fast privacy preserving punch cards why go digital
play

Fast Privacy-Preserving Punch Cards Why go digital? Customer - PowerPoint PPT Presentation

Mar 29, 2024 •272 likes •754 views

Fast Privacy-Preserving Punch Cards Why go digital? Customer convenience No lost cards Better bookkeeping Hard to Counterfeit Contactless Why go digital? Customer convenience No lost cards Better bookkeeping Hard to Counterfeit

  1. Fast Privacy-Preserving Punch Cards

  6. Why go digital? Customer convenience No lost cards Better bookkeeping Hard to Counterfeit Contactless

  7. Why go digital? Customer convenience No lost cards Better bookkeeping Hard to Counterfeit Contactless

  8. Why go digital? Customer convenience No lost cards Better bookkeeping Hard to Counterfeit Contactless

  9. Why go digital? Why NOT go digital? Customer convenience Digital loyalty programs can be data-stealing monsters* No lost cards Better bookkeeping Hard to Counterfeit Contactless

  10. Can we get the benefits of digital loyalty programs Why go digital? Why NOT go digital? without sacrificing privacy? Customer convenience Digital loyalty programs can be data-stealing monsters* No lost cards Better bookkeeping Hard to Counterfeit Contactless

  11. Existing Approaches Anonymous credentials, eCash, uCentive - Give customers an unlinkable token for each purchase - Customer redeems by presenting a bunch of tokens - Work scales linearly in the number of hole punches

  12. Existing Approaches Recent line of work: BBA [JR16] , BBA+ [HHNR17] , UACS [BBDE19] , Bobolz et al. [BEKS20] - “Black-box accumulation”/“Updatable anonymous credentials” - Punch card storage and performance independent of number of punches - Support for broader functionalities - e.g., Offline double spending, negative points, partial redemption - Performance could be improved -- reliance on pairings, involved proofs - Mismatch between scheme and punch card deployment scenario

  13. Our Work Focus on real requirements for punch cards: - No long-term user identity tied to a public key - No server work to issue cards (avoids DoS) - Minimizes round complexity

  14. Our Work Focus on real requirements for punch cards: - No long-term user identity tied to a public key - No server work to issue cards (avoids DoS) - Minimizes round complexity Improves performance: - Removes reliance on pairings - 14x faster card punch, 25x less communication - 394x faster card redemption, 62x less communication

  15. Punch Card Functionality Server setup: initialize server secrets, database of redeemed cards Card issuance: issue a fresh punch card Card punch: add a punch to an existing punch card Card redemption/validation: submit a completed punch card for a reward

  16. Punch Card Security Privacy: Server can’t link any issuances, punches, or redemptions to each other Server can simulate everything it sees when issuing/punching/redeeming a card. Soundness: Client can’t redeem more punches than it has received Challenger allows adversary to punch and redeem cards. Adversary wins if more punches redeemed than given.

  17. First Attempt Idea: server raises group element to secret power for each punch

  18. First Attempt Client Server Issue Setup p 0 ← R G sk ← R Z q

  19. First Attempt Client Server Issue Setup p 0 ← R G sk ← R Z q Punch Punch p i sk p i+1 ← p i p i+1

  20. First Attempt Client Server Issue Setup p 0 ← R G sk ← R Z q Punch Punch p i sk p i+1 ← p i p i+1 Redeem Verify sk^n Accept iff 1. p n = p 0 p 0 ,p n 2. p 0 not redeemed before

  21. First Attempt Client Server Neither private Issue Setup nor sound! p 0 ← R G sk ← R Z q Punch Punch p i sk p i+1 ← p i p i+1 Redeem Verify sk^n Accept iff 1. p n = p 0 p 0 ,p n 2. p 0 not redeemed before

  22. Adding Privacy Idea: client masks punch card before sending to server

  23. Adding Privacy Idea: client masks punch card before sending to server Client Server Punch Punch m ← R Z q m p i ’ ← p i p i ’ p’ i+1 ← (p’ i ) sk p’ i+1 p i+1 ← (p’ i+1 ) m^-1

