PrivacyPreserving Transaction Escrow

1
Privacy-Preserving Transaction Escrow
Stas Jarecki Pat Lincoln Vitaly Shmatikov
UC Irvine SRI International
2
Data Collection is a Threat to Privacy

• Financial transaction records
• Detection of fraud and money laundering
• Medical research databases
• Research queries
• Computer network monitoring
• Intrusion detection
• Law enforcement
• Airline passenger databases
• (CAPPS II, JetBlue debacle, etc.)
• Research question
• Can we enable (some) data monitoring
• while protecting (some) data privacy?

3
Approaches To Privacy Protection

• Access control
• Only trusted parties may initiate queries
• Disallow intruder from asking questions
• Protected execution environments
• Required trusted computing platform
• Limit extraction of data
• Introduce random variations
• Encrypted databases
• Rely on cryptographic techniques
• Even raw data do not leak information

DB
DB
?
QO_at_
4
Access Control
DB

• Only allow trusted people to initiate queries
• In some medical databases, only 1 trusted
  individual is authorized to perform queries
• Reviews suggested queries and their results for
  privacy implications
• Maintains per-user and global history of queries
  and responses
• How to separate good and bad queries
• in an untrusted computing environment?
• Government agency insiders can search internal
• databases at whim
• IRS employees can snoop on their neighbors
  returns
• Purpose of a query may be hard to determine
• Visa knows all your credit card transactions
• HMO knows your entire medical history

Aldrich Ames
5
Protected Execution
DB

• Restrict queries
• Use digital rights management or data labeling
• Randomize individual values preserving global
  statistical properties
• Suppress and generalize for k-anonymity
• none of these help against the attacker who
• has access to the underlying database
• This requires trusted computing platform
• How to specify and enforce data access policies?

6
Our Goal Protect Data After Collection
Collected data
Data collection agency
1 0 1 0 0 0 1 0 0 1 1 1 1 1 0 1 0 0 1 0 1 0 0 1
1 0 1 1 0 0
Data query attempt
Allowed queries are easy
Disallowed queries are infeasible
X

• Research questions
• What query patterns can be efficiently supported?
• How private can the inaccessible data remain?

7
Related Problems
Collected data
Data collection agency
1 0 1 0 0 0 1 0 0 1 1 1 1 1 0 1 0 0 1 0 1 0 0 1
1 0 1 1 0 0
Data query attempt
Allowed queries are easy
Disallowed queries are infeasible
X

• stronger than privacy-preserving data mining
• We want to have provable data privacy
• harder than search on encrypted data
• In our threat model, data creators are not
  trusted to input correct data
• E.g., money launderers will try to avoid
  detection

8
Basic Problem Efficient Subpoena

• By default, all data should remain inaccessible
  to the agency
• Data values are secret
• Data creators are anonymous
• When some data creator U is subpoenaed, all his
  data should be revealed to the agency
• Agency needs to escrow everyones data
• Once U is subpoenaed, agency must be able to
  efficiently identify all escrows related to U and
  efficiently open them
• Everyone elses data should remain inaccessible

9
Problems with Public-Key Escrow

• Public-key escrow schemes provide
• either privacy, or efficiency, but not both
• Escrows are ciphertexts only EPKU,m
• Full privacy
• Very inefficient subpoena
• If the decryption key is threshold-shared between
  several trustees, escrow agency must test each
  ciphertext by threshold decryption!!
• Escrows tagged by creators identity U, EPKm
• Subpoena is efficient
• Privacy is compromised
• Escrow agency learns who makes transactions,
  when, how often, whether transactions of U and U
  are correlated, etc.

10
Our Transaction Escrow Scheme

• Transactions are escrowed in a way that makes
• information available only for controlled use
• Efficient subpoena procedures (unlike public-key
  escrow)
• Assured privacy and anonymity for personal data
• Investigative pattern matching escrows are
  opened automatically when they match some pattern
  (and only then!)
• No trusted parties
• Secure against malicious escrow agent
• Corrupt transaction participants cannot break
  privacy and
• anonymity of transactions between honest
  parties
• Provable security
• Reduction to Decisional Diffie-Hellman in Random
  Oracle Model

11
Verifiable Transaction Escrow
User
transaction (e.g., money transfer to Caymans)
Transaction counterparty (e.g., bank)
12
Escrows Must be Tagged

• Subpoena John Does wire transfers to Caymans
• user U type of
  transaction
• Nondeterministic tags tagFPK() (U, type)
• There might be an efficient procedure which
  identifies tags corresponding to a given (U,
  type) category
• This takes at best 1 crypto op per each escrow
• Inefficient for large data sets (10 million
  escrows 1 day on PC)
• Deterministic tags tagF(U, type)
• Identification of subpoenaed escrows takes O(1)
  crypto ops regardless of the size of the database!

