Cloud based Analytics
Off-shoring application testing
desensitizing local data
Name | Post Code | Date of Birth | Balance | IBAN
Alice Doe | 64289 | 21.08.1978 | 52.650,77 | CH56 0483 5084 1385 0100 0
Ks3tcetqu15t | ahBd3jsdn | o2eh2UAb | 9SXbeA3aAjBN | nyve4uB5Na3dhfWpak3ehFpk
Name | Post Code | Date of Birth | Balance | IBAN
Alice Doe | 64289 | 21.08.1978 | 52.650,77 | CH56 0483 5084 1385 0100 0
?? | 64*** | 15.08.1978 | 53.012,62 | ??
UserID Credit
Alice € 8.000
Bob € 23.500
Token Credit
xH2ban6 € 8.000
P3b0Ws € 23.500
UserID Credit
Alice € 599
Token Credit
xH2ban6 € 599
– $H(uid) \to h$
– $H(Bob) = h\,?,\ H(Eve) = h\,?, \ldots$
– $H(key, uid) \to h$
UserID Credit
Alice € 125
Token Credit
JqNs58k € 125
Token Credit
JqNs58k € 8.000
4GLu8W € 23.500
Token Credit
JqNs58k € 599
Token Credit
JqNs58k € 125
UserID Credit
Alice € 125
$tok = H(uid)^{key}$
$\Delta = key' / key$
$tok' = tok^{\Delta} = H(uid)^{key'}$
$tok' = H(uid)^{key'}$
UserID Credit
Alice € 8.000
Bob € 23.500
Token Credit
xH2ban6 € 8.000
P3b0Ws € 23.500
UserID Vehicle Data
Alice 100.33.92
Token Vehicle Data
xH2ban6 100.33.92
UserID Browsing Profile
Alice 17:38 – URL
Token Browsing Profile
xH2ban6 17:38 – URL
$R \leftarrow Blind(uid)$, $R' \leftarrow Token(key, R)$, $tok \leftarrow Unblind(R')$
Messages: $R$, $R'$
$R = H(uid)^{N}$ for random nonce $N$
$R' = R^{key}$
$tok = R'^{1/N} = H(uid)^{key}$
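The key-update formulas ($tok' = tok^{\Delta}$) and the blind tokenization formulas ($R = H(uid)^N$, $R' = R^{key}$, $tok = R'^{1/N}$) can be run end to end. The following is an added example, not code from the slides; the toy group parameters, the SHA-256 hash-to-group mapping and all function names are assumptions made for illustration.

```python
import hashlib
import secrets

# Toy safe-prime group, constructed for this example: P = 2*Q + 1, both prime.
# The squares mod P form a subgroup of prime order Q, so exponents live in Z_Q.
# Real deployments use a standard large group or an elliptic curve.
P, Q = 2039, 1019


def hash_to_group(uid: str) -> int:
    """H(uid): map an identifier to a non-identity element of the subgroup."""
    h = int.from_bytes(hashlib.sha256(uid.encode()).digest(), "big")
    return pow(h % (P - 3) + 2, 2, P)  # base in [2, P-2], then squared


def keygen() -> int:
    return secrets.randbelow(Q - 1) + 1  # uniform in [1, Q-1]


def tokenize(key: int, uid: str) -> int:
    return pow(hash_to_group(uid), key, P)  # tok = H(uid)^key


def update_delta(key: int, new_key: int) -> int:
    return new_key * pow(key, -1, Q) % Q  # delta = key'/key in Z_Q


def update_token(tok: int, delta: int) -> int:
    return pow(tok, delta, P)  # tok' = tok^delta, no uid needed


def blind(uid: str):
    n = keygen()  # random nonce N, kept by the requester
    return n, pow(hash_to_group(uid), n, P)  # R = H(uid)^N


def token_blinded(key: int, r: int) -> int:
    # Reject anything outside the order-Q subgroup: an element of order 2
    # or 2Q would leak the parity of the key through R^key.
    if not 1 < r < P or pow(r, Q, P) != 1:
        raise ValueError("blinded input is not a valid subgroup element")
    return pow(r, key, P)  # R' = R^key


def unblind(n: int, r_prime: int) -> int:
    return pow(r_prime, pow(n, -1, Q), P)  # tok = R'^(1/N) = H(uid)^key
```

The data host only needs `update_delta`'s output to move stored tokens to the new key, and the token server in the blind variant never sees `uid` or the resulting token.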
Token Work
xH2ban6 IBM Research
Token Travel
xH2ban6 Zurich – Ispra , 04/09/17
Token Education
xH2ban6 PhD Cryptography
UserID Date of Birth Gender City
Alice 22.06.1971 female Ispra, IT
Bob 08.11.1988 male Zurich, CH
NYM City
e9SsB Ispra, IT
NYM Gender
3UBzp female
NYM Date of Birth
QN5Ru 22.06.1971
NYM City
e9SsB Ispra, IT
98BCA Zurich, CH
NYM Date of Birth
QN5Ru 22.06.1971
8xHMg 08.11.1988
NYM Gender
Yj6gF male
3UBzp female
Linkage
Obfuscation
NYM Gender City
3T3gq female ****, IT
kOLc6 male ****, CH
NYM Date of Birth City
GDA12 **.**.1988 Zurich, CH
0tU5r **.**.1971 Ispra, IT
ID Data
Bob.0411
Carol.2503
Dave.1906
ID Data
Alice.1210
Bob.0411
Carol.2503
Hospital
Doctor A
Health Insurance
Doctor B
Laboratory
Record of Bob.0411?
Hospital (ID | Data): ML3m5, sD7Ab, y2B4m
Doctor A (ID | Data): Hba02, P89dy, 912uj
Record of P89dy from Hospital?
Record of ML3m5 ?
Converter
Main ID | Doctor A | Hospital
Alice.1210 | Hba02 | 7twnG
Bob.0411 | P89dy | ML3m5
Carol.2503 | 912uj | sD7Ab
Unique ID
Bob.0411
Doctor A → Hospital. 02/26/2017…
User Portal for Bob.0411
Unique ID
Bob.0411
P89dy
ML3m5
Core Idea
X blindly computes
$nym_{i,A} \leftarrow PRF(key, uid_i)^{x_A}$
Record of P89dy at Hospital
blind conversion request
Record of ML3m5 ?
Record of P89dy ?
blind conversion
unblinding conversion response
Core Idea
X blindly computes
$nym_{i,B} \leftarrow nym_{i,A}^{x_B / x_A}$
Unique ID
Bob.0411
Audit Bulletin Board
Doctor A → Hospital. 02/26/2017
$C \leftarrow Enc(upk'', info)$
Core Idea
encryption scheme with randomizable public keys
$upk' \leftarrow RAND(upk)$
$upk'$, $upk''$
Insurance (ID | Data): 6Wz6P, fX4o7, RtE14
Invoice for RtE14
Invoice for ML3m5
Invoice for P89dy
→ paradigm shift: unlinkability per default, linkability only when necessary
Thanks! Questions?
BACKUP SLIDES
▪ servers and users can be fully corrupt
▪ converter at most honest-but-curious
Converter X: $k$, for each server: $x_A, x_B, x_C, \ldots$
Server A: $pk_A, sk_A$
User $U_i$: $uid_i$
[1] X and $U_i$ jointly compute $z_i \leftarrow OPRF(k, uid_i)$
[2] $U_i$ encrypts $z_i$ for $S_A$: $C_{nym} \leftarrow Enc(pk_A, z_i)$
[3] X blindly computes $nym_{i,A}$: $C'_{nym} \leftarrow C_{nym}^{x_A}$
[4] $S_A$ decrypts pseudonym: $nym_{i,A} \leftarrow Dec(sk_A, C'_{nym})$
Core Idea
Generation: X blindly computes $nym_{i,A} \leftarrow PRF(k, uid_i)^{x_A}$
Converter X: $k$, for each server: $x_A, x_B, x_C, \ldots$
Server A: $pk_A, sk_A$, $nym_{i,A}$
Server B: $pk_B, sk_B$, $nym_{i,B}$
[1] $S_A$ encrypts $nym_{i,A}$ under $S_B$'s key: $C \leftarrow Enc(pk_B, nym_{i,A})$
[2] X blindly transforms encrypted pseudonym: $C' \leftarrow C^{\Delta}$ with $\Delta = x_B / x_A$
$C' = Enc(pk_B, nym_{i,A})^{x_B / x_A}$
$C' = Enc(pk_B, PRF(k, uid_i)^{x_A})^{x_B / x_A}$
$C' = Enc(pk_B, PRF(k, uid_i)^{x_B})$
$C' = Enc(pk_B, nym_{i,B})$
[3] $S_B$ decrypts converted pseudonym: $nym_{i,B} \leftarrow Dec(sk_B, C')$
Messages: ($C$, $S_B$, qid), then ($C'$, $S_A$, qid)
Core Idea
Generation: X blindly computes $nym_{i,A} \leftarrow PRF(k, uid_i)^{x_A}$
Conversion: X blindly computes $nym_{i,B} \leftarrow nym_{i,A}^{x_B / x_A}$
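The three conversion steps can be traced with a concrete homomorphic scheme. This is an added example, not code from the slides: it assumes multiplicative ElGamal as Enc/Dec (the slides do not name the scheme), a toy group, $H(uid)^k$ as a stand-in for the PRF, and hypothetical function names.

```python
import hashlib
import secrets

# Toy safe-prime group, constructed for this example: P = 2*Q + 1.
# G = 2^2 generates the subgroup of prime order Q.
P, Q, G = 2039, 1019, 4


def rand_exp() -> int:
    return secrets.randbelow(Q - 1) + 1  # uniform in [1, Q-1]


def prf(k: int, uid: str) -> int:
    """Stand-in for PRF(k, uid_i): H(uid)^k in the order-Q subgroup."""
    h = int.from_bytes(hashlib.sha256(uid.encode()).digest(), "big")
    return pow(pow(h % (P - 3) + 2, 2, P), k, P)


def pseudonym(k: int, x_s: int, uid: str) -> int:
    return pow(prf(k, uid), x_s, P)  # nym_{i,S} = PRF(k, uid_i)^{x_S}


def elgamal_keygen():
    sk = rand_exp()
    return pow(G, sk, P), sk  # (pk, sk)


def enc(pk: int, m: int):
    r = rand_exp()
    return pow(G, r, P), m * pow(pk, r, P) % P  # (g^r, m * pk^r)


def dec(sk: int, c) -> int:
    c1, c2 = c
    return c2 * pow(c1, Q - sk, P) % P  # c2 * c1^{-sk}; c1 has order Q


def convert(c, x_a: int, x_b: int):
    """Converter X: C' = C^delta, delta = x_B / x_A, computed without sk_B."""
    delta = x_b * pow(x_a, -1, Q) % Q
    # Raising both components to delta gives an encryption of m^delta.
    return pow(c[0], delta, P), pow(c[1], delta, P)


def run_conversion(k: int, x_a: int, x_b: int, uid: str) -> int:
    pk_b, sk_b = elgamal_keygen()                # Server B's key pair
    c = enc(pk_b, pseudonym(k, x_a, uid))        # [1] S_A encrypts nym_{i,A}
    c_prime = convert(c, x_a, x_b)               # [2] X transforms blindly
    return dec(sk_b, c_prime)                    # [3] S_B obtains nym_{i,B}
```

`convert` touches only ciphertext components, so the converter learns neither `nym_{i,A}` nor `nym_{i,B}` while still mapping one to the other.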
Generation (Converter X, Server A): NymRequest, NymResponse, $nym_{i,A}$
Conversion (Server A, Converter X, Server B): ConvRequest, ConvResponse, $nym_{i,A}$, $nym_{i,B}$
Generation (Converter X, Server A)
NymRequest, $upk'$
NymResponse, $upk'$
$nym_{i,A}$, $upk'$
Conversion (Server A, Converter X, Server B)
ConvRequest, $upk''$
ConvResponse, $upk'''$
$nym_{i,B}$, $upk'''$
$usk$, $upk$: $upk$ is randomizable encryption key, $upk' \leftarrow RAND(upk)$
$C^* \leftarrow Enc(upk'', info)$
Audit Bulletin Board: $C^*$, …
decrypt all audit ciphertexts: $info \leftarrow Dec(usk, C^*)$ ?
$usk$, $upk$, $\{T_A, T'_A, T_B, \ldots\}$
Generation (Converter X, Server A)
$CT \leftarrow Enc(pk_A, T_A)$ … for random $T_A$
NymRequest, $upk'$, $CT$
NymResponse, $upk'$, $CT$
$T_A \leftarrow Dec(sk_A, CT)$
$nym_{i,A}$, $upk'$, $T_A$
Conversion (Server A, Converter X, Server B)
ConvRequest, $upk''$, $T_A$, $C^*_{T_A}$, $\pi_A$
ConvResponse, $upk'''$
$nym_{i,B}$, $upk'''$, $T_B$
Audit Bulletin Board
$T_A$, $C^*$
$T_A$, $C^*_{T_A}$
$T_A$, $C^*_{T_B}$
Tag Chain: $C^* \leftarrow Enc(upk'', info)$
$C^*_{T_A} \leftarrow Enc(upk'', T'_A)$ … for random $T'_A$
$C^*_{T_B} \leftarrow Enc(upk''', T_B)$ … for random $T_B$
decrypt ciphertext for $T_A$: $info \leftarrow Dec(usk, C^*)$
get new audit tags for $T_A$: $T'_A \leftarrow Dec(usk, C^*_{T_A})$, $T_B \leftarrow Dec(usk, C^*_{T_B})$
Signature scheme for homomorphic encodings
▪ concrete instantiation ~50ms computational time per party for conversion