  24. Adding Privacy Idea: client masks punch card before sending to server Client Server Punch Punch m ← R Z q m p i ’ ← p i p i ’ p’ i+1 ← (p’ i ) sk p’ i+1 Only semihonest security! p i+1 ← (p’ i+1 ) m^-1

  25. Malicious Privacy Malicious attack: server raises one punch card to a different power

  26. Malicious Privacy Malicious attack: server raises one punch card to a different power Defense: Server provides proof that it raised card to the same power each time

  27. Malicious Privacy Malicious attack: server raises one punch card to a different power Defense: Server provides proof that it raised card to the same power each time Modify server setup to include pk = g sk Use Chaum-Pedersen Proof: Given g, pk, p , prove knowledge of sk s.t. pk=g sk , p’=p sk

  28. Adding Soundness Current redeem process: client sends p 0 ,p n Server checks p n = (p 0 ) sk^n , p 0 not redeemed before

  29. Adding Soundness Current redeem process: client sends p 0 ,p n Server checks p n = (p 0 ) sk^n , p 0 not redeemed before Attack: 1. Malicious client sends p 0 ,p n Server checks p n = (p 0 ) sk^n , p 0 not redeemed before, redeems n points 2.

  30. Adding Soundness Current redeem process: client sends p 0 ,p n Server checks p n = (p 0 ) sk^n , p 0 not redeemed before Attack: 1. Malicious client sends p 0 ,p n Server checks p n = (p 0 ) sk^n , p 0 not redeemed before, redeems n points 2. 3. Malicious client gets another punch on p n , acquires p n+1

  31. Adding Soundness Current redeem process: client sends p 0 ,p n Server checks p n = (p 0 ) sk^n , p 0 not redeemed before Attack: 1. Malicious client sends p 0 ,p n Server checks p n = (p 0 ) sk^n , p 0 not redeemed before, redeems n points 2. 3. Malicious client gets another punch on p n , acquires p n+1 4. Malicious client sends p 1 , p n+1 Server checks p n+1 = (p 1 ) sk^(n+1) , p 1 not redeemed before, redeems n points 5.

  32. Adding Soundness Current redeem process: client sends p 0 ,p n Server checks p n = (p 0 ) sk^n , p 0 not redeemed before Attack: 1. Malicious client sends p 0 ,p n Server checks p n = (p 0 ) sk^n , p 0 not redeemed before, redeems n points 2. 3. Malicious client gets another punch on p n , acquires p n+1 4. Malicious client sends p 1 , p n+1 Server checks p n+1 = (p 1 ) sk^(n+1) , p 1 not redeemed before, redeems n points 5. Client gets n+1 punches, redeems 2n points, breaks soundness

  33. Adding Soundness Idea: client can’t redeem a punch card p 0 unless it knows the preimage of a hash function (modeled as RO) that outputs p 0 Client Server

  34. Adding Soundness Idea: client can’t redeem a punch card p 0 unless it knows the preimage of a hash function (modeled as RO) that outputs p 0 Client Server Issue Setup id ← R {0,1} ƛ sk ← R Z q pk ← R g sk p 0 ← H(id)

  35. Adding Soundness Idea: client can’t redeem a punch card p 0 unless it knows the preimage of a hash function (modeled as RO) that outputs p 0 Client Server Issue Setup id ← R {0,1} ƛ sk ← R Z q pk ← R g sk p 0 ← H(id) ... ... Verify Redeem id,p n Accept iff 1. p n = H(id) sk^n 2. id not redeemed before

  36. Proving Soundness Proof in Algebraic Group Model (most prior work proven in more restrictive GGM) Adversaries in the AGM must accompany each group element they send with a representation of that group element in terms of previously seen elements In this model, DDH-style assumptions are equivalent to discrete log

  37. Proving Soundness Proof in Algebraic Group Model (most prior work proven in more restrictive GGM) Adversaries in the AGM must accompany each group element they send with a representation of that group element in terms of previously seen elements In this model, DDH-style assumptions are equivalent to discrete log Proof relies on hardness of d -discrete log assumption: given g, g x , g x^2 , g x^d , find x .

