Cryptographic Algorithms for Privacy in an Age of Ubiquitous Recording
(Transcript of an 88-slide FPO talk by Brent Waters)

1
Cryptographic Algorithms for Privacy in an Age
of Ubiquitous Recording
  • Brent R. Waters
  • Advisor: Ed Felten
  • July, 2004

2
Ubiquitous Recording
  • Imagine a world where everything is recorded
  • With advances in storage technology and other
    factors, Ubiquitous Recording is becoming close to
    a reality
  • Privacy concerns become very significant

3
Privacy Problems
  • How do we encrypt information for someone who
    does not carry around any special devices?
  • How can someone receive messages anonymously?
  • How can we provide the functionality of keyword
    search while maintaining data confidentiality?

4
Contributions
  • Three Cryptographic Protocols
    • Fuzzy Identity Based Encryption
      • Encryption using biometrics
    • Receiver Anonymity via Incomparable Public Keys
      • CCS 03
    • Keyword Search on Asymmetrically Encrypted Data
      • NDSS 04

5
Fuzzy Identity Based Encryption
  • Current Research with Amit Sahai

6
A Medical Appointment
  • Record visit, test results, etc.
  • Encryption
  • No portable device requirement (can't carry an RSA
    public key)

7
Use Identity Based Encryption (IBE)
  • Public Key is an identifier string
    (e.g. aaron@princeton.edu)
  • Use global public parameters
  • Master secret holder(s) can give out private keys
    to an individual that authenticates themselves
  • Boneh and Franklin 01

8
Problems with Standard IBE
  • What should the identities be?
    • Names are not unique
    • Don't necessarily want to tie to SS, Driver's
      License
  • First time users
    • Don't have identities yet
  • Certifying oneself to authority can be
    troublesome
    • Need documentation, etc.

9
Biometric as an Identity
  • Biometric stays with human
  • Should be unique (depends on quality of
    biometric)
  • Have identity before registration
  • Certification is natural

10
Biometric as an Identity
  • Biometric measure changes a little each time
    • Environment
    • Difference in sensors
    • Small change in trait
  • Cannot use a biometric as an identity in current
    IBE schemes

11-12
Fuzzy Identity Based Encryption
  • A secret key for ID can decrypt a ciphertext
    encrypted with ID' iff Hamming Distance(ID, ID') ≤ d

(Figure: ciphertext Encrypted with ID'; Private Key for ID)
13
Designing a Fuzzy IBE Scheme
  • n bit identifiers
  • d Hamming distance
  • Two techniques
    • Shamir secret sharing using polynomials
    • Bilinear maps

14
Secret Sharing
  • Pick a random degree n-1 polynomial q
  • Secret is q(0)
  • Need n points to interpolate to the secret; with
    fewer, learn nothing

15
Bilinear Maps
16
Setup
Distinct values in Z_p
17
Key Generation
Pick a random degree n-(d+1) polynomial q(x) such that
q(0) = y
18
Encryption
Pick random r and encrypt message M as C = M·h^{ry}
19
Decryption
Suppose we have a secret key for ID, a ciphertext
encrypted with ID', and Hamming Distance(ID, ID')
≤ d.
Apply the bilinear map at n-d points where ID and ID'
agree.
20
Decryption
Have n-d points of the polynomial r·q(x) (in the
exponent). Can interpolate to get h^{r·q(0)} = h^{ry}.
Ciphertext is C = M·h^{ry}; divide out to get M.
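The threshold mechanics of slides 13 to 20 (Shamir sharing with q(0) = y, one key component per identity position, interpolation at the positions where the two identities agree) as an added runnable toy of mine, not the author's scheme or code. It replaces the bilinear map with plain scalar multiplication modulo a Mersenne prime Q, which keeps the arithmetic (key_i · E_i equals r·q(i) exactly where the bits match, and n-d such points interpolate to r·y) but throws away the secrecy the pairing provides, so it shows why Hamming distance ≤ d is precisely the decryption condition and nothing about security. The names FuzzyIBEToy and t[i][b], the additive blinding m + r·y standing in for M·h^{ry}, and the 2^61-1 modulus are my choices.

```python
# Added toy model (not the author's code): Fuzzy IBE threshold decryption
# with the bilinear map replaced by scalar multiplication mod Q. The
# threshold arithmetic of the slides survives; the security does not
# (a key holder here sees q(i)/t directly), so this is for understanding only.
import secrets

Q = (1 << 61) - 1   # Mersenne prime 2^61-1; stand-in for the group order (assumption)


def rand_nonzero():
    return secrets.randbelow(Q - 1) + 1


def poly_eval(coeffs, x):
    """Horner evaluation; coeffs[0] is q(0), the shared secret."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % Q
    return acc


def lagrange_at_zero(points):
    """Given len(points) points of a polynomial of degree < len(points), return q(0)."""
    total = 0
    for xi, vi in points:
        num = den = 1
        for xj, _ in points:
            if xj != xi:
                num = num * xj % Q
                den = den * (xj - xi) % Q
        total = (total + vi * num * pow(den, -1, Q)) % Q
    return total


def hamming(a, b):
    return sum(x != y for x, y in zip(a, b))


class FuzzyIBEToy:
    def __init__(self, n, d):
        self.n, self.d = n, d
        self.y = rand_nonzero()                                   # master secret y
        # public parameters: one value t[i][b] per position i and bit b (my modelling)
        self.t = [[rand_nonzero(), rand_nonzero()] for _ in range(n)]

    def keygen(self, ID):
        # slide 17: random polynomial of degree n-(d+1) with q(0) = y
        coeffs = [self.y] + [rand_nonzero() for _ in range(self.n - self.d - 1)]
        # component for position i is q(i)/t[i][ID_i]; x-coordinate is i+1
        return [poly_eval(coeffs, i + 1) * pow(self.t[i][int(ID[i])], -1, Q) % Q
                for i in range(self.n)]

    def encrypt(self, IDp, m):
        # slide 18: random r, C = M * h^{ry}; here additive blinding m + r*y
        # (the real encryptor only knows h^y, never y itself)
        r = rand_nonzero()
        E = [r * self.t[i][int(IDp[i])] % Q for i in range(self.n)]
        return IDp, E, (m + r * self.y) % Q

    def decrypt(self, key, ID, ct):
        IDp, E, C = ct
        agree = [i for i in range(self.n) if ID[i] == IDp[i]]
        if len(agree) < self.n - self.d:        # Hamming distance > d: too few points
            return None
        # slides 19/20: key_i * E_i = r*q(i) exactly where the bits agree (t cancels)
        points = [(i + 1, key[i] * E[i] % Q) for i in agree[: self.n - self.d]]
        ry = lagrange_at_zero(points)            # interpolate r*q(0) = r*y
        return (C - ry) % Q


def demo(n=8, d=2, m=123456789):
    """Constructed identities: 'near' differs from ID in 2 bits, 'far' in 3."""
    scheme = FuzzyIBEToy(n, d)
    ID, near, far = "10110010", "10100011", "10100001"
    key = scheme.keygen(ID)
    return (scheme.decrypt(key, ID, scheme.encrypt(near, m)),
            scheme.decrypt(key, ID, scheme.encrypt(far, m)))


if __name__ == "__main__":
    print(demo())   # (123456789, None)
```

With d = 2 the key holder recovers m from the ciphertext made for an identity two bits away and gets nothing (None) for one three bits away, which is the "iff Hamming Distance ≤ d" statement of slide 11 made concrete.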
21
Security
  • Proof for Selective ID model
    • Attacker cannot attack ciphertext encrypted by
      any pre-specified ID
  • Reduce to distinguishing between tuples
    • (g^a, g^b, g^c, h^{bc/a})
    • (g^a, g^b, g^c, h^z)

22
Practicality?
  • Expect 50 bits in some biometrics
    • E.g. voice sample
  • Approximately 80ms for bilinear map computation
  • → Around 4s for decryption

23
Related Work
  • Identity Based Encryption
    • Boneh and Franklin (2001)
    • Canetti, Halevi, and Katz (2003)
  • Encryption with Biometrics
    • Monrose, Reiter, et al. (2002)
  • Fuzzy Schemes
    • Davida, et al. (1998)
    • Juels and Wattenberg (1999)

24

25
Receiver Anonymity via Incomparable Public Keys
  • Work with Ed Felten and Amit Sahai
  • CCS 03

26
An Anonymous Encounter
  • Communicate later
  • Encryption
  • Anonymity

27
Receiver Anonymity
  • Alice can give Bob information that he can use to
    send messages to Alice, while keeping her true
    identity secret from Bob.

(Figure: Bulletin Board alt.anonymous.messages.
Anonymous ID: "Where are good Hang Gliding
spots? Send to alt.anonymous.messages."
Participants: Bob, Alice.)
28
Receiver Anonymity
  • Anonymous Identity
  • Information allowing a sender to send messages to
    an anonymous receiver
  • May contain routing and encryption information
  • Requirements
  • Receiver is anonymous even to the sender
  • Anonymous Identity can be used several times
  • Communication is secret (encrypted)
  • Messages are received efficiently

29
A Common Method
Alice anonymously receives encrypted messages from
both Bob and Charlie by reading a newsgroup.
(Figure: Bulletin Board alt.anonymous.messages.
Anonymous ID 1: "Where are good Hang Gliding
spots? Send to alt.anonymous.messages. Encrypt
with a45cd79e." Anonymous ID 2: "What Biology
conferences are interesting? Send to
alt.anonymous.messages. Encrypt with a45cd79e."
Participants: Bob, Alice, Charlie.)
30
Encryption Key is Part of the Identity
Bob and Charlie collude and discover that they
are encrypting with the same public key and thus
are sending messages to the same person.
(Figure: same bulletin board; both Anonymous ID 1
and Anonymous ID 2 say "Encrypt with a45cd79e".)
31
Encryption Key is Part of the Identity
Bob and Charlie then aggregate what they each
know about the Anonymous Receiver and are able to
compromise her anonymity.
(Figure: same bulletin board; Hang Gliding +
Biology → Alice.)
32-33
Independent Public Key per Sender
Alice creates a separate public/private key pair
for each sender. Upon receiving a message on the
newsgroup Alice tries all her private keys until
one matches or she has tried them all.
(Figure: Bulletin Board alt.anonymous.messages.
Bob encrypts with a45cd79e, Charlie with
207c5edb; with two senders Alice's keys to try are
48b33c03 and ae668f53. With many senders the list
grows: 207defb1, b593f399, 48b33c03, 43bca289,
ae668f53, 86cf1943, 56734ba, b9034d40, 40b2f68c,
075ca5ef, 2fce8473, 04d2a93c, 398bac49, 207c5edb,
e3c8f522, 46cce276, 70f4ba54.)
34
Incomparable Public Keys
  • Receiver generates a single secret key
  • Receiver generates several Incomparable Public
    Keys (one for each Anonymous Identity)
  • Receiver uses the secret key to decrypt any
    message encrypted with any of the public keys
  • Holders of Incomparable Public Keys cannot tell
    if any two keys are related (correspond to the
    same private key)

35
Efficiency of Incomparable Public Keys
Alice creates one secret key and distributes a
different Incomparable Public Key to each sender.
(Figure: same bulletin board with many senders
(a45cd79e, 207defb1, b593f399, 04d2a93c, 398bac49,
207c5edb, e3c8f522, 46cce276, 70f4ba54); Alice's
keys to try: 48b33c03 only.)
36
Construction of Incomparable Public Keys
  • Based on ElGamal encryption
  • All users share a global (strong) prime p
  • Operations are performed in the group of Quadratic
    Residues of Z_p
  • Secret Key Generation
    • Choose an ElGamal secret key a
  • Generate a new Incomparable Public Key
    • Pick random generator, g, of the group
    • Public key is (g, g^a)


37-41
Security Intuition
  • Cannot distinguish equivalent keys (g, g^a), (h, h^a)
    from non-equivalent ones (g, g^a), (h, h^b)
  • Assuming Decisional Diffie-Hellman is hard
  • However, this is not enough if the receiver might
    respond to a message

(Figure: Bob holds (g, g^a) and Charlie holds (h, h^a).
Pair-wise multiply gives (gh, (gh)^a). Alice can
decrypt messages encrypted with this new key.)
42
Models of Receivers
  • Passive Receiver Model
    • Receiver gathers and decrypts messages, but gives
      no indication to sender about whether decryption
      was successful
    • Receiver cannot ask for retransmission if
      expected message is not received
    • Might be realistic in a few cases
  • Active Receiver Model
    • Receiver decrypts messages and can interact with
      the sender

43
Solution to Active Receiver Model
  • Record keys that were validly created
  • The ciphertext will contain a proof about which
    key was used for encryption
  • The private key holder can alternatively
    distribute each Incomparable Public Key with its
    MAC
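Incomparable Public Keys from slides 36 to 43 as an added Python example of mine (not the author's code and not the GnuPG extension from the talk): one ElGamal secret a in the quadratic-residue subgroup of a safe prime, a fresh (g, g^a) per anonymous identity, and the "distribute each key with its MAC" defence for the active receiver model, exercised against the pair-wise-multiplied key (gh, (gh)^a) from slides 37-41. The hashed-ElGamal padding with SHAKE, the 64-bit toy modulus found by a safe-prime search, the tag encoding f"{g}|{y}", and the convention that the sender copies the key and its tag into the ciphertext are my assumptions.

```python
# Added example (not the author's or GnuPG code): Incomparable Public Keys on
# ElGamal in the QR subgroup of a safe prime p = 2q+1, plus the MAC-per-key
# check that lets an active receiver refuse keys it never issued.
import hashlib
import hmac
import secrets

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41)


def is_probable_prime(n):
    """Deterministic Miller-Rabin with fixed bases; exact for n < 3.3e24."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def next_safe_prime(start):
    """Smallest p = 2q+1 with q >= start and both q and p prime."""
    q = start | 1
    while not (is_probable_prime(q) and is_probable_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1


P = next_safe_prime(1 << 63)   # toy ~64-bit modulus (assumption); real use needs >= 2048 bits
Q = (P - 1) // 2               # prime order of the quadratic-residue subgroup
NBYTES = (P.bit_length() + 7) // 8


def random_qr_generator():
    # any square other than 1 generates the prime-order QR subgroup
    while True:
        g = pow(secrets.randbelow(P - 2) + 2, 2, P)
        if g != 1:
            return g


def xor_pad(shared, data):
    pad = hashlib.shake_256(shared.to_bytes(NBYTES, "big")).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, pad))


def encrypt(pk, msg):
    """Sender: hashed ElGamal under (g, y=g^a); key and tag travel with the ciphertext."""
    g, y, tag = pk
    k = secrets.randbelow(Q - 1) + 1
    return g, y, tag, pow(g, k, P), xor_pad(pow(y, k, P), msg)


class Receiver:
    def __init__(self):
        self.a = secrets.randbelow(Q - 1) + 1    # the single ElGamal secret key
        self.mac_key = secrets.token_bytes(32)   # receiver-only key marking keys it issued

    def _tag(self, g, y):
        return hmac.new(self.mac_key, f"{g}|{y}".encode(), hashlib.sha256).digest()

    def new_public_key(self):
        g = random_qr_generator()                # fresh generator per anonymous identity
        y = pow(g, self.a, P)
        return g, y, self._tag(g, y)

    def decrypt(self, ct, verify=True):
        g, y, tag, c1, c2 = ct
        if verify and not hmac.compare_digest(tag, self._tag(g, y)):
            return None   # key never issued by us: refuse instead of answering (slide 43)
        return xor_pad(pow(c1, self.a, P), c2)


def combined_key(pk1, pk2):
    """The linkability probe of slides 40-41: (g,g^a),(h,h^a) -> (gh,(gh)^a); no valid tag."""
    return pk1[0] * pk2[0] % P, pk1[1] * pk2[1] % P, b"\x00" * 32


def demo():
    alice = Receiver()
    pk_bob, pk_charlie = alice.new_public_key(), alice.new_public_key()
    ok = alice.decrypt(encrypt(pk_bob, b"hang gliding?")) == b"hang gliding?"
    probe = encrypt(combined_key(pk_bob, pk_charlie), b"probe")
    naive = alice.decrypt(probe, verify=False)   # passive model: the combined key works
    guarded = alice.decrypt(probe)               # active model with MAC check: refused
    return ok, pk_bob[:2] != pk_charlie[:2], naive, guarded


if __name__ == "__main__":
    print(demo())   # (True, True, b'probe', None)
```

The two public keys share the secret a but are unrelated to anyone who cannot solve DDH in the group, which is the slide 37 claim; the demo's last two values show why the MAC matters once the receiver answers: without the check the product key decrypts, with it the receiver stays silent.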

44
Efficiency
  • Efficiency is comparable to standard ElGamal
    • One exponentiation for encryption
    • Two exponentiations for decryption and
      verification of a message

45
Implementation
  • Implemented Incomparable Public Keys by extending
    GnuPG (PGP) 1.2.0
  • Available at http://www.cs.princeton.edu/bwaters/
    research/

46
Related Work
  • Bellare et al. (2001)
    • Introduce notion of Key-Privacy
    • If Key-Privacy is maintained an adversary cannot
      match ciphertexts with the public keys used to
      create them
    • The authors do not consider anonymity from
      senders
  • Pfitzmann and Waidner (1986)
    • Use of multicast address for receiver anonymity
    • Discuss implicit vs. explicit marks

47
Related Work (cont.)
  • Chaum (1981)
    • Mix-nets for sender anonymity
    • Reply addresses usable only once
    • Other work follows this line

49
Keyword Search on Asymmetrically Encrypted Data
  • Work with Dirk Balfanz, Glenn Durfee, and Dianna
    Smetters
  • NDSS 04

50
A Conference Room
(Figure: a conference room being recorded; example
keywords: Alice Smith, Faculty, ZebraNet,
Facilities; records go to storage (untrusted).)
51
Desirable Characteristics
  • Data Access Control
    • Entries may be sensitive to individuals or log
      owner
  • Searchability
    • Search for log on specific criteria
    • e.g. keyword search
  • Tension between two goals

52
Requirements
  • Data Access Control
    • Entries must be encrypted on untrusted storage
    • Forward security in case auditing device becomes
      compromised → asymmetric encryption
    • Limit scope of data released to that of the
      search
  • Searchability
    • Be able to efficiently retrieve entries based on
      certain criteria
    • We focus on keyword search

53
Delegating Search Capabilities
(Figure, step 1) The investigator requests from the
Escrow Agent, who holds the master secret, a
capability to search for all records that match
the keyword ZebraNet.
(Figure, step 2) The investigator submits the
capability to the audit log and receives only the
records that the capability matches.
54
Search on Asymmetrically Encrypted Data
55
Search on Asymmetrically Encrypted Data
Encrypted Data
Keywords must not be in the clear!
56
Search on Asymmetrically Encrypted Data
mastersecret
Escrow Agent
Encrypted Data
57
Search on Asymmetrically Encrypted Data
mastersecret
Escrow Agent
Encrypted Data
58
Search on Asymmetrically Encrypted Data
mastersecret
Escrow Agent
Encrypted Data
59
Search on Asymmetrically Encrypted Data
mastersecret
Escrow Agent
Encrypted Data
No information is learned
60
Search on Asymmetrically Encrypted Data
mastersecret
Escrow Agent
Encrypted Data
61
Search on Asymmetrically Encrypted Data
mastersecret
Escrow Agent
Encrypted Data
62
Search on Asymmetrically Encrypted Data
mastersecret
Escrow Agent
Embed decryption in search
Keywords ZebraNet Funding Alice Smith
Record
Encrypted Data
63-70
Using IBE to Search on Asymmetrically Encrypted
Data
(Figure, animated: keyword ZebraNet → FLAG K;
keyword Funding → FLAG K.)
  • FLAG used to test
  • K to decrypt on match
  • Key-privacy property → keywords kept private
  • Pairing operation per keyword

71-76
Using IBE to Search on Asymmetrically Encrypted
Data
(Figure, animated: attempts on non-matching parts
yield garbage such as 011010 and 0011100; the
matching part yields FLAG K, and K is extracted.)
  • Attempt IBE decryption on each part
  • Test for presence of FLAG
  • On match use K to decrypt document

77
We want to type keywords
FLAG K
  • Attempt IBE decryption on each part
  • Test for presence of FLAG
  • On match use K to decrypt document
  • Pairing per keyword in document

78
Performance
  • Encryption
    • One pairing per keyword in document
    • One exponentiation per keyword
  • Search/Decryption
    • One pairing per keyword per document

79-80
Optimizations
  • Cache pairings of frequently used keywords
    • e.g. ê(ZebraNet, sP)
    • Only need a pairing per new keyword on encryption
    • In the limit, the exponentiation per keyword is the
      dominant cost
  • Reuse randomness for IBE encryption within one
    document
    • Okay since the same public key is not used more
      than once per document
    • In decryption only one pairing per document
    • Save storage in log

81
Related Work
  • Searching on Encrypted Data
    • Boneh, Crescenzo, Ostrovsky and Persiano (2003)
    • Song, Wagner and Perrig (2000)
  • Identity Based Encryption
    • Boneh and Franklin (2001)

82
Contributions
  • Introduced notion of Fuzzy Identity Based
    Encryption
    • Designed a Fuzzy IBE scheme based on bilinear
      maps
    • Proof of security
  • Developed novel method for anonymously receiving
    messages
    • Introduced notion of Incomparable Public Keys
    • Implementation in GnuPG
    • Provably secure in both Random Oracle and
      standard models

83
Contributions
  • Designed a scheme for keyword search on
    asymmetrically encrypted data
    • Adapted BF IBE method
    • Developed techniques for improving performance

84-85
Future Work (Fuzzy IBE)
  • Extends to set overlap metric
  • Hash arbitrary strings into identities
    • ID = {brown-hair, Explorer}
  • More biometrics
  • Access Control
  • Dating?

(Figure: dating example, match 3 out of 4:
Blond, Grad Student, Curly, Beat Brent in bowling)

86
Thanks!
  • Ed Felten
  • Amit Sahai
  • Committee
  • Fellow Students