13
Deterministic Tags Require Private Keys

• Efficient subpoena requires deterministic tagging
• Public-key deterministic tagging functions are
  vulnerable to guessing attacks
• If escrow is tagged with TagFpk(U, type) where F
  is a publicly computable deterministic function,
  then
• privacy is still compromised
• since agency can identify Us escrows by
  re-computing Fpk(U,type)
• Need a private tagging function instead
• Only the creator can compute the tag, using his
  private key
• The tagging function needs to be verifiable so
  that the creator can prove that he has computed
  the tag correctly

14
Good Enough Privacy

• New notion category-preserving privacy
• From two escrows eEscrowu, m, type
• eEscrowu, m,
  type
• agency learns only whether (u, type) (u,
  type)
• u is creators identity, m is transaction
  description,
• type is classification, e.g., this is money
  transfer to Caymans
• Agency does not learn what these categories are
• The agency can tell that two transactions were
  performed by the same person, but cannot tell who
  that person is
• The agency can tell that two escrows describe
  transactions of the same type, but cannot
  determine what that type is

?
15
Category-Preserving Privacy

• From two escrows e and e data collection agency
• learns only whether category(e) category(e)
• Weaker than perfect agency learns that
  correlated categories exist (but not what they
  are)
• If all escrows have the same category, then only
  one user is active
• If two categories always arrive together, they
  are synchronized
• Good enough for massive data collection
• With high transaction rates, correlations will be
  hard to find
• Knowledge that some correlated categories exist
  seems harmless

16
Automatic Selective Revelation

• Useful capability automatic selective revelation
• Reveal all transactions of any person who made
  more than
• t5 wire transfers to the Caymans in the last
  month
• Escrows that do not match the condition must
  remain private
• With nondeterministic tags, this is infeasible
• O(Dt) crypto ops (at least 1 crypto op per each
  subset of size t)
• With deterministic tags, this is easy
• Agency only needs to look at escrows with the
  same tag

17
Efficiency and Good Enough Privacy
Escrow agency
User
Tagged escrow
transaction (e.g., money transfer to Caymans)
Data access
Tagged escrow
Efficient subpoena automatic revelation
Escrowed data
Transaction counterparty (e.g., bank)
18
Cryptographic Toolkit
Escrow agency
User
Tagged escrow
? Anonymous tag ? Encrypted transaction ? Private
signature
Verifiable anonymous encryption
Verifiable random function
Anonymous and private signature, verifiable by
interaction with the signer
transaction (e.g., money transfer to Caymans)
Tagged escrow
Escrowed data
Transaction counterparty (e.g., bank)
19
Security Properties

• Subjects of monitoring cannot cheat
• Subpoena and revelation of correct escrows cannot
  be avoided
• Malicious insiders of escrow agency are powerless
• Category-preserving privacy protects data from
  agency insiders
• Cannot frame individuals by inserting bogus
  records
• Malicious transaction counterparties cannot help
• the malicious escrow agency
• Escrow submission and receipt verification
  protocols are unlinkable

20
Naive Verifiability Violates Privacy
Tagged escrow (e)
User
Escrow agency
? Anonymous tag (t) ? Transaction ciphertext
(c) ? Private signature (s)
transaction (e.g., money transfer to Caymans)
Tagged escrow
Escrowed data
Counterparty
21
Verifiability with Unlinkable Signatures
Tagged escrow (e)
User
Escrow agency
? Anonymous tag (t) ? Transaction ciphertext
(c) ? Private signature (s)
transaction (e.g., money transfer to Caymans)
Tagged escrow
Unlinkable signatures Camenisch Lysyanskaya
give us a signature scheme with ZK proof of
signature possession
Escrowed data
Counterparty
22
Automatic Selective Revelation
Escrow database
Correctness verified ?
User
23
Summary And Open Questions

• Broader class of patterns for selective
  revelation
• Dynamically evolving patterns
• Patterns not specific to an individual user
• Cumulative revelation criteria
• Reveal cumulative transactions once their total
  value reaches a threshold (e.g., all transactions
  whose sum exceeds 10,000)
• Relaxing PKI assumptions
• Is transaction escrow without users private keys
  possible?
• Other notions of privacy
• Support for other data collection functionalities