DESCRIPTION
Personalized services attract high-value customers. Knowing the preferences and habits of an individual customer, it is possible to offer that customer well-customized and adapted services matching his needs and desires. This is advantageous for the entity offering the service (e.g., a retailer) as well, as it helps in creating additional sales or improving customer retention. The main unsolved problem today is that the profile of each individual customer would be necessary in order to create such services, posing severe risks regarding privacy and data protection. This paper proposes efficient encryption schemes that allow profiling to be outsourced while preserving privacy. The schemes ensure that the customer is always in control of his profile data, while making shopping data across multiple retailers available to third-party service providers so that they can provide targeted services.
SYSTEMATIC THOUGHT LEADERSHIP FOR INNOVATIVE BUSINESS
Privacy-Preserving Outsourced Profiling
Debmalya Biswas, Florian Kerschbaum
SAP Research, Karlsruhe, Germany
Stephan Haller
SAP Research, Zurich, Switzerland
© SAP 2007 / Page 2
Motivation
Personalized services attract high-value customers.
Knowing the preferences and habits of customers, it is possible to offer well-customized and adapted services.
This is advantageous for the entity offering the service (e.g., a retailer) as well, as it helps in creating additional sales or improving customer retention.
Challenges
The accuracy of profiling depends on the amount of data available.
In an ideal scenario, the profile of each individual customer would be available to create such personalized services.
However, the lack of trust prevalent in today’s world prevents customers from sharing their shopping history with profilers due to fear of privacy loss, possibility of spamming, data theft, etc.
Even retailers are unwilling to share their respective customer profiles with other retailers due to competitive reasons.
Contributions
Efficient encryption schemes enabling profiling in a privacy preserving fashion
Customer always remains in control of his shopping data exposed to the profilers.
Possible to profile on data from multiple retailers.
Customer shopping data is recorded directly by the respective retailers.
No additional overhead on the customers to enter their shopping data in the system.
Data can be stored at a 3rd party storage provider facility, i.e. outsourced.
Allows independent audits.
Prevents retailers from having to invest in their own infrastructure.
Problem Scenario
Retailers store customer shopping data at 3rd party storage facility.
Customers can verify their stored data, and also authorize keywords with respect to which Profilers can search their data.
The storage provider is not able to access any of the stored data.
[Figure: Customer (C), Retailer (R), Storage Provider (S) and Profiler (P), with the steps Purchase Goods, Store Shopping Data, Verify Shopping Data Integrity, Profiling and Send Targeted Services.]
Encryption Scheme 1: PERK
Combines two encryption schemes:
Proxy re-encryption: allows a ciphertext for A to be re-encrypted into a ciphertext for B (can be decrypted using B’s private key).
Search over encrypted data: Public-key Encryption with Keyword Search (PEKS)
Encryption Scheme 1: PERK
PERK consists of the following polynomial-time randomized algorithms:
KGEN(1^k) outputs a public-private key pair: (Apub, Apriv).
ENC(Apub, m) outputs cA1, the message m encrypted under public key Apub.
PRK(Apriv, Bpub) outputs a re-encryption key rkA→B that allows ciphertexts generated using A’s public key to be decrypted by B’s private key.
RENC(rkA→B, cA1) outputs the ciphertext cB2 generated by re-encrypting cA1 under rkA→B.
DEC(Bpriv, cB2) decrypts cB2 using Bpriv, returning the message m.
SENC(Apub, W, m) outputs a searchable encryption sW of message m under keyword W and Apub.
DOOR(Apriv, W) outputs a trapdoor tW that allows searching by keyword W.
TEST(Apub, sW, tW′) outputs the message m if W = W′.
Application of PERK to perform Privacy Preserving Profiling
Initial setup:
Retailer R and customer C run KGEN(1^k) to generate their respective public-private key pairs: (Rpub, Rpriv) and (Cpub, Cpriv).
Customer C registers with storage provider S: C sends to S his public key Cpub and contact details Cv and CAd on which he would like to receive verification and advertisement notifications. The reference uC of the newly created record is returned to C.
Customer C registers with retailer R: C sends the pair <Cpub, uC> to R.
R generates the re-encryption key rkR→C = PRK(Rpriv, Cpub) for C and stores it in the record referenced by uC.
Application of PERK to perform Privacy Preserving Profiling, Contd ...
For each shopping transaction performed by C at R:
Store C’s shopping transaction data at the designated storage space SD provided by S:
C presents a unique id rCi to R. rCi is the reference of the pre-allocated storage for C at SD by S.
R encrypts the shopping transaction data dCi of C under its public key Rpub, generating the ciphertext cR1 = ENC(Rpub, dCi).
R then stores the encrypted data cR1 in the record referenced by rCi at SD.
[Figure: Customer (C), Profiler (P), Retailer (R) and Storage Provider (S), with the steps Purchase Goods and Store Shopping Data.]
Application of PERK to perform Privacy Preserving Profiling, Contd ...
Verify the integrity of stored shopping transaction data at SD:
S updates the record referenced by rCi, re-encrypting cR1 under rkR→C, generating the ciphertext cC2 = RENC(rkR→C, cR1).
S sends a notification to C via Cv, notifying him that new shopping data is now available for verification at the data record referenced by rCi.
C accesses the ciphertext cC2 from SD by reference rCi.
C then decrypts cC2 using his secret key Cpriv to obtain dCi = DEC(Cpriv, cC2).
C is now in a position to verify the integrity of his stored shopping transaction data dCi at SD.
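The setup, store and verify steps above (ENC by R, RENC by S, DEC by C), as an added example that is not from the slides or the paper. The slides do not give the PERK construction, so this substitutes the classic BBS98 ElGamal-based proxy re-encryption; the group parameters, function bodies and SAMPLE_RECORD are assumptions made for illustration.

```python
import secrets

# RFC 2409 Oakley Group 1 safe prime (768-bit); 2 generates the subgroup of
# prime order Q. Demo-sized parameters, assumed here for illustration only.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A63A3620FFFFFFFFFFFFFFFF", 16)
Q, G = (P - 1) // 2, 2
SAMPLE_RECORD = b"tx=1;items=coffee,milk"  # constructed shopping record dCi

def kgen():
    """KGEN: returns (pub, priv) with pub = G^priv mod P."""
    priv = secrets.randbelow(Q - 1) + 1
    return pow(G, priv, P), priv

def enc(pub, data: bytes):
    """ENC: first-level ciphertext (m * G^r, pub^r) for one group element."""
    m = int.from_bytes(data, "big")
    if not 0 < m < P:
        raise ValueError("record must encode to a value in [1, P-1]")
    r = secrets.randbelow(Q - 1) + 1
    return (m * pow(G, r, P)) % P, pow(pub, r, P)

def prk(a_priv, b_priv):
    """PRK, BBS98 style: rk = b/a mod Q. BBS98 needs both secrets, unlike
    the slides' PRK(Apriv, Bpub)."""
    return (b_priv * pow(a_priv, -1, Q)) % Q

def renc(rk, ct):
    """RENC: turns pub_A^r into pub_B^r; the proxy never sees m."""
    c1, c2 = ct
    return c1, pow(c2, rk, P)

def dec(priv, ct):
    """DEC: G^r = c2^(1/priv), then m = c1 / G^r."""
    c1, c2 = ct
    g_r = pow(c2, pow(priv, -1, Q), P)
    m = (c1 * pow(g_r, -1, P)) % P
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

def store_and_verify(record: bytes = SAMPLE_RECORD):
    """R stores ENC(Rpub, dCi) at S, S applies RENC, C runs DEC."""
    r_pub, r_priv = kgen()              # retailer R
    _, c_priv = kgen()                  # customer C
    rk = prk(r_priv, c_priv)            # rkR->C, held by storage provider S
    c_r1 = enc(r_pub, record)           # what R writes to record rCi
    c_c2 = renc(rk, c_r1)               # S re-encrypts without decrypting
    return dec(c_priv, c_c2), dec(c_priv, c_r1)
```

In BBS98 the same rk, inverted, also works in the C to R direction, and S colluding with C can compute Rpriv = Cpriv / rk mod Q, so treat this only as a model of the data flow.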
[Figure: Customer (C), Profiler (P), Retailer (R) and Storage Provider (S), with the step Verify Shopping Data Integrity.]
Application of PERK to perform Privacy Preserving Profiling, Contd ...
C generates searchable encryptions: For each chosen keyword f,
C generates a corresponding searchable encryption value sf = SENC(Cpub, f, dCi). C then updates the shopping transaction record referenced by rCi at SD, inserting the ciphertext sf.
C gets the list of authorized service providers P1, ..., Pn with respect to keyword f from S.
C generates the trapdoor tf = DOOR(Cpriv, f), and sends it to P1, ..., Pn.
[Figure: Customer (C), Profiler (P), Retailer (R) and Storage Provider (S), with the steps Send Trapdoors and Profiling.]
Application of PERK to perform Privacy Preserving Profiling, Contd ...
Profiling:
For each authorized keyword f, Profiler P compares his trapdoor values tf with the searchable encryption values sf exposed by each customer C. On successful match, P obtains the shopping transaction data dCi = TEST(Cpub, sf, tf).
P uses the acquired shopping data of customers to perform profiling.
P provides targeted services to customers, notifying each customer C via CAd.
[Figure: Customer (C), Profiler (P), Retailer (R) and Storage Provider (S), with the steps Profiling and Send Targeted Services.]
Encryption Scheme 1: Security & Performance
Security:
The encryption scheme PERK = (KGEN, ENC, PRK, RENC, DEC, SENC, DOOR, TEST) is semantically secure against a chosen plaintext attack in the random oracle model assuming CoDDH is intractable.
Performance:
The trapdoors need to be generated only once per (authorized) Profiler, and not for each transaction.
If the set of keywords with respect to which C would like to expose his shopping data to P remains constant over time, then the trapdoors can also be generated as part of the initial setup.
Encryption Scheme 2: PERKd
Alternate scheme where the retailers and profilers agree on a pre-defined set of keywords for profiling.
Retailer R stores Customer C’s shopping data at storage facility S encrypted using its public key Rpub, and also generates searchable encryptions w.r.t. the pre-defined keywords.
S re-encrypts it to a form that can be decrypted by C’s private key Cpriv.
C verifies his shopping data and can choose (delete, NOT add) keywords w.r.t. which his data is exposed by providing corresponding trapdoors to Profiler P.
P can check if a customer shopping record contains a specific keyword using the given trapdoors.
Encryption Scheme 2: PERKd Comparison with PERK
No random oracles needed.
The retailer R, and not the Customer C, is responsible for generating the searchable encryptions w.r.t. the pre-defined keywords.
As such, no SENC algorithm in PERKd.
The other main difference is with respect to the type of data that finally becomes available to the profilers for profiling:
PERK outputs the whole shopping record on successful match.
PERKd only lets the profilers know if a shopping record of C contains a specific keyword.
Conclusion
We presented two encryption schemes to perform profiling in a privacy preserving fashion.
In comparison to the state-of-the-art:
Profiling across multiple retailers, not limited to a single retailer.
Full privacy control over own profile by the customer. Profilers only get access to portions of the shopping data that the customer explicitly gives them access to, and only in a pseudonymised fashion.
From a security perspective, this is the first proposal to combine proxy re-encryption and searchable encryption schemes.
Thank you and Questions