Title: Cryptographic Algorithms for Privacy in an Age of Ubiquitous Recording
1. Cryptographic Algorithms for Privacy in an Age of Ubiquitous Recording
- Brent R. Waters
- Advisor Ed Felten
- July, 2004
2. Ubiquitous Recording
- Imagine a world where everything is recorded
- With increases in storage technology and other factors, Ubiquitous Recording is becoming close to a reality
- Privacy concerns become very significant
3. Privacy Problems
- How do we encrypt information for someone who does not carry around any special devices?
- How can someone receive messages anonymously?
- How can we provide the functionality of keyword search while maintaining data confidentiality?
4. Contributions
- Three Cryptographic Protocols
- Fuzzy Identity Based Encryption
- Encryption using biometrics
- Receiver Anonymity via Incomparable Public Keys
- CCS 03
- Keyword Search on Asymmetrically Encrypted Data
- NDSS 04
5. Fuzzy Identity Based Encryption
- Current Research with Amit Sahai
6. A Medical Appointment
- Record visit, test results, etc.
- Encryption
- No portable device requirement (can't carry an RSA public key)
7. Use Identity Based Encryption (IBE)
- Public Key is an identifier string (e.g. aaron_at_princeton.edu)
- Use global public parameters
- Master secret holder(s) can give out private keys to an individual that authenticates themselves
- Boneh and Franklin 01
8. Problems with Standard IBE
- What should the identities be?
- Names are not unique
- Don't necessarily want to tie to SS, Driver's License
- First-time users
- Don't have identities yet
- Certifying oneself to authority can be troublesome
- Need documentation, etc.
9. Biometric as an Identity
- Biometric stays with human
- Should be unique (depends on quality of biometric)
- Have identity before registration
- Certification is natural
10. Biometric as an Identity
- Biometric measure changes a little each time
- Environment
- Difference in Sensors
- Small change in trait
- Cannot use a biometric as an identity in current IBE schemes
11. Fuzzy Identity Based Encryption
- A secret key for ID can decrypt a ciphertext encrypted with ID' iff Hamming Distance(ID, ID') ≤ d
(Diagram: a ciphertext "Encrypted with ID'" and a "Private Key for ID")
13. Designing a Fuzzy IBE Scheme
- n-bit identifiers
- Hamming distance threshold d
- Two techniques
- Shamir secret sharing using polynomials
- Bilinear maps
14. Secret Sharing
- Pick a random degree n-1 polynomial q
- Secret is q(0)
- Need n points to interpolate to the secret; with fewer, learn nothing
(Diagram: the polynomial plotted against x)
15. Bilinear Maps
16. Setup
Distinct values in Z_p
17. Key Generation
Pick a random degree n-(d+1) polynomial q(x) such that q(0) = y
18. Encryption
Pick random r and encrypt message M as C = M · h^{ry}
19. Decryption
Suppose we have a secret key for ID, a ciphertext encrypted with ID', and Hamming Distance(ID, ID') ≤ d
Apply the bilinear map at the n-d points where ID and ID' agree
20. Decryption
Have n-d points of the polynomial r·q(x) (in the exponent)
Can interpolate to get h^{r·q(0)} = h^{ry}
Ciphertext is C = M · h^{ry}; divide out to get M
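The threshold logic of slides 14 and 17-20 can be seen in plain field arithmetic. The following is an added example, not code from the talk: it keeps the shares q(i) as field elements instead of hiding them in the exponent of a bilinear group, so it models only which key holders can reconstruct q(0) (the real scheme additionally randomises with r and decrypts M from h^{ry}). The prime, identifier length n = 8, threshold d = 3 and the identities are constructed test values.

```python
import secrets

# Constructed toy parameters, not values from the talk: a prime field for the
# shares and a short identifier length so the arithmetic is easy to follow.
PRIME = 2**61 - 1   # Mersenne prime; shares are uniform in this field
N_BITS = 8          # n-bit identifiers
D = 3               # tolerated Hamming distance: n - d = 5 agreeing positions suffice


def hamming(id_a, id_b):
    """Number of positions at which two bit-lists differ."""
    return sum(a != b for a, b in zip(id_a, id_b))


def eval_poly(coeffs, x):
    """Evaluate q(x) = coeffs[0] + coeffs[1]*x + ... over the field."""
    return sum(c * pow(x, i, PRIME) for i, c in enumerate(coeffs)) % PRIME


def lagrange_at_zero(points):
    """Recover q(0) from (x, q(x)) pairs; needs degree+1 distinct points."""
    total = 0
    for xj, yj in points:
        num, den = 1, 1
        for xm, _ in points:
            if xm != xj:
                num = num * (-xm) % PRIME
                den = den * (xj - xm) % PRIME
        total = (total + yj * num * pow(den, -1, PRIME)) % PRIME
    return total


class Authority:
    """Master-secret holder (slide 17). Stores the master value y as q(0) of a random
    polynomial of degree n-(d+1), so that any n-d evaluations of q reconstruct y."""

    def __init__(self, y, n=N_BITS, d=D):
        self.n, self.d = n, d
        self.coeffs = [y % PRIME] + [secrets.randbelow(PRIME) for _ in range(n - d - 1)]

    def extract(self, ident):
        """Private key for identity ID: one share per bit position, usable only at
        that position with that bit value. The real scheme wraps these shares in
        the exponent of a group; here they are plain field elements, so this is a
        model of the threshold logic rather than the full public-key scheme."""
        return {(i, ident[i]): eval_poly(self.coeffs, i + 1) for i in range(self.n)}


def recover(private_key, ciphertext_id, n=N_BITS, d=D):
    """Slides 19-20: a key for ID can use exactly the shares at positions where ID
    and the ciphertext identity ID' agree. With at least n-d of them, interpolation
    yields y (in the real scheme h^{r q(0)} = h^{ry}); with fewer it is impossible."""
    usable = [(i + 1, share) for (i, bit), share in private_key.items()
              if ciphertext_id[i] == bit]
    if len(usable) < n - d:
        return None
    return lagrange_at_zero(usable[: n - d])


def flip(ident, positions):
    """Constructed helper: copy of ident with the given bit positions toggled."""
    return [b ^ 1 if i in positions else b for i, b in enumerate(ident)]


def demo():
    """Key for ID = 10110010 against ciphertexts for ID' at Hamming distance 3 and 4."""
    y = 123456789
    authority = Authority(y)
    ident = [1, 0, 1, 1, 0, 0, 1, 0]
    sk = authority.extract(ident)
    near = flip(ident, {0, 3, 6})        # distance 3 <= d: 5 shares usable
    far = flip(ident, {0, 3, 6, 7})      # distance 4 >  d: only 4 shares usable
    return (hamming(ident, near), recover(sk, near),
            hamming(ident, far), recover(sk, far))


if __name__ == "__main__":
    print(demo())   # (3, 123456789, 4, None)
```

The key holder never receives a share for the bit value it does not have at a position, which is why a ciphertext identity at distance d+1 leaves only n-d-1 usable points and the degree n-d-1 polynomial cannot be interpolated.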
21. Security
- Proof in the Selective-ID model
- Attacker cannot attack a ciphertext encrypted under any pre-specified ID
- Reduce to distinguishing between the tuples
- (g^a, g^b, g^c, h^{bc/a})
- (g^a, g^b, g^c, h^z)
22. Practicality?
- Expect 50 bits in some biometrics
- E.g. voice sample
- Approximately 80 ms for a bilinear map computation
- ⇒ Around 4 s for decryption
23. Related Work
- Identity Based Encryption
- Boneh and Franklin (2001)
- Canetti, Halevi, and Katz (2003)
- Encryption with Biometrics
- Monrose, Reiter, et al. (2002)
- Fuzzy Schemes
- Davida, et al. (1998)
- Juels and Wattenberg (1999)
25. Receiver Anonymity via Incomparable Public Keys
- Work with Ed Felten and Amit Sahai
- CCS 03
26. An Anonymous Encounter
- Communicate later
- Encryption
- Anonymity
27. Receiver Anonymity
- Alice can give Bob information that he can use to send messages to Alice, while keeping her true identity secret from Bob.
(Diagram: Bob and Alice with the Bulletin Board alt.anonymous.messages; Alice's Anonymous ID reads "Where are good Hang Gliding spots? Send to alt.anonymous.messages")
28. Receiver Anonymity
- Anonymous Identity
- Information allowing a sender to send messages to an anonymous receiver
- May contain routing and encryption information
- Requirements
- Receiver is anonymous even to the sender
- Anonymous Identity can be used several times
- Communication is secret (encrypted)
- Messages are received efficiently
29. A Common Method
Alice anonymously receives encrypted messages from both Bob and Charlie by reading a newsgroup.
(Diagram: Bob, Alice and Charlie with the Bulletin Board alt.anonymous.messages. Anonymous ID 1: "Where are good Hang Gliding spots? Send to alt.anonymous.messages. Encrypt with a45cd79e". Anonymous ID 2: "What Biology conferences are interesting? Send to alt.anonymous.messages. Encrypt with a45cd79e")
30. Encryption Key is Part of the Identity
Bob and Charlie collude and discover that they are encrypting with the same public key and thus are sending messages to the same person.
(Diagram: as on slide 29; both Anonymous IDs say "Encrypt with a45cd79e")
31. Encryption Key is Part of the Identity
Bob and Charlie then aggregate what they each know about the Anonymous Receiver and are able to compromise her anonymity.
(Diagram: as on slide 29; Bob and Charlie conclude "Hang Gliding + Biology ⇒ Alice")
32-33. Independent Public Key per Sender
Alice creates a separate public/private key pair for each sender. Upon receiving a message on the newsgroup Alice tries all her private keys until one matches or she has tried them all.
(Diagram: Bob encrypts with a45cd79e and Charlie with 207c5edb; Alice's "Keys to Try" list starts as 48b33c03, ae668f53 and grows with every sender: 48b33c03, 43bca289, ae668f53, 86cf1943, 56734ba, b9034d40, 40b2f68c, 075ca5ef, 2fce8473, ...)
34. Incomparable Public Keys
- Receiver generates a single secret key
- Receiver generates several Incomparable Public Keys (one for each Anonymous Identity)
- Receiver uses the secret key to decrypt any message encrypted with any of the public keys
- Holders of Incomparable Public Keys cannot tell if any two keys are related (correspond to the same private key)
35. Efficiency of Incomparable Public Keys
Alice creates one secret key and distributes a different Incomparable Public Key to each sender.
(Diagram: Bob encrypts with a45cd79e and Charlie with 207c5edb; Alice's "Keys to Try" list is the single key 48b33c03)
36. Construction of Incomparable Public Keys
- Based on ElGamal encryption
- All users share a global (strong) prime p
- Operations are performed in the group of Quadratic Residues of Z_p
- Secret Key Generation
- Choose an ElGamal secret key a
- Generate a new Incomparable Public Key
- Pick a random generator, g, of the group
- Public key is (g, g^a)
37-41. Security Intuition
- Cannot distinguish equivalent keys (g, g^a), (h, h^a) from non-equivalent ones (g, g^a), (h, h^b)
- Assuming Decisional Diffie-Hellman is hard
- However, this is not enough if the receiver might respond to a message
(Diagram: Bob holds (g, g^a) and Charlie holds (h, h^a); they pair-wise multiply to obtain (gh, (gh)^a). Alice can decrypt messages encrypted with this new key.)
42. Models of Receivers
- Passive Receiver Model
- Receiver gathers and decrypts messages, but gives no indication to the sender about whether decryption was successful
- Receiver cannot ask for retransmission if the expected message is not received
- Might be realistic in a few cases
- Active Receiver Model
- Receiver decrypts messages and can interact with the sender
43. Solution to Active Receiver Model
- Record keys that were validly created
- The ciphertext will contain a proof about which key was used for encryption
- The private key holder can alternatively distribute each Incomparable Public Key with its MAC
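Slides 36-43 taken together, as an added example that is not the talk's code nor the GnuPG implementation it describes: ElGamal over the quadratic-residue subgroup, one secret key a behind several public keys (g, g^a) with fresh random generators, the pair-wise multiplied key of slide 40 that Alice's secret still decrypts, and slide 43's MAC-per-key alternative, under which Alice only answers ciphertexts whose key carries a tag she issued. The 10-bit safe prime, the message value and the HMAC-SHA256 tag format are constructed choices for this example.

```python
import hashlib
import hmac
import secrets

# Constructed toy group, not the talk's parameters: a safe prime p = 2q + 1 and the
# subgroup of quadratic residues of Z_p^*, which has prime order q (slide 36).
# Real deployments use a 2048-bit-class prime; 1019 only keeps the arithmetic small.
P = 1019
Q = (P - 1) // 2


def random_generator():
    """Random generator of the quadratic-residue subgroup: squaring any element of
    Z_p^* lands in the subgroup, and every element other than 1 generates it."""
    while True:
        g = pow(secrets.randbelow(P - 2) + 2, 2, P)
        if g != 1:
            return g


class Receiver:
    """Alice: one ElGamal secret key a for all her Incomparable Public Keys, plus a
    MAC key so she can recognise keys she actually issued (slide 43's alternative)."""

    def __init__(self):
        self.a = secrets.randbelow(Q - 1) + 1
        self.mac_key = secrets.token_bytes(32)

    def _tag(self, g, y):
        return hmac.new(self.mac_key, f"{g},{y}".encode(), hashlib.sha256).digest()

    def new_incomparable_public_key(self):
        """Fresh random generator g, public key (g, g^a), tagged with its MAC."""
        g = random_generator()
        y = pow(g, self.a, P)
        return (g, y, self._tag(g, y))

    def decrypt(self, ciphertext):
        """Plain ElGamal decryption; works for any key of the form (g, g^a)."""
        c1, c2 = ciphertext
        return c2 * pow(c1, -self.a, P) % P

    def verify_and_decrypt(self, pk_used, ciphertext):
        """Active-receiver defence: only answer ciphertexts under a key Alice issued."""
        g, y, tag = pk_used
        if not hmac.compare_digest(tag, self._tag(g, y)):
            return None
        return self.decrypt(ciphertext)


def encrypt(pk, m):
    """ElGamal encryption of a group element m under public key (g, g^a)."""
    g, y, _ = pk
    k = secrets.randbelow(Q - 1) + 1
    return (pow(g, k, P), m * pow(y, k, P) % P)


def combine_keys(pk1, pk2):
    """Pair-wise multiplication of two keys (slide 40): (gh, g^a h^a) = (gh, (gh)^a).
    Alice never issued it, so it carries no valid tag (all-zero placeholder)."""
    g1, y1, _ = pk1
    g2, y2, _ = pk2
    return (g1 * g2 % P, y1 * y2 % P, bytes(32))


def demo():
    """Bob's and Charlie's keys look unrelated yet both decrypt under Alice's one
    secret; the multiplied key decrypts too, but fails the MAC check."""
    alice = Receiver()
    pk_bob = alice.new_incomparable_public_key()
    pk_charlie = alice.new_incomparable_public_key()
    m = 4                                   # constructed message, a quadratic residue mod P
    bob_ok = alice.verify_and_decrypt(pk_bob, encrypt(pk_bob, m)) == m
    charlie_ok = alice.verify_and_decrypt(pk_charlie, encrypt(pk_charlie, m)) == m
    combined = combine_keys(pk_bob, pk_charlie)
    ct = encrypt(combined, m)
    raw_combined = alice.decrypt(ct) == m   # True: the shared secret a still works
    checked_combined = alice.verify_and_decrypt(combined, ct)   # None: never issued
    return bob_ok, charlie_ok, raw_combined, checked_combined


if __name__ == "__main__":
    print(demo())   # (True, True, True, None)
```

The tag is what turns the pair-wise multiplied key from a working key into a rejected one; in the passive receiver model of slide 42 this check is unnecessary because Alice never reveals whether decryption succeeded.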
44. Efficiency
- Efficiency is comparable to standard ElGamal
- One exponentiation for encryption
- Two exponentiations for decryption and
verification of a message
45. Implementation
- Implemented Incomparable Public Keys by extending GnuPG (PGP) 1.2.0
- Available at http://www.cs.princeton.edu/bwaters/research/
46. Related Work
- Bellare et al. (2001)
- Introduce notion of Key-Privacy
- If Key-Privacy is maintained an adversary cannot match ciphertexts with the public keys used to create them
- The authors do not consider anonymity from senders
- Pfitzmann and Waidner (1986)
- Use of multicast address for receiver anonymity
- Discuss implicit vs. explicit marks
47. Related Work (cont.)
- Chaum (1981)
- Mix-nets for sender anonymity
- Reply addresses usable only once
- Other work follows this line
49. Keyword Search on Asymmetrically Encrypted Data
- Work with Dirk Balfanz, Glenn Durfee, and Dianna Smetters
- NDSS 04
50. A Conference Room
(Diagram: records of the room's activity written to untrusted record storage. Example Keywords: Alice Smith, Faculty, ZebraNet, Facilities)
51. Desirable Characteristics
- Data Access Control
- Entries may be sensitive to individuals or the log owner
- Searchability
- Search for log entries on specific criteria
- e.g. keyword search
- Tension between the two goals
52. Requirements
- Data Access Control
- Entries must be encrypted on untrusted storage
- Forward security in case the auditing device becomes compromised ⇒ asymmetric encryption
- Limit the scope of data released to that of the search
- Searchability
- Be able to efficiently retrieve entries based on certain criteria
- We focus on keyword search
53. Delegating Search Capabilities
(1) The investigator requests a capability to search for all records that match the keyword ZebraNet; the Escrow Agent, holding the master secret, issues the capability for the search.
(2) The investigator submits the capability to the audit log and receives only the entries (records) that the capability matches.
54-62. Search on Asymmetrically Encrypted Data
(Diagram build: the Escrow Agent holds the master secret; records are stored as Encrypted Data. Keywords must not be in the clear! No information is learned from the encrypted data itself. Embed decryption in the search: a Record carries Keywords such as ZebraNet, Funding, Alice Smith alongside its Encrypted Data.)
63-76. Using IBE to Search on Asymmetrically Encrypted Data
(Diagram build: for each keyword of a record, e.g. ZebraNet and Funding, the log stores an IBE encryption of FLAG and K under that keyword; the searcher attempts IBE decryption on each part, which yields bit strings such as 011010 or 0011100 on a mismatch and FLAG K on a match.)
- FLAG used to test
- K to decrypt on match
- Key-privacy property ⇒ keywords kept private
- Pairing operation per keyword
- Attempt IBE decryption on each part
- Test for presence of FLAG
- On match use K to decrypt document
77. We want to type keywords
- Pairing per keyword in document
78. Performance
- Encryption
- One pairing per keyword in document
- One exponentiation per keyword
- Search/Decryption
- One pairing per keyword per document
79-80. Optimizations
- Cache pairings of frequently used keywords
- e.g. ê(ZebraNet, sP)
- Only need a pairing per new keyword on encryption
- In the limit, the exponentiation per keyword is the dominant cost
- Reuse randomness for IBE encryption within one document
- Okay since the same public key cannot be used twice within one document
- In decryption only one pairing per document
- Save storage in log
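The log structure of slides 53 and 63-80 (a FLAG||K part per keyword, the FLAG test, K opening the body, and slide 80's single randomness per document so the searcher does one group operation per record), as an added example that is not the talk's code. It swaps the pairing-based Boneh-Franklin IBE for a pairing-free stand-in: the Escrow Agent derives a per-keyword secret s_w from its master secret and must publish y_w = G^s_w in a directory ahead of time, so the log device still holds no secrets, but the "type any keyword" property of slide 77 is exactly what the stand-in lacks and IBE provides. The group, the SHA-256 keystream cipher for record bodies, the 8-byte FLAG and the sample log entries are constructed for this example.

```python
import hashlib
import hmac
import secrets

# Constructed toy group (not the talk's pairing-based setting): safe prime p = 2q+1,
# generator G of the order-q quadratic-residue subgroup. Far too small for real use.
P = 1019
Q = (P - 1) // 2
G = 4
FLAG = b"FLAGFLAG"   # the FLAG of slides 65-76; 8 bytes so a chance match is ~2^-64


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def keystream_xor(key, data):
    """Toy symmetric cipher for the record body: XOR with a SHA-256 counter keystream.
    Stand-in for the authenticated cipher a real log would use."""
    out = b""
    ctr = 0
    while len(out) < len(data):
        out += hashlib.sha256(key + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return xor_bytes(data, out)


class EscrowAgent:
    """Holds the master secret. Stand-in for the IBE authority: the secret for keyword
    w is s_w = HMAC(master, w) and its public value y_w = G^s_w must be published in a
    directory in advance; Boneh-Franklin IBE removes that directory."""

    def __init__(self):
        self.master = secrets.token_bytes(32)

    def keyword_secret(self, w):
        h = hmac.new(self.master, w.encode(), hashlib.sha256).digest()
        return int.from_bytes(h, "big") % (Q - 1) + 1

    def public_directory(self, keywords):
        return {w: pow(G, self.keyword_secret(w), P) for w in keywords}

    def search_capability(self, w):
        """Step 1 of slide 53: the capability for keyword w is just s_w."""
        return self.keyword_secret(w)


def pad_for(shared):
    """One-time pad for a FLAG||K part, derived from the shared group element."""
    return hashlib.sha256(shared.to_bytes(2, "big")).digest()[: len(FLAG) + 16]


def make_record(directory, keywords, body):
    """Audit-log side: holds only public values. One randomness r per record (slide 80),
    one part per distinct keyword encrypting FLAG||K, body encrypted under K."""
    K = secrets.token_bytes(16)
    r = secrets.randbelow(Q - 1) + 1
    parts = [xor_bytes(FLAG + K, pad_for(pow(directory[w], r, P))) for w in set(keywords)]
    secrets.SystemRandom().shuffle(parts)   # do not reveal which part is which keyword
    return {"c1": pow(G, r, P), "parts": parts, "body": keystream_xor(K, body)}


def search(log, capability):
    """Step 2 of slide 53 with the slide 80 optimisation: one exponentiation c1^s_w
    per record, then test every part for FLAG; on a match use K to open the body."""
    hits = []
    for rec in log:
        pad = pad_for(pow(rec["c1"], capability, P))
        for part in rec["parts"]:
            plain = xor_bytes(part, pad)
            if plain.startswith(FLAG):
                hits.append(keystream_xor(plain[len(FLAG):], rec["body"]))
                break
    return hits


def demo():
    """Constructed conference-room log using the talk's example keywords."""
    agent = EscrowAgent()
    directory = agent.public_directory(
        ["Alice Smith", "Faculty", "ZebraNet", "Facilities", "Funding"])
    log = [
        make_record(directory, ["Alice Smith", "Faculty", "ZebraNet"], b"09:00 ZebraNet design review"),
        make_record(directory, ["Facilities"], b"10:30 projector repair"),
        make_record(directory, ["ZebraNet", "Funding"], b"14:00 ZebraNet grant meeting"),
    ]
    return {w: search(log, agent.search_capability(w))
            for w in ["ZebraNet", "Funding", "Facilities"]}


if __name__ == "__main__":
    for keyword, bodies in demo().items():
        print(keyword, bodies)
```

A capability for ZebraNet opens only the two records carrying that keyword and nothing else, which is the "limit scope of data released to that of the search" requirement of slide 52; a compromised log device yields only the directory and the ciphertexts, never a capability.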
81. Related Work
- Searching on Encrypted Data
- Boneh, Crescenzo, Ostrovsky and Persiano (2003)
- Song, Wagner and Perrig (2000)
- Identity Based Encryption
- Boneh and Franklin (2001)
82. Contributions
- Introduced notion of Fuzzy Identity Based Encryption
- Designed a Fuzzy IBE scheme based on bilinear maps
- Proof of security
- Developed a novel method for anonymously receiving messages
- Introduced notion of Incomparable Public Keys
- Implementation in GnuPG
- Provably secure in both Random Oracle and standard models
83. Contributions
- Designed a scheme for keyword search on asymmetrically encrypted data
- Adapted BF IBE method
- Developed techniques for improving performance
84-85. Future Work (Fuzzy IBE)
- Extends to set overlap metric
- Hash arbitrary strings into identities
- ID = {brown-hair, Explorer}
- More biometrics
- Access Control
- Dating? (match 3 out of 4: Blond, Grad Student, Curly, Beat Brent in bowling)
86. Thanks!
- Ed Felten
- Amit Sahai
- Committee
- Fellow Students