  38. Proving Soundness Let d- dlog group elements be X 0 =g, X 1 = g x , …, X d =g x^d 1.

  39. Proving Soundness Let d- dlog group elements be X 0 =g, X 1 = g x , …, X d =g x^d 1. 2. Set the server secret to be the d -dlog solution x

  40. Proving Soundness Let d- dlog group elements be X 0 =g, X 1 = g x , …, X d =g x^d 1. 2. Set the server secret to be the d -dlog solution x Program RO so that every hash output is of the form g r where the soundness 3. challenger knows r ← R Z q (but output still looks random to the adversary)

  41. Proving Soundness Let d- dlog group elements be X 0 =g, X 1 = g x , …, X d =g x^d 1. 2. Set the server secret to be the d -dlog solution x Program RO so that every hash output is of the form g r where the soundness 3. challenger knows r ← R Z q (but output still looks random to the adversary) 4. To punch a card, look at algebraic representation of punch card and replace each X i with X i+1 .

  42. Proving Soundness Let d- dlog group elements be X 0 =g, X 1 = g x , …, X d =g x^d 1. 2. Set the server secret to be the d -dlog solution x Program RO so that every hash output is of the form g r where the soundness 3. challenger knows r ← R Z q (but output still looks random to the adversary) 4. To punch a card, look at algebraic representation of punch card and replace each X i with X i+1 . 5. Soundness adversary who wins the soundness game produces a punch card r , which gives the challenger 2 whose representation does not include X n representations of X n . It can use this to break discrete log.

  43. Implementation Java (Android) wrapper around Rust implementation Main construction implemented using curve25519-dalek Evaluated on Pixel 1 (client) and recent Thinkpad laptop with i5 processor (server)

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Motivation Dramatic increase in digital data Privacy-Preserving Data Mining World Wide

Motivation Dramatic increase in digital data Privacy-Preserving Data Mining World Wide

Motivation Dramatic increase in digital data Privacy-Preserving Data Mining World Wide Web Growing Privacy Concerns Rakesh Agrawal Ramakrishnan Srikant A Surveys of web users IBM Almaden Research Center 17%

369 views • 8 slides
Fast & Faster Privacy-Preserving ML in Secure Hardware Enclaves Nick Hynes, Raymond

Fast & Faster Privacy-Preserving ML in Secure Hardware Enclaves Nick Hynes, Raymond

Fast & Faster Privacy-Preserving ML in Secure Hardware Enclaves Nick Hynes, Raymond Cheng, Dawn Song | UC Berkeley & Oasis Labs with support from the TVM team and community! Ideal: data providers pool data to train a large, complex

1.41k views • 58 slides
Privacy Preserving Protocols Workshop on Cryptography for the Internet of Things Jens Hermans KU

Privacy Preserving Protocols Workshop on Cryptography for the Internet of Things Jens Hermans KU

Privacy Preserving Protocols Privacy Preserving Protocols Workshop on Cryptography for the Internet of Things Jens Hermans KU Leuven - COSIC 20 November 2012 Privacy Preserving Protocols Introduction Cryptography in Daily Life RFID Privacy

1.04k views • 60 slides
Introduction Graphics cards can render a lot, and fast But never as much or as fast as

Introduction Graphics cards can render a lot, and fast But never as much or as fast as

10/3/2012 Introduction Graphics cards can render a lot, and fast But never as much or as fast as wed like! Updating the game world can involve a lot of Scene Management objects Consider Dragonfly doing collision detection

375 views • 3 slides
BLAZE: BLAZING FAST PRIVACY-PRESERVING MACHINE LEARNING ARPITA PATRA AND AJITH SURESH Ajith

BLAZE: BLAZING FAST PRIVACY-PRESERVING MACHINE LEARNING ARPITA PATRA AND AJITH SURESH Ajith

BLAZE: BLAZING FAST PRIVACY-PRESERVING MACHINE LEARNING ARPITA PATRA AND AJITH SURESH Ajith Suresh CrIS Lab, IISc https://www.csa.iisc.ac.in/~cris Outline q Secure Multi-party Computation (MPC) q MPC for small number of parties (3PC) q Our

2.46k views • 53 slides
AN EXTENSIBLE AND PRIVACY- PRESERVING MOBILE ID Michael Hlzl, MSc Institute of Networks and

