1 / 87

Cryptographic Algorithms for Privacy in an Age of Ubiquitous Recording

Cryptographic Algorithms for Privacy in an Age of Ubiquitous Recording. Brent R. Waters Advisor: Ed Felten July, 2004. Ubiquitous Recording. Imagine a world everything is recorded With increase in storage technology and other factors Ubiquitous Recording is becoming close to a reality

brigid
Télécharger la présentation

Cryptographic Algorithms for Privacy in an Age of Ubiquitous Recording

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Cryptographic Algorithms for Privacy in an Age of Ubiquitous Recording Brent R. Waters Advisor: Ed Felten July, 2004

  2. Ubiquitous Recording • Imagine a world everything is recorded • With increase in storage technology and other factors Ubiquitous Recording is becoming close to a reality • Privacy concerns become very significant Cryptographic Protocols for Memex

  3. Privacy Problems • How do we encrypt information for someone who does not carry around any special devices? • How can someone receive messages anonymously? • How can we provide the functionality of keyword search while maintaining data confidentiality? Cryptographic Protocols for Memex

  4. Contributions Three Cryptographic Protocols • Fuzzy Identity Based Encryption • Encryption using biometrics • Receiver Anonymity via Incomparable Public Keys • CCS ’03 • Keyword Search on Asymmetrically Encrypted Data • NDSS ‘04 Cryptographic Protocols for Memex

  5. Fuzzy Identity Based Encryption Current Research with Amit Sahai

  6. A Medical Appointment • Record visit, test results, etc. • Encryption • No portable device requirement (can’t carry RSA public key) Cryptographic Protocols for Memex

  7. My key is “Aaron Smith” Use Identity Based Encryption (IBE) • Public Key is an identifier string (e.g.“aaron@princeton.edu”) • Use global public parameters • Master secret holder(s) can give out private keys to an individual that authenticates themselves • Boneh and Franklin ‘01 Cryptographic Protocols for Memex

  8. Problems with Standard IBE • What should the identities be? • Names are not unique • Don’t necessarily want to tie to SS#, Driver’s License… • First time users • Don’t have identities yet • Certifying oneself to authority can be troublesome • Need documentation, etc. Cryptographic Protocols for Memex

  9. <0110010…00111010010> Biometric as an Identity • Biometric stays with human • Should be unique (depends on quality of biometric) • Have identity before registration • Certification is natural Cryptographic Protocols for Memex

  10. <0110010…00111010010> <0110110…00111010110> <0100010…00111010110> Biometric as an Identity • Biometric measure changes a little each time • Environment • Difference in Sensors • Small change in trait • Cannot use a biometric as an identity in current IBE schemes Cryptographic Protocols for Memex

  11. <0100110…00111010110> <0110010…00111010010> M Fuzzy Identity Based Encryption A secret key for IDcan decrypt a ciphertext encrypted withID’iff Hamming Distance(ID,ID’)  d Encrypted with ID’ Private Key for ID Cryptographic Protocols for Memex

  12. <0010110…00011110110> <0110010…00111010010> Fuzzy Identity Based Encryption A secret key for IDcan decrypt a ciphertext encrypted withID’iff Hamming Distance(ID,ID’)  d Encrypted with ID’ Private Key for ID Cryptographic Protocols for Memex

  13. Designing a Fuzzy IBE Scheme n bit identifiers d Hamming distance Two techniques • Shamir secret sharing using polynomials • Bilinear maps Cryptographic Protocols for Memex

  14. Secret Sharing • Pick random n-1 degree polynomial q • Secret is q(x’) • Need n points to interpolate to secret, if less learn nothing x’ Cryptographic Protocols for Memex

  15. Bilinear Maps Cryptographic Protocols for Memex

  16. Random members of Setup Distinct values in Zp Cryptographic Protocols for Memex

  17. Points depend on the identity of private key ID=< 0 1 1 …0 > Key Generation Pick random n-(d+1) polynomial q(x) such that q(x’)=y’ Cryptographic Protocols for Memex

  18. Raise public points to r that match encryption key ID’=< 0 1 0 …0 > Encryption Pick random rand encrypt message M as C=Mhry’ Cryptographic Protocols for Memex

  19. ID= < 0 1 1 …0 > ID’= < 0 1 0 …0 > Decryption Suppose we have secret key for ID, ciphertext encrypted with ID’, and Hamming Distance(ID,ID’)  d Apply bilinear map at n-d points where ID,ID’ agree Cryptographic Protocols for Memex

