Title: Privacy-Preserving Transaction Escrow
1 Privacy-Preserving Transaction Escrow
Stas Jarecki, Pat Lincoln, Vitaly Shmatikov
UC Irvine, SRI International
2 Data Collection is a Threat to Privacy
- Financial transaction records
  - Detection of fraud and money laundering
- Medical research databases
  - Research queries
- Computer network monitoring
  - Intrusion detection
- Law enforcement
  - Airline passenger databases (CAPPS II, JetBlue debacle, etc.)
- Research question
  - Can we enable (some) data monitoring while protecting (some) data privacy?
3 Approaches To Privacy Protection
- Access control
  - Only trusted parties may initiate queries
  - Disallow intruder from asking questions
- Protected execution environments
  - Required trusted computing platform
  - Limit extraction of data
  - Introduce random variations
- Encrypted databases
  - Rely on cryptographic techniques
  - Even raw data do not leak information
4 Access Control
- Only allow trusted people to initiate queries
  - In some medical databases, only 1 trusted individual is authorized to perform queries
  - Reviews suggested queries and their results for privacy implications
  - Maintains per-user and global history of queries and responses
- How to separate good and bad queries in an untrusted computing environment?
  - Government agency insiders can search internal databases at whim
  - IRS employees can snoop on their neighbors' returns
  - Purpose of a query may be hard to determine
  - Visa knows all your credit card transactions
  - HMO knows your entire medical history
Aldrich Ames
5 Protected Execution
- Restrict queries
- Use digital rights management or data labeling
- Randomize individual values preserving global statistical properties
- Suppress and generalize for k-anonymity
- None of these help against the attacker who has access to the underlying database
- This requires trusted computing platform
- How to specify and enforce data access policies?
6 Our Goal: Protect Data After Collection
[Figure: a data collection agency holds the collected data; on a data query attempt, allowed queries are easy and disallowed queries are infeasible]
- Research questions
  - What query patterns can be efficiently supported?
  - How private can the inaccessible data remain?
7 Related Problems
[Figure: a data collection agency holds the collected data; on a data query attempt, allowed queries are easy and disallowed queries are infeasible]
- Stronger than privacy-preserving data mining
  - We want to have provable data privacy
- Harder than search on encrypted data
  - In our threat model, data creators are not trusted to input correct data
  - E.g., money launderers will try to avoid detection
8 Basic Problem: Efficient Subpoena
- By default, all data should remain inaccessible to the agency
  - Data values are secret
  - Data creators are anonymous
- When some data creator U is subpoenaed, all his data should be revealed to the agency
  - Agency needs to escrow everyone's data
  - Once U is subpoenaed, agency must be able to efficiently identify all escrows related to U and efficiently open them
  - Everyone else's data should remain inaccessible
9 Problems with Public-Key Escrow
- Public-key escrow schemes provide either privacy, or efficiency, but not both
- Escrows are ciphertexts only: E_PK(U, m)
  - Full privacy
  - Very inefficient subpoena
  - If the decryption key is threshold-shared between several trustees, escrow agency must test each ciphertext by threshold decryption!!
- Escrows tagged by creator's identity: U, E_PK(m)
  - Subpoena is efficient
  - Privacy is compromised
  - Escrow agency learns who makes transactions, when, how often, whether transactions of U and U' are correlated, etc.
10 Our Transaction Escrow Scheme
- Transactions are escrowed in a way that makes information available only for controlled use
  - Efficient subpoena procedures (unlike public-key escrow)
  - Assured privacy and anonymity for personal data
  - Investigative pattern matching: escrows are opened automatically when they match some pattern (and only then!)
- No trusted parties
  - Secure against malicious escrow agent
  - Corrupt transaction participants cannot break privacy and anonymity of transactions between honest parties
- Provable security
  - Reduction to Decisional Diffie-Hellman in Random Oracle Model
11 Verifiable Transaction Escrow
[Figure labels: User; transaction (e.g., money transfer to Caymans); Transaction counterparty (e.g., bank)]
12 Escrows Must be Tagged
- Subpoena John Doe's wire transfers to Caymans
  - user U, type of transaction
- Nondeterministic tags: tag = F_PK() (U, type)
  - There might be an efficient procedure which identifies tags corresponding to a given (U, type) category
  - This takes at best 1 crypto op per each escrow
  - Inefficient for large data sets (10 million escrows, 1 day on PC)
- Deterministic tags: tag = F(U, type)
  - Identification of subpoenaed escrows takes O(1) crypto ops regardless of the size of the database!
13 Deterministic Tags Require Private Keys
- Efficient subpoena requires deterministic tagging
- Public-key deterministic tagging functions are vulnerable to guessing attacks
  - If escrow is tagged with Tag = F_pk(U, type), where F is a publicly computable deterministic function, then privacy is still compromised, since agency can identify U's escrows by re-computing F_pk(U, type)
- Need a private tagging function instead
  - Only the creator can compute the tag, using his private key
  - The tagging function needs to be verifiable so that the creator can prove that he has computed the tag correctly
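The contrast on this slide, as an added example that is not code from the talk or its authors: a publicly computable deterministic tag is explained by recomputing it over guessed (user, type) pairs, while a tag keyed with the creator's private key is not, yet still groups escrows of one category for O(1) lookup. SHA-256 and HMAC-SHA256 are stand-ins (HMAC is not verifiable, unlike the function the slide asks for), and all names, keys and transactions are constructed.

```python
import hashlib
import hmac

def public_tag(pk: bytes, user: str, ttype: str) -> str:
    # Deterministic and publicly computable: anyone who knows pk can recompute it.
    return hashlib.sha256(pk + f"|{user}|{ttype}".encode()).hexdigest()

def private_tag(user_sk: bytes, user: str, ttype: str) -> str:
    # Deterministic but keyed with the creator's private key. HMAC-SHA256 is a
    # stand-in here; it is not verifiable, unlike the function the slide calls for.
    return hmac.new(user_sk, f"{user}|{ttype}".encode(), hashlib.sha256).hexdigest()

def recompute_and_match(tags, pk, users, types):
    """Agency-side check: recompute the public tag for every guessed (user, type)
    and report which stored tags that explains."""
    guesses = {public_tag(pk, u, t): (u, t) for u in users for t in types}
    return {tag: guesses[tag] for tag in tags if tag in guesses}

def subpoena(db, tag):
    """O(1) lookup of all escrows stored under one tag (db maps tag -> escrows)."""
    return db.get(tag, [])

# Constructed sample data (hypothetical users, types and keys).
PK = b"agency-public-key"
KEYS = {"alice": b"alice-private-key", "bob": b"bob-private-key"}
TXNS = [("alice", "wire-to-caymans"), ("bob", "domestic-wire"),
        ("alice", "wire-to-caymans")]
USERS, TYPES = list(KEYS), ["wire-to-caymans", "domestic-wire"]

def build_db(tag_fn):
    db = {}
    for i, (u, t) in enumerate(TXNS):
        db.setdefault(tag_fn(u, t), []).append(f"ciphertext-{i}")
    return db

public_db = build_db(lambda u, t: public_tag(PK, u, t))
private_db = build_db(lambda u, t: private_tag(KEYS[u], u, t))

if __name__ == "__main__":
    print("public tags explained :", recompute_and_match(public_db, PK, USERS, TYPES))
    print("private tags explained:", recompute_and_match(private_db, PK, USERS, TYPES))
    alice_tag = private_tag(KEYS["alice"], "alice", "wire-to-caymans")
    print("subpoena alice        :", subpoena(private_db, alice_tag))
```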
14 Good Enough Privacy
- New notion: category-preserving privacy
- From two escrows e = Escrow(u, m, type) and e' = Escrow(u', m', type'), agency learns only whether (u, type) = (u', type')
  - u is creator's identity, m is transaction description, type is classification, e.g., "this is money transfer to Caymans"
- Agency does not learn what these categories are
  - The agency can tell that two transactions were performed by the same person, but cannot tell who that person is
  - The agency can tell that two escrows describe transactions of the same type, but cannot determine what that type is
15 Category-Preserving Privacy
- From two escrows e and e', data collection agency learns only whether category(e) = category(e')
- Weaker than perfect: agency learns that correlated categories exist (but not what they are)
  - If all escrows have the same category, then only one user is active
  - If two categories always arrive together, they are synchronized
- Good enough for massive data collection
  - With high transaction rates, correlations will be hard to find
  - Knowledge that some correlated categories exist seems harmless
16 Automatic Selective Revelation
- Useful capability: automatic selective revelation
  - Reveal all transactions of any person who made more than t=5 wire transfers to the Caymans in the last month
  - Escrows that do not match the condition must remain private
- With nondeterministic tags, this is infeasible
  - O(D^t) crypto ops (at least 1 crypto op per each subset of size t)
- With deterministic tags, this is easy
  - Agency only needs to look at escrows with the same tag
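One way to get "opened automatically when more than t escrows share a tag, and only then" is threshold secret sharing: each escrow carries one point of a degree-t polynomial fixed by the creator's key and the category. This is an added example, not the authors' code; the secret-sharing mechanism, the HMAC stand-in for the keyed function, the field modulus and all names are assumptions, since the slides do not say how revelation is implemented.

```python
import hashlib
import hmac
import secrets

P = 2**127 - 1   # prime modulus for the share arithmetic (assumed parameter)
T = 5            # reveal only categories with MORE than T escrows

def prf(key: bytes, label: bytes) -> int:
    # HMAC-SHA256 as a stand-in keyed function (not verifiable).
    return int.from_bytes(hmac.new(key, label, hashlib.sha256).digest(), "big") % P

def make_escrow(sk: bytes, user: str, ttype: str) -> dict:
    cat = f"{user}|{ttype}".encode()
    # Degree-T polynomial fixed by (sk, category); its constant term is the secret.
    coeffs = [prf(sk, b"coef%d|" % i + cat) for i in range(T + 1)]
    x = secrets.randbelow(P - 1) + 1          # fresh evaluation point per escrow
    y = sum(c * pow(x, i, P) for i, c in enumerate(coeffs)) % P
    return {"tag": "%032x" % prf(sk, b"tag|" + cat), "share": (x, y)}

def category_secret(sk: bytes, user: str, ttype: str) -> int:
    # What the creator knows and the agency should learn only past the threshold.
    return prf(sk, b"coef0|" + f"{user}|{ttype}".encode())

def interpolate_at_zero(points) -> int:
    # Lagrange interpolation of f(0) over GF(P).
    total = 0
    for j, (xj, yj) in enumerate(points):
        num = den = 1
        for m, (xm, _) in enumerate(points):
            if m != j:
                num = num * -xm % P
                den = den * (xj - xm) % P
        total = (total + yj * num * pow(den, -1, P)) % P
    return total

def reveal(escrows) -> dict:
    """Agency side: one pass to group by tag, then open only tags with > T escrows."""
    by_tag = {}
    for e in escrows:
        by_tag.setdefault(e["tag"], []).append(e["share"])
    return {tag: interpolate_at_zero(shares[:T + 1])
            for tag, shares in by_tag.items() if len(shares) > T}
```

In a full scheme the recovered value would be the key that decrypts that category's transaction ciphertexts; here it is only compared against the creator's own value.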
17 Efficiency and Good Enough Privacy
[Figure labels: User; Transaction counterparty (e.g., bank); transaction (e.g., money transfer to Caymans); Tagged escrow; Escrow agency; Escrowed data; Data access: efficient subpoena, automatic revelation]
18 Cryptographic Toolkit
[Figure labels: User; Transaction counterparty (e.g., bank); transaction (e.g., money transfer to Caymans); Tagged escrow; Escrow agency; Escrowed data]
Tagged escrow:
- Anonymous tag
- Encrypted transaction
- Private signature
Tools:
- Verifiable anonymous encryption
- Verifiable random function
- Anonymous and private signature, verifiable by interaction with the signer
19 Security Properties
- Subjects of monitoring cannot cheat
  - Subpoena and revelation of correct escrows cannot be avoided
- Malicious insiders of escrow agency are powerless
  - Category-preserving privacy protects data from agency insiders
  - Cannot frame individuals by inserting bogus records
- Malicious transaction counterparties cannot help the malicious escrow agency
  - Escrow submission and receipt verification protocols are unlinkable
20 Naive Verifiability Violates Privacy
[Figure labels: User; Counterparty; transaction (e.g., money transfer to Caymans); Tagged escrow; Escrow agency; Escrowed data]
Tagged escrow (e):
- Anonymous tag (t)
- Transaction ciphertext (c)
- Private signature (s)
21 Verifiability with Unlinkable Signatures
[Figure labels: User; Counterparty; transaction (e.g., money transfer to Caymans); Tagged escrow; Escrow agency; Escrowed data]
Tagged escrow (e):
- Anonymous tag (t)
- Transaction ciphertext (c)
- Private signature (s)
Unlinkable signatures: Camenisch-Lysyanskaya give us a signature scheme with ZK proof of signature possession
22 Automatic Selective Revelation
[Figure labels: Escrow database; Correctness verified; User]
23 Summary And Open Questions
- Broader class of patterns for selective revelation
  - Dynamically evolving patterns
  - Patterns not specific to an individual user
- Cumulative revelation criteria
  - Reveal cumulative transactions once their total value reaches a threshold (e.g., all transactions whose sum exceeds 10,000)
- Relaxing PKI assumptions
  - Is transaction escrow without users' private keys possible?
- Other notions of privacy
- Support for other data collection functionalities