AN EXTENSIBLE AND PRIVACY- PRESERVING MOBILE ID Michael Hlzl, MSc Institute of Networks and

AN EXTENSIBLE AND PRIVACY- PRESERVING MOBILE ID Michael Hlzl, MSc Institute of Networks and Security, JKU Linz IKT Sicherheitskonferenz 2017 26. September 2017, Villach Digital Identity: State of the Art OpenID: some (large) providers,

1.17k views • 18 slides
Privacy-preserving Information Sharing: Crypto Tools and Applications Emiliano De Cristofaro

Privacy-preserving Information Sharing: Crypto Tools and Applications Emiliano De Cristofaro

Privacy-preserving Information Sharing: Crypto Tools and Applications Emiliano De Cristofaro University College London (UCL) https://emilianodc.com Privacy-preserving what ? Parties with limited mutual trust willing or required to share

1.1k views • 66 slides
New Directions in Privacy- preserving Machine Learning Kamalika Chaudhuri University of

New Directions in Privacy- preserving Machine Learning Kamalika Chaudhuri University of

New Directions in Privacy- preserving Machine Learning Kamalika Chaudhuri University of California, San Diego Sensitive Data Medical Records Genetic Data Search Logs AOL Violates Privacy AOL Violates Privacy Netflix Violates Privacy [NS08]

957 views • 92 slides
Privacy-Preserving Computation with Trusted Computing via Scramble-then-Compute Hung Dang, Anh

Privacy-Preserving Computation with Trusted Computing via Scramble-then-Compute Hung Dang, Anh

Privacy-Preserving Computation with Trusted Computing via Scramble-then-Compute Hung Dang, Anh Dinh, Ee-Chien Chang, Beng Chin Ooi School of Computing National University of Singapore PETS 2017 Privacy-Preserving Computation with Trusted

477 views • 34 slides
Preserving the Privacy of Sensitive Relationships in Graph Data Motivation Valuable Data! No

Preserving the Privacy of Sensitive Relationships in Graph Data Motivation Valuable Data! No

Preserving the Privacy of Sensitive Relationships in Graph Data Motivation Valuable Data! No privacy breaches! Public Data Anonymization Data representation? Privacy breach? Value of data? Data publisher Privacy Analyst Work by: Elena

80 views • 3 slides
Collaborative Privacy Preserving Data Mining in Vertically Partitioned Databases Ehud Gudes

Collaborative Privacy Preserving Data Mining in Vertically Partitioned Databases Ehud Gudes

Collaborative Privacy Preserving Data Mining in Vertically Partitioned Databases Ehud Gudes Ben-Gurion University, Israel This talk presents joint work with Boris Rozenberg Talk Outline Motivation for Privacy-Preserving Distributed Data

1.48k views • 68 slides
Privacy preserving data mining randomized response and association rule hiding Li Xiong

Privacy preserving data mining randomized response and association rule hiding Li Xiong

Privacy preserving data mining randomized response and association rule hiding Li Xiong CS573 Data Privacy and Anonymity Partial slides credit: W. Du, Syracuse University, Y. Gao, Peking University Privacy Preserving Data Mining

659 views • 39 slides
Privacy-preserving Biometrics in practice: diffjcult to sell Carmela Troncoso (Gradiant) My

Privacy-preserving Biometrics in practice: diffjcult to sell Carmela Troncoso (Gradiant) My

Privacy-preserving Biometrics in practice: diffjcult to sell Carmela Troncoso (Gradiant) My experience with biometrics and privacy Academic background on privacy Gradiants goal: transfer of knowledge to industry We bring state of

193 views • 6 slides
Network Privacy Mostly issues of preserving privacy of data flowing through network Start

Network Privacy Mostly issues of preserving privacy of data flowing through network Start

Network Privacy Mostly issues of preserving privacy of data flowing through network Start with encryption With good encryption, data values not readable So whats the problem? Lecture 17 Page 1 CS 236 Online Traffic Analysis

532 views • 21 slides
On the Theory and Practice of Privacy-Preserving Bayesian Data Analysis James Foulds,* Joseph

On the Theory and Practice of Privacy-Preserving Bayesian Data