  20. Decryption Have n-d points of polynomial rq(x) (in exponent) Can interpolate to get hrq(x’)= hry’ Ciphertext is C=Mhry’ Divide out to get M Cryptographic Protocols for Memex

  21. Security • Proof for “Selective ID” model • Attacker cannot attack ciphertext encrypted by any pre-specified ID • Reduce to distinguishing between tuples: (ga,gb,gc,hbc/a) (ga,gb,gc,hz) Cryptographic Protocols for Memex

  22. Practicality? • Expect ~ 50 bits in some biometrics • E.g. voice sample • Approximately 80ms for bilinear map computation • Around 4s for decryption Cryptographic Protocols for Memex

  23. Related Work Identity Based Encryption • Boneh and Franklin (2001) • Canetti, Halevi, and Katz (2003) Encryption with Biometrics • Monrose, Reiter, et al. (2002) Fuzzy Schemes • Davida, et al. (1998) • Juels and Wattenberg (1999) Cryptographic Protocols for Memex

  24. Receiver Anonymity via Incomparable Public Keys Work with Ed Felten and Amit Sahai CCS ‘03

  25. An Anonymous Encounter • Communicate later • Encryption • Anonymity Cryptographic Protocols for Memex

  26. Receiver Anonymity Alice can give Bob information that he can use to send messages to Alice, while keeping her true identity secret from Bob. Anonymous ID “Where are good Hang Gliding spots?” Send to: alt.anonymous.messages Bulletin Board alt.anonymous.messages Bob Alice Cryptographic Protocols for Memex

  27. Receiver Anonymity • Anonymous Identity • Information allowing a sender to send messages to an anonymous receiver • May contain routing and encryption information • Requirements • Receiver is anonymous even to the sender • Anonymous Identity can be used several times • Communication is secret (encrypted) • Messages are received efficiently Cryptographic Protocols for Memex

  28. A Common Method Alice anonymously receives encrypted message from both Bob and Charlie by reading a newsgroup. Anonymous ID 1 “Where are good Hang Gliding spots?” Send to: alt.anonymous.messages Encrypt with: a45cd79e Bulletin Board alt.anonymous.messages Bob Alice Charlie Anonymous ID 2 “What Biology conferences are interesting?” Send to: alt.anonymous.messages Encrypt with: a45cd79e Cryptographic Protocols for Memex

  29. Encryption Key is Part of the Identity Bob and Charlie collude and discover that they are encrypting with the same public key and thus are sending messages to the same person. Anonymous ID 1 “Where are good Hang Gliding spots?” Send to: alt.anonymous.messages Encrypt with: a45cd79e Bulletin Board alt.anonymous.messages Bob Alice Charlie Anonymous ID 2 “What Biology conferences are interesting?” Send to: alt.anonymous.messages Encrypt with: a45cd79e Cryptographic Protocols for Memex

  30. Encryption Key is Part of the Identity Bob and Charlie then aggregate what they each know about the Anonymous Receiver and are able to compromise her anonymity. Anonymous ID 1 “Where are good Hang Gliding spots?” Send to: alt.anonymous.messages Encrypt with: a45cd79e Bulletin Board alt.anonymous.messages Bob Alice Hang Gliding + Biology => Alice Charlie Anonymous ID 2 “What Biology conferences are interesting?” Send to: alt.anonymous.messages Encrypt with: a45cd79e Cryptographic Protocols for Memex

  31. Independent Public Key per Sender Alice creates a separate public/private key pair for each sender. Upon receiving a message on the newsgroup Alice tries all her private keys until one matches or she has tried them all. Bulletin Board alt.anonymous.messages Bob a45cd79e Alice Keys to Try 48b33c03 ae668f53 Charlie 207c5edb Cryptographic Protocols for Memex

  32. Independent Public Key per Sender Alice creates a separate public/private key pair for each sender. Upon receiving a message on the newsgroup Alice tries all her private keys until one matches or she has tried them all. Bulletin Board alt.anonymous.messages Bob a45cd79e Alice 207defb1 b593f399 Keys to Try 48b33c03 43bca289 ae668f53 86cf1943 56734ba b9034d40 40b2f68c 075ca5ef 2fce8473 04d2a93c Charlie 398bac49 207c5edb e3c8f522 46cce276 70f4ba54 Cryptographic Protocols for Memex

