Cryptographic Algorithms for Privacy in an Age of Ubiquitous Recording
Transcript of Cryptographic Algorithms for Privacy in an Age of Ubiquitous Recording
Cryptographic Algorithms for Privacy in an Age of Ubiquitous Recording
Brent R. Waters. Advisor: Ed Felten
July, 2004
Brent Waters Cryptographic Protocols for Memex 2
Ubiquitous Recording
Imagine a world where everything is recorded.
With increases in storage technology and other factors, ubiquitous recording is becoming close to a reality.
Privacy concerns become very significant.
Privacy Problems
How do we encrypt information for someone who does not carry around any special devices?
How can someone receive messages anonymously?
How can we provide the functionality of keyword search while maintaining data confidentiality?
Contributions
Three Cryptographic Protocols
Fuzzy Identity Based Encryption • Encryption using biometrics
Receiver Anonymity via Incomparable Public Keys • CCS ’03
Keyword Search on Asymmetrically Encrypted Data • NDSS ’04
Fuzzy Identity Based Encryption
Current Research with Amit Sahai
A Medical Appointment
• Record visit, test results, etc.
• Encryption
• No portable device requirement (can’t carry an RSA public key)
Use Identity Based Encryption (IBE)
“My key is ‘Aaron Smith’”
• Public Key is an identifier string (e.g. “[email protected]”)
• Use global public parameters
• Master secret holder(s) can give out private keys to an individual that authenticates themselves
• Boneh and Franklin ’01
Problems with Standard IBE
What should the identities be?
• Names are not unique
• Don’t necessarily want to tie to SS#, Driver’s License…
First time users
• Don’t have identities yet
Certifying oneself to an authority can be troublesome
• Need documentation, etc.
Biometric as an Identity
<0110010…00111010010>
• Biometric stays with the human
• Should be unique (depends on quality of biometric)
• Have identity before registration
• Certification is natural
Biometric as an Identity
<0110010…00111010010>
Biometric measure changes a little each time
• Environment
• Difference in Sensors
• Small change in trait
Cannot use a biometric as an identity in current IBE schemes
<0110110…00111010110> <0100010…00111010110>
Fuzzy Identity Based Encryption
A secret key for ID can decrypt a ciphertext encrypted with ID’ iff Hamming Distance(ID,ID’) ≤ d
Figure: private key for ID = <0110010…00111010010>; ciphertext encrypted with ID’ = <0100110…00111010110>; decrypts to M
Fuzzy Identity Based Encryption
A secret key for ID can decrypt a ciphertext encrypted with ID’ iff Hamming Distance(ID,ID’) ≤ d
Figure: private key for ID = <0110010…00111010010>; ciphertext encrypted with ID’ = <0010110…00011110110>
Designing a Fuzzy IBE Scheme
n-bit identifiers, Hamming distance d
Two techniques:
• Shamir secret sharing using polynomials
• Bilinear maps
Secret Sharing
Pick a random degree n-1 polynomial q; the secret is q(x’)
Need n points to interpolate to the secret; with fewer, learn nothing
Bilinear Maps
$\hat{e}: G_1 \times G_1 \to G_2$
$G_1$ and $G_2$ have order $p$; $g$ is a generator of $G_1$ and $h$ a generator of $G_2$
$\hat{e}(g, g) = h$
$\hat{e}(g^a, g^b) = h^{ab}$
Setup
$x',\, x_{1,0},\, x_{1,1},\, x_{2,0},\, x_{2,1},\, \ldots,\, x_{n,0},\, x_{n,1}$: distinct values in $\mathbb{Z}_p$
$g^{t_{1,0}},\, g^{t_{1,1}},\, g^{t_{2,0}},\, g^{t_{2,1}},\, \ldots,\, g^{t_{n,0}},\, g^{t_{n,1}}$: random members of $G_1$
$h^{y'}$: a member of $G_2$
Key Generation
Pick a random polynomial q(x) of degree n-(d+1) such that q(x’) = y’
ID = < 0 1 1 … 0 >: the points depend on the identity of the private key
$g^{q(x_{1,0})/t_{1,0}},\; g^{q(x_{2,1})/t_{2,1}},\; g^{q(x_{3,1})/t_{3,1}},\; \ldots,\; g^{q(x_{n,0})/t_{n,0}}$
Encryption
Pick random r and encrypt message M as $C = M\,h^{r y'}$
ID’ = < 0 1 0 … 0 >: raise to r the public points that match the encryption key
$g^{r t_{1,0}},\; g^{r t_{2,1}},\; g^{r t_{3,0}},\; \ldots,\; g^{r t_{n,0}}$
Decryption
Suppose we have the secret key for ID, a ciphertext encrypted with ID’, and Hamming Distance(ID,ID’) ≤ d
Apply the bilinear map at n-d points where ID and ID’ agree
ID = < 0 1 1 … 0 >, ID’ = < 0 1 0 … 0 >
Ciphertext components: $g^{r t_{1,0}},\; g^{r t_{2,1}},\; g^{r t_{3,0}},\; \ldots,\; g^{r t_{n,0}}$
Private key components: $g^{q(x_{1,0})/t_{1,0}},\; g^{q(x_{2,1})/t_{2,1}},\; g^{q(x_{3,1})/t_{3,1}},\; \ldots,\; g^{q(x_{n,0})/t_{n,0}}$
Pairing the components at the agreeing positions (position 3 disagrees and is skipped): $h^{r q(x_{1,0})},\; h^{r q(x_{2,1})},\; \ldots,\; h^{r q(x_{n,0})}$
Decryption
Have n-d points of the polynomial r q(x) (in the exponent); can interpolate to get $h^{r q(x')} = h^{r y'}$
Ciphertext is $C = M\,h^{r y'}$
Divide out to get M
Security Proof for “Selective ID” model
• Attacker cannot attack ciphertext encrypted by any pre-specified ID
Reduce to distinguishing between the tuples $(g^a, g^b, g^c, h^{bc/a})$ and $(g^a, g^b, g^c, h^z)$
Practicality?
Expect ~50 bits in some biometrics
• E.g. voice sample
Approximately 80ms for a bilinear map computation
Around 4s for decryption
Related Work
Identity Based Encryption: Boneh and Franklin (2001); Canetti, Halevi, and Katz (2003)
Encryption with Biometrics: Monrose, Reiter, et al. (2002)
Fuzzy Schemes: Davida, et al. (1998); Juels and Wattenberg (1999)
Receiver Anonymity via Incomparable Public Keys
Work with Ed Felten and Amit Sahai. CCS ’03
An Anonymous Encounter
• Communicate later
• Encryption
• Anonymity
Receiver Anonymity
Alice can give Bob information that he can use to send messages to Alice, while keeping her true identity secret from Bob.
Figure: Alice hands Bob an Anonymous ID (“Where are good Hang Gliding spots?”; Send to: alt.anonymous.messages). Bob posts to the bulletin board alt.anonymous.messages, which Alice reads.
Receiver Anonymity
Anonymous Identity
• Information allowing a sender to send messages to an anonymous receiver
• May contain routing and encryption information
Requirements
• Receiver is anonymous even to the sender
• Anonymous Identity can be used several times
• Communication is secret (encrypted)
• Messages are received efficiently
A Common Method
Alice anonymously receives encrypted messages from both Bob and Charlie by reading a newsgroup.
Figure: bulletin board alt.anonymous.messages, with senders Bob and Charlie
Anonymous ID 1: “Where are good Hang Gliding spots?”; Send to: alt.anonymous.messages; Encrypt with: a45cd79e
Anonymous ID 2: “What Biology conferences are interesting?”; Send to: alt.anonymous.messages; Encrypt with: a45cd79e
Encryption Key is Part of the Identity
Bob and Charlie collude and discover that they are encrypting with the same public key and thus are sending messages to the same person.
Figure: bulletin board alt.anonymous.messages, with senders Bob and Charlie
Anonymous ID 1: “Where are good Hang Gliding spots?”; Send to: alt.anonymous.messages; Encrypt with: a45cd79e
Anonymous ID 2: “What Biology conferences are interesting?”; Send to: alt.anonymous.messages; Encrypt with: a45cd79e
Encryption Key is Part of the Identity
Bob and Charlie then aggregate what they each know about the Anonymous Receiver and are able to compromise her anonymity.
Figure: bulletin board alt.anonymous.messages, with senders Bob and Charlie
Anonymous ID 1: “Where are good Hang Gliding spots?”; Send to: alt.anonymous.messages; Encrypt with: a45cd79e
Anonymous ID 2: “What Biology conferences are interesting?”; Send to: alt.anonymous.messages; Encrypt with: a45cd79e
Hang Gliding + Biology => Alice
Independent Public Key per Sender
Alice creates a separate public/private key pair for each sender. Upon receiving a message on the newsgroup, Alice tries all her private keys until one matches or she has tried them all.
Figure: bulletin board alt.anonymous.messages; Bob and Charlie hold the public keys a45cd79e and 207c5edb
Keys to Try: 48b33c03, ae668f53
Independent Public Key per Sender
Figure: bulletin board alt.anonymous.messages; Bob and Charlie hold the public keys a45cd79e and 207c5edb
Keys to Try: 48b33c03, 43bca289, ae668f53, 86cf1943, 56734ba, b9034d40, 40b2f68c, 075ca5ef, 2fce8473, 207defb1, 70f4ba54, 04d2a93c, 398bac49, e3c8f522, b593f399, 46cce276
Incomparable Public Keys
Receiver generates a single secret key
Receiver generates several Incomparable Public Keys (one for each Anonymous Identity)
Receiver uses the secret key to decrypt any message encrypted with any of the public keys
Holders of Incomparable Public Keys cannot tell if any two keys are related (correspond to the same private key)
Efficiency of Incomparable Public Keys
Alice creates one secret key and distributes a different Incomparable Public Key to each sender.
Figure: bulletin board alt.anonymous.messages; Bob and Charlie hold the public keys a45cd79e and 207c5edb
Keys to Try: 48b33c03, 207defb1, 70f4ba54, 04d2a93c, 398bac49, e3c8f522, b593f399, 46cce276
Construction of Incomparable Public Keys
Based on ElGamal encryption
• All users share a global (strong) prime p
• Operations are performed in the group of Quadratic Residues of $\mathbb{Z}_p^*$
Secret Key Generation:
• Choose an ElGamal secret key a
Generate a new Incomparable Public Key:
• Pick a random generator, g, of the group
• Public key is $(g, g^a)$
Security Intuition
Cannot distinguish equivalent keys $(g, g^a)$, $(h, h^a)$ from non-equivalent ones $(g, g^a)$, $(h, h^b)$
• Assuming Decisional Diffie-Hellman is hard
However, this is not enough if the receiver might respond to a message
Figure: Bob and Charlie hold the keys $(g, g^a)$ and $(h, h^a)$. Pair-wise multiply: $(gh, (gh)^a)$
Alice can decrypt messages encrypted with this new key.
Models of Receivers
Passive Receiver Model
• Receiver gathers and decrypts messages, but gives no indication to the sender about whether decryption was successful
• Receiver cannot ask for retransmission if the expected message is not received
• Might be realistic in a few cases
Active Receiver Model
• Receiver decrypts messages and can interact with the sender
Solution to Active Receiver Model
Record keys that were validly created
The ciphertext will contain a “proof” about which key was used for encryption
The private key holder can alternatively distribute each Incomparable Public Key with its MAC
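The ElGamal construction (slide 36), the pair-wise key product (slides 40 and 41) and the recorded-key rule for the active receiver model (slide 43), as one added Python example; this is not the GnuPG extension or any code from the paper. The “proof about which key was used” is this example's own choice: a Fiat-Shamir Schnorr proof that the ciphertext's first component is a power of the claimed generator, which no one can produce for a recorded generator when the ciphertext was actually made under a combined key. The safe prime is generated at import with a Miller-Rabin test at a constructed 64-bit size (a deployment would use a fixed, much larger p); ActiveReceiver, proof_ok and combine_keys are names introduced here.

```python
import hashlib
import secrets


def _is_probable_prime(n, rounds=24):
    """Miller-Rabin; enough for a constructed toy modulus."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(2 + secrets.randbelow(n - 3), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def safe_prime(bits=64):
    """p = 2q + 1 with q prime: the quadratic residues mod p then form a group of prime order q."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if _is_probable_prime(q) and _is_probable_prime(2 * q + 1):
            return 2 * q + 1


P = safe_prime()          # constructed, toy-sized; all users would share one fixed p
Q = (P - 1) // 2


def random_generator():
    """Any non-trivial square is a generator of the order-q subgroup of quadratic residues."""
    while True:
        g = pow(2 + secrets.randbelow(P - 3), 2, P)
        if g != 1:
            return g


def gen_secret_key():
    """One ElGamal secret exponent a, shared by all of the receiver's incomparable public keys."""
    return 1 + secrets.randbelow(Q - 1)


def new_incomparable_public_key(a):
    """Fresh random generator g and key (g, g^a); under DDH (g, g^a) and (h, h^a) look unrelated."""
    g = random_generator()
    return (g, pow(g, a, P))


def _challenge(*vals):
    data = b"|".join(str(v).encode() for v in vals)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def encrypt(pk, m):
    """ElGamal under pk, plus a Schnorr proof of knowledge of k with c1 = g^k for this g."""
    g, ga = pk
    k = 1 + secrets.randbelow(Q - 1)
    c1, c2 = pow(g, k, P), m * pow(ga, k, P) % P
    w = 1 + secrets.randbelow(Q - 1)
    commit = pow(g, w, P)
    e = _challenge(g, ga, c1, commit)
    return {"pk": pk, "c1": c1, "c2": c2, "commit": commit, "s": (w + e * k) % Q}


def proof_ok(ct):
    """g^s == commit * c1^e holds only if c1 really is a power of the claimed g."""
    g, ga = ct["pk"]
    e = _challenge(g, ga, ct["c1"], ct["commit"])
    return pow(g, ct["s"], P) == ct["commit"] * pow(ct["c1"], e, P) % P


def decrypt(a, ct):
    # c1 has order q, so c1^(q-a) equals c1^(-a)
    return ct["c2"] * pow(ct["c1"], Q - a, P) % P


def combine_keys(pk1, pk2):
    """Pair-wise product (slide 40): (gh, (gh)^a) is again a valid key for the same secret a."""
    return (pk1[0] * pk2[0] % P, pk1[1] * pk2[1] % P)


class ActiveReceiver:
    """Slide 43: record every issued key; answer only ciphertexts proven to be under a recorded key."""

    def __init__(self):
        self.a = gen_secret_key()
        self.issued = set()

    def issue_key(self):
        pk = new_incomparable_public_key(self.a)
        self.issued.add(pk)
        return pk

    def receive(self, ct):
        if ct["pk"] not in self.issued or not proof_ok(ct):
            return None          # silence: a combined key gets no reaction and learns nothing
        return decrypt(self.a, ct)
```

The secret key alone would still decrypt a ciphertext made under the combined key, which is exactly the leak in the active receiver model; the recorded-key check plus the proof is what lets the receiver refuse to react without having to know which senders colluded.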
Efficiency
Efficiency is comparable to standard ElGamal
One exponentiation for encryption
Two exponentiations for decryption and verification of a message
Implementation
Implemented Incomparable Public Keys by extending GnuPG (PGP) 1.2.0
Available at http://www.cs.princeton.edu/~bwaters/research/
Related Work
Bellare et al. (2001)
• Introduce notion of Key-Privacy
• If Key-Privacy is maintained an adversary cannot match ciphertexts with the public keys used to create them
• The authors do not consider anonymity from senders
Pfitzmann and Waidner (1986)
• Use of multicast address for receiver anonymity
• Discuss implicit vs. explicit “marks”
Related Work (cont.)
Chaum (1981)
• Mix-nets for sender anonymity
• Reply addresses usable only once
• Other work follows this line
Keyword Search on Asymmetrically Encrypted Data
Work with Dirk Balfanz, Glenn Durfee, and Dianna Smetters
NDSS ’04
A Conference Room
Example Keywords: Alice Smith, Faculty, ZebraNet, Facilities
Figure: the record goes to storage (untrusted)
Desirable Characteristics
Data Access Control
• Entries may be sensitive to individuals or the log owner
Searchability
• Search for log entries on specific criteria
• e.g. keyword search
Tension between the two goals
Requirements
Data Access Control
• Entries must be encrypted on untrusted storage
• Forward security in case the auditing device becomes compromised => asymmetric encryption
• Limit the scope of data released to that of the search
Searchability
• Be able to efficiently retrieve entries based on certain criteria
• We focus on keyword search
Delegating Search Capabilities
Figure: Investigator, Escrow Agent (holds the master secret), and the stored records
1. The investigator requests a capability to search for all records that match keyword “ZebraNet”.
2. The investigator submits the capability to the audit log and receives only entries that the capability matches.
Search on Asymmetrically Encrypted Data
Figure: the Recording Device produces a Record tagged with the Keywords ZebraNet, Funding, Alice Smith and stores it as Encrypted Data. Keywords must not be in the clear! The Escrow Agent holds the master secret and issues Search Capabilities.
A Search Capability for “PlanetLab” matches nothing: no information is learned.
A Search Capability for “ZebraNet” matches the record; decryption is embedded in the search, so the matching Record and its Keywords are returned.
![Page 63: Cryptographic Algorithms for Privacy in an Age of Ubiquitous Recording](https://reader036.fdocuments.us/reader036/viewer/2022062501/56816828550346895dddb9ec/html5/thumbnails/63.jpg)
Brent Waters Cryptographic Protocols for Memex 63
Using IBE to Search on Asymmetrically Encrypted Data
Keywords
ZebraNet
Funding
Alice Smith
Record Recording Device
![Page 64: Cryptographic Algorithms for Privacy in an Age of Ubiquitous Recording](https://reader036.fdocuments.us/reader036/viewer/2022062501/56816828550346895dddb9ec/html5/thumbnails/64.jpg)
Brent Waters Cryptographic Protocols for Memex 64
Keywords
ZebraNet
Funding
Alice Smith
Record Recording Device
Using IBE to Search on Asymmetrically Encrypted Data
K
![Page 65: Cryptographic Algorithms for Privacy in an Age of Ubiquitous Recording](https://reader036.fdocuments.us/reader036/viewer/2022062501/56816828550346895dddb9ec/html5/thumbnails/65.jpg)
Brent Waters Cryptographic Protocols for Memex 65
Using IBE to Search on Asymmetrically Encrypted Data
Keywords
ZebraNet
Funding
Alice Smith
Record Recording Device
K
FLAG | K“ZebraNet”
![Page 66: Cryptographic Algorithms for Privacy in an Age of Ubiquitous Recording](https://reader036.fdocuments.us/reader036/viewer/2022062501/56816828550346895dddb9ec/html5/thumbnails/66.jpg)
Brent Waters Cryptographic Protocols for Memex 66
Using IBE to Search on Asymmetrically Encrypted Data
Keywords
ZebraNet
Funding
Alice Smith
Record Recording Device
K
FLAG | K“ZebraNet”
FLAG | K“Funding”
![Page 67: Cryptographic Algorithms for Privacy in an Age of Ubiquitous Recording](https://reader036.fdocuments.us/reader036/viewer/2022062501/56816828550346895dddb9ec/html5/thumbnails/67.jpg)
Brent Waters Cryptographic Protocols for Memex 67
FLAG | K“ZebraNet”
FLAG | K“Funding”
FLAG | K“Alice Smith”
Using IBE to Search on Asymmetrically Encrypted Data
Keywords
ZebraNet
Funding
Alice Smith
Record Recording Device
K
![Page 68: Cryptographic Algorithms for Privacy in an Age of Ubiquitous Recording](https://reader036.fdocuments.us/reader036/viewer/2022062501/56816828550346895dddb9ec/html5/thumbnails/68.jpg)
Brent Waters Cryptographic Protocols for Memex 68
•FLAG used to test
K to decrypt on match
Using IBE to Search on Asymmetrically Encrypted Data
Keywords
ZebraNet
Funding
Alice Smith
Record Recording Device
K
FLAG | K“ZebraNet”
FLAG | K“Funding”
FLAG | K“Alice Smith”
![Page 69: Cryptographic Algorithms for Privacy in an Age of Ubiquitous Recording](https://reader036.fdocuments.us/reader036/viewer/2022062501/56816828550346895dddb9ec/html5/thumbnails/69.jpg)
Brent Waters Cryptographic Protocols for Memex 69
•FLAG used to test
K to decrypt on match
•Key-privacy propertykeywords kept private
Using IBE to Search on Asymmetrically Encrypted Data
Keywords
ZebraNet
Funding
Alice Smith
Record Recording Device
K
FLAG | K“ZebraNet”
FLAG | K“Funding”
FLAG | K“Alice Smith”
![Page 70: Cryptographic Algorithms for Privacy in an Age of Ubiquitous Recording](https://reader036.fdocuments.us/reader036/viewer/2022062501/56816828550346895dddb9ec/html5/thumbnails/70.jpg)
Brent Waters Cryptographic Protocols for Memex 70
•FLAG used to test
K to decrypt on match
•Key-privacy propertykeywords kept private
•“Pairing” operation per keyword
Using IBE to Search on Asymmetrically Encrypted Data
Keywords
ZebraNet
Funding
Alice Smith
Record Recording Device
K
FLAG | K“ZebraNet”
FLAG | K“Funding”
FLAG | K“Alice Smith”
![Page 71: Cryptographic Algorithms for Privacy in an Age of Ubiquitous Recording](https://reader036.fdocuments.us/reader036/viewer/2022062501/56816828550346895dddb9ec/html5/thumbnails/71.jpg)
Brent Waters Cryptographic Protocols for Memex 71
Using IBE to Search on Asymmetrically Encrypted Data
Search Capability for “ZebraNet”
Figure: the record K, FLAG | K “ZebraNet”, FLAG | K “Funding”, FLAG | K “Alice Smith”; decryption attempts on the parts yield 011010…, 0011100… (no FLAG) and FLAG | K (match)
• Attempt IBE decryption on each part; test for presence of FLAG
• On match, use K to decrypt document
• Pairing per keyword in document
We want to type keywords
![Page 78: Cryptographic Algorithms for Privacy in an Age of Ubiquitous Recording](https://reader036.fdocuments.us/reader036/viewer/2022062501/56816828550346895dddb9ec/html5/thumbnails/78.jpg)
Brent Waters Cryptographic Protocols for Memex 78
Performance
Encryption
• One pairing per keyword in document
• One exponentiation per keyword
Search/Decryption
• One pairing per keyword per document
![Page 79: Cryptographic Algorithms for Privacy in an Age of Ubiquitous Recording](https://reader036.fdocuments.us/reader036/viewer/2022062501/56816828550346895dddb9ec/html5/thumbnails/79.jpg)
Brent Waters Cryptographic Protocols for Memex 79
Optimizations
Cache pairings of frequently used keywords
• e.g. ê(“ZebraNet”, sP)
• Only need a pairing per new keyword on encryption
• In the limit, the exponentiation per keyword is the dominant cost
Reuse randomness for IBE encryption within one document
• Okay since the same public key (keyword) is not used twice within one document
• In decryption, only one pairing per document
• Saves storage in the log
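The search scheme of the preceding slides and both optimizations, written out as an added toy example (this is not the author's code and not a pairing library). The bilinear map is a stand-in: a group element aP is the integer a modulo a constructed prime Q, and e(aP, bP) = a·b mod Q. That map is bilinear, so the data flow, the FLAG test and the operation counts are exercised faithfully, but discrete logarithms are trivial in it (the public parameter sP equals s), so it illustrates structure only. The names `h1`, `mask`, `RecordingDevice`, `search_capability` and `search`, the 8-byte `FLAG` value and the SHAKE-based symmetric layer are all assumptions of the example.

```python
"""Toy walk-through of IBE-based keyword search on asymmetrically encrypted data.

Group arithmetic is a stand-in (constructed for this example): aP is the integer
a mod Q, and the 'pairing' e(aP, bP) is a*b mod Q. Bilinear, but insecure.
"""
import hashlib
import secrets
from typing import Dict, List, Optional, Tuple

Q = 2**127 - 1          # toy group order (constructed; a Mersenne prime)
FLAG = b"FLAG-IBE"      # marker proving that an IBE decryption succeeded (assumed value)
KEY_LEN = 32            # length of the per-document symmetric key K

Record = Tuple[int, List[bytes], bytes]   # (U = rP, per-keyword parts, encrypted body)


def h1(keyword: str) -> int:
    """H1 of BF-IBE: map an identity (here a keyword) to a toy group element."""
    return int.from_bytes(hashlib.sha256(keyword.encode()).digest(), "big") % Q


def pairing(a: int, b: int) -> int:
    """Toy bilinear map e(aP, bP) = a*b mod Q. The target group is written
    additively, so 'raising to the power r' is multiplication by r."""
    return a * b % Q


def mask(gt: int, n: int) -> bytes:
    """H2 of BF-IBE: derive an n-byte one-time pad from a target-group element."""
    return hashlib.shake_256(gt.to_bytes(16, "big")).digest(n)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def stream(key: bytes, data: bytes) -> bytes:
    """Symmetric layer: XOR with a SHAKE keystream. Safe here only because K is
    fresh for every document (assumed construction, not from the slides)."""
    return xor(data, hashlib.shake_256(key).digest(len(data)))


def setup() -> Tuple[int, int]:
    """Returns (master secret s, public parameter sP). In the toy, sP == s."""
    s = secrets.randbelow(Q - 2) + 1
    return s, s


def search_capability(master_s: int, keyword: str) -> int:
    """Search capability = IBE private key for identity 'keyword': d = s*H1(keyword)."""
    return master_s * h1(keyword) % Q


class RecordingDevice:
    """Holds only public parameters plus a cache of e(H1(kw), sP) per keyword."""

    def __init__(self, sP: int):
        self.sP = sP
        self.pair_cache: Dict[str, int] = {}

    def encrypt(self, document: bytes, keywords: List[str]) -> Record:
        K = secrets.token_bytes(KEY_LEN)
        r = secrets.randbelow(Q - 2) + 1       # one r reused for every keyword of this document
        U = r                                  # rP, stored once per record (saves log space)
        parts = []
        for kw in sorted(set(keywords)):       # distinct identities only: r must not repeat per identity
            if kw not in self.pair_cache:      # a pairing is paid only for a keyword never seen before
                self.pair_cache[kw] = pairing(h1(kw), self.sP)
            gt = self.pair_cache[kw] * r % Q   # the per-keyword 'exponentiation' e(H1(kw), sP)^r
            parts.append(xor(FLAG + K, mask(gt, len(FLAG) + KEY_LEN)))
        return U, parts, stream(K, document)


def search(capability: int, record: Record) -> Optional[bytes]:
    """One pairing per document, then only a cheap XOR + FLAG test per part.
    Returns the decrypted document on a match, None otherwise."""
    U, parts, body = record
    pad = mask(pairing(capability, U), len(FLAG) + KEY_LEN)   # e(d_kw, rP)
    for part in parts:
        plain = xor(part, pad)
        if plain.startswith(FLAG):                             # FLAG present: this part was for our keyword
            return stream(plain[len(FLAG):], body)             # recover K, decrypt document
    return None


if __name__ == "__main__":
    s, sP = setup()
    device = RecordingDevice(sP)
    log = [device.encrypt(b"notes on ZebraNet funding", ["ZebraNet", "Funding", "Alice Smith"]),
           device.encrypt(b"lunch with Bob", ["Bob Jones", "Lunch"])]
    cap = search_capability(s, "ZebraNet")
    print([search(cap, rec) for rec in log])
```

The record exposes only U and the masked parts, so the log reveals neither the keywords nor K (key privacy), and the searcher holding a capability for one keyword learns nothing about parts encrypted to other keywords. Because every part of a record shares U, the searcher computes e(d_kw, U) once per record; each remaining part costs one XOR and a prefix compare. Reusing r is only sound because the set of keywords is deduplicated before encryption: encrypting FLAG | K twice under the same identity with the same r would reuse a one-time pad.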
![Page 81: Cryptographic Algorithms for Privacy in an Age of Ubiquitous Recording](https://reader036.fdocuments.us/reader036/viewer/2022062501/56816828550346895dddb9ec/html5/thumbnails/81.jpg)
Brent Waters Cryptographic Protocols for Memex 81
Related Work
Searching on Encrypted Data
• Boneh, Crescenzo, Ostrovsky and Persiano (2003)
• Song, Wagner and Perrig (2000)
Identity Based Encryption
• Boneh and Franklin (2001)
![Page 82: Cryptographic Algorithms for Privacy in an Age of Ubiquitous Recording](https://reader036.fdocuments.us/reader036/viewer/2022062501/56816828550346895dddb9ec/html5/thumbnails/82.jpg)
Brent Waters Cryptographic Protocols for Memex 82
Contributions
Introduced notion of Fuzzy Identity Based Encryption
• Designed a Fuzzy IBE scheme based on bilinear maps
• Proof of security
Developed novel method for anonymously receiving messages
• Introduced notion of Incomparable Public Keys
• Implementation in GnuPG
• Provably secure in both Random Oracle and standard models
![Page 83: Cryptographic Algorithms for Privacy in an Age of Ubiquitous Recording](https://reader036.fdocuments.us/reader036/viewer/2022062501/56816828550346895dddb9ec/html5/thumbnails/83.jpg)
Brent Waters Cryptographic Protocols for Memex 83
Contributions
Designed a scheme for keyword search on asymmetrically encrypted data
• Adapted BF IBE method
• Developed techniques for improving performance
![Page 84: Cryptographic Algorithms for Privacy in an Age of Ubiquitous Recording](https://reader036.fdocuments.us/reader036/viewer/2022062501/56816828550346895dddb9ec/html5/thumbnails/84.jpg)
Brent Waters Cryptographic Protocols for Memex 84
Future Work (Fuzzy IBE)
Extends to set overlap metric
• Hash arbitrary strings into identities
• ID = “brown-hair”, “Explorer”, …
More biometrics
Access Control
Dating?
• Blond
• Grad Student
• Curly
• Beat Brent in bowling
3 out of 4
![Page 86: Cryptographic Algorithms for Privacy in an Age of Ubiquitous Recording](https://reader036.fdocuments.us/reader036/viewer/2022062501/56816828550346895dddb9ec/html5/thumbnails/86.jpg)
Brent Waters Cryptographic Protocols for Memex 86
Thanks!
• Ed Felten
• Amit Sahai
• Committee
• Fellow Students
![Page 87: Cryptographic Algorithms for Privacy in an Age of Ubiquitous Recording](https://reader036.fdocuments.us/reader036/viewer/2022062501/56816828550346895dddb9ec/html5/thumbnails/87.jpg)