RENC(rkR→C, cR1).

S sends a notification to C via Cv, notifying him that new shopping data is now available for verification at the data record referenced by rCi.

C accesses the ciphertext cC2 from SD by reference rCi.

C then decrypts cC2 using his secret key Cpriv to obtain dCi = DEC(Cpriv, cC2).

C is now in a position to verify the integrity of his stored shopping transaction data dCi at SD.
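The following Python toy, added here and not code from the paper, walks through the store / re-encrypt / verify flow of the three preceding slides: R encrypts a record under Rpub, S re-encrypts it with the key held in C's record without being able to read it, and C decrypts and checks it. It does not implement PERK itself: the proxy re-encryption is the bidirectional BBS98 ElGamal variant, whose re-encryption key is derived from both secret keys rather than from PRK(Rpriv, Cpub), and the prime, base and sample record are constructed for illustration only.

```python
# Added toy walk-through of the slide 8-10 data flow, not the paper's PERK code.
# Proxy re-encryption here is the bidirectional BBS98 ElGamal variant, whose key
# needs both secrets (PERK uses PRK(A_priv, B_pub)); sizes are toy, not for real use.
import secrets
from math import gcd

P = 2**61 - 1   # Mersenne prime; group Z_P^*, exponents reduced mod P-1
G = 7           # fixed base; any element of Z_P^* gives correct round trips

def kgen():
    """KGEN: secret exponent coprime to P-1 (so invertible), public key G^a."""
    while True:
        a = secrets.randbelow(P - 2) + 1
        if gcd(a, P - 1) == 1:
            return pow(G, a, P), a

def enc(pub, m):
    """ENC: BBS98 ciphertext (m * G^k, pub^k) for an integer m in [1, P-1]."""
    assert 0 < m < P
    k = secrets.randbelow(P - 2) + 1
    return (m * pow(G, k, P)) % P, pow(pub, k, P)

def prk(a_priv, b_priv):
    """rk_{A->B} = b / a mod (P-1); the toy needs both secrets, PERK does not."""
    return (b_priv * pow(a_priv, -1, P - 1)) % (P - 1)

def renc(rk, ct):
    """RENC at storage provider S: maps pub_A^k to pub_B^k without seeing m."""
    return ct[0], pow(ct[1], rk, P)

def dec(priv, ct):
    """DEC: recover G^k from pub^k via the inverse exponent, then divide it out."""
    gk = pow(ct[1], pow(priv, -1, P - 1), P)
    return (ct[0] * pow(gk, -1, P)) % P

def encode(record: bytes) -> int:   # record of 1..7 bytes (below P), no leading NUL
    assert 0 < len(record) <= 7 and record[0] != 0
    return int.from_bytes(record, "big")
def decode(m: int) -> bytes:
    return m.to_bytes(7, "big").lstrip(b"\x00")

def perk_roundtrip(d_ci: bytes):
    """R encrypts d_Ci under Rpub, S re-encrypts under rk_{R->C}, C decrypts and verifies."""
    r_pub, r_priv = kgen()              # retailer R
    _c_pub, c_priv = kgen()             # customer C
    rk_r_to_c = prk(r_priv, c_priv)     # held by S in C's record uC
    c_r1 = enc(r_pub, encode(d_ci))     # R stores cR1 in record rCi at SD
    c_c2 = renc(rk_r_to_c, c_r1)        # S updates record rCi
    recovered = decode(dec(c_priv, c_c2))
    return recovered, recovered == d_ci  # C's integrity check against his receipt
```

S only ever holds rk_{R->C} and the two ciphertexts, neither of which yields the record without Rpriv or Cpriv; with a real unidirectional scheme such as PERK's, R could also issue the re-encryption key without C's secret.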


Page 11: Privacy-Preserving Outsourced Profiling


Application of PERK to perform Privacy Preserving Profiling, Contd ...

C generates searchable encryptions: For each chosen keyword f,

C generates a corresponding searchable encryption value sf = SENC(Cpub, f, dCi). C then updates the shopping transaction record referenced by rCi at SD, inserting the ciphertext sf.

C gets the list of authorized service providers P1, ..., Pn with respect to keyword f from S.

C generates the trapdoor tf = DOOR(Cpriv, f), and sends it to P1, ..., Pn.


Page 12: Privacy-Preserving Outsourced Profiling


Application of PERK to perform Privacy Preserving Profiling, Contd ...

Profiling:

For each authorized keyword f, Profiler P compares his trapdoor values tf with the searchable encryption values sf exposed by each customer C. On a successful match, P obtains the shopping transaction data dCi = TEST(Cpub, sf, tf).

P uses the acquired shopping data of customers to perform profiling.

P provides targeted services to customers, notifying each customer C via CAd.


Page 13: Privacy-Preserving Outsourced Profiling


Encryption Scheme 1: Security & Performance

Security:

The encryption scheme PERK = (KGEN, ENC, PRK, RENC, DEC, SENC, DOOR, TEST) is semantically secure against a chosen plaintext attack in the random oracle model, assuming CoDDH is intractable.

Performance:

The trapdoors need to be generated only once per (authorized) Profiler, and not for each transaction.

If the set of keywords with respect to which C would like to expose his shopping data to P remains constant over time, then the trapdoors can also be generated as part of the initial setup.

Page 14: Privacy-Preserving Outsourced Profiling


Encryption Scheme 2: PERKd

Alternate scheme where the retailers and profilers agree on a pre-defined set of keywords for profiling.

Retailer R stores Customer C's shopping data at storage facility S encrypted using its public key Rpub, and also generates searchable encryptions w.r.t. the pre-defined keywords.

S re-encrypts it to a form that can be decrypted by C’s private key Cpriv.

C verifies his shopping data and can choose (delete, NOT add) keywords w.r.t. which his data is exposed, by providing corresponding trapdoors to Profiler P.

P can check if a customer shopping record contains a specific keyword using the given trapdoors.

Page 15: Privacy-Preserving Outsourced Profiling


Encryption Scheme 2: PERKd Comparison with PERK

No random oracles needed.

The retailer R, and not the Customer C, is responsible for generating the searchable encryptions w.r.t. the pre-defined keywords.

As such, no SENC algorithm in PERKd.

The other main difference is with respect to the type of data that finally becomes available to the profilers for profiling:

PERK outputs the whole shopping record on successful match.

PERKd only lets the profilers know if a shopping record of C contains a specific keyword.

Page 16: Privacy-Preserving Outsourced Profiling


Conclusion

We presented two encryption schemes to perform profiling in a privacy preserving fashion.

In comparison to the state-of-the-art:

Profiling across multiple retailers, not limited to a single retailer.

Full privacy control over own profile by the customer. Profilers only get access to portions of the shopping data that the customer explicitly gives them access to, and only in a pseudonymised fashion.

From a security perspective, this is the first proposal to combine proxy re-encryption and searchable encryption schemes.

Page 17: Privacy-Preserving Outsourced Profiling


Thank you and Questions