  33. Incomparable Public Keys • Receiver generates a single secret key • Receiver generates several Incomparable Public Keys (one for each Anonymous Identity) • Receiver use the secret key to decrypt any message encrypted with any of the public keys • Holders of Incomparable Public Keys cannot tell if any two keys are related (correspond to the same private key) Cryptographic Protocols for Memex

  34. Efficiency of Incomparable Public Keys Alice creates a one secret key and distributes a different Incomparable Public Key to each sender. Bulletin Board alt.anonymous.messages Bob a45cd79e Alice 207defb1 b593f399 Keys to Try 48b33c03 04d2a93c Charlie 398bac49 207c5edb e3c8f522 46cce276 70f4ba54 Cryptographic Protocols for Memex

  35. Construction of Incomparable Public Keys • Based on ElGamal encryption • All users share a global (strong) prime p • Operations are performed in group of Quadratic Residues of Zp • Secret Key Generation: • Choose an ElGamal secret key a • Generate a new Incomparable Public Key: • Pick random generator, g, of the group • Public key is (g,ga) * Cryptographic Protocols for Memex

  36. Security Intuition • Cannot distinguish equivalent keys (g,ga), (h,ha) from non-equivalent ones (g,ga), (h,hb) • Assuming Decisional Diffie-Hellman is hard Cryptographic Protocols for Memex

  37. Security Intuition • Cannot distinguish equivalent keys (g,ga), (h,ha) from non-equivalent ones (g,ga), (h,hb) • Assuming Decisional Diffie-Hellman is hard • However, this is not enough if the receiver might respond to a message Cryptographic Protocols for Memex

  38. Security Intuition • Cannot distinguish equivalent keys (g,ga), (h,ha) from non-equivalent ones (g,ga), (h,hb) • Assuming Decisional Diffie-Hellman is hard • However, this is not enough if the receiver might respond to a message Bob (g,ga) Charlie (h,ha) Cryptographic Protocols for Memex

  39. Security Intuition • Cannot distinguish equivalent keys (g,ga), (h,ha) from non-equivalent ones (g,ga), (h,hb) • Assuming Decisional Diffie-Hellman is hard • However, this is not enough if the receiver might respond to a message Bob Pair-wise multiply (g,ga) Charlie (h,ha) Cryptographic Protocols for Memex

  40. Security Intuition • Cannot distinguish equivalent keys (g,ga), (h,ha) from non-equivalent ones (g,ga), (h,hb) • Assuming Decisional Diffie-Hellman is hard • However, this is not enough if the receiver might respond to a message Bob Pair-wise multiply Alice can decrypt messages encrypted with this new key. (g,ga) (gh,(gh)a) Charlie (h,ha) Cryptographic Protocols for Memex

  41. Models of Receivers • Passive Receiver Model • Receiver gathers and decrypts messages, but gives no indication to sender about if decryption was successful • Receiver cannot ask for retransmission if expected message is not received • Might be realistic in a few cases • Active Receiver Model • Receiver decrypts messages and can interact with the sender Cryptographic Protocols for Memex

  42. Solution to Active Receiver Model • Record keys that were validly created • The ciphertext will contain a “proof” about which key was used for encryption • The private key holder can alternatively distribute each Incomparable Public Keys with its MAC Cryptographic Protocols for Memex

  43. Efficiency • Efficiency is comparable to standard ElGamal • One exponentiation for encryption • Two exponentiations for decryption and verification of a message Cryptographic Protocols for Memex

  44. Implementation • Implemented Incomparable Public Keys by extending GnuPG (PGP) 1.2.0 • Available at http://www.cs.princeton.edu/~bwaters/research/ Cryptographic Protocols for Memex

  45. Related Work • Bellare et al. (2001) • Introduce notion of Key-Privacy • If Key-Privacy is maintained an adversary cannot match ciphertexts with the public keys used to create them • The authors do not consider anonymity from senders • Pfitzmann and Waidner (1986) • Use of multicast address for receiver anonymity • Discuss implicit vs. explicit “marks” Cryptographic Protocols for Memex

  46. Related Work (cont.) • Chaum (1981) • Mix-nets for sender anonymity • Reply addresses usable only once • Other work follows this line Cryptographic Protocols for Memex

  47. Keyword Search on Asymmetrically Encrypted Data Work with Dirk Balfanz, Glenn Durfee, and Dianna Smetters NDSS ‘04

  48. A Conference Room Example Keywords Alice Smith Faculty ZebraNet Facilities record storage (untrusted) Cryptographic Protocols for Memex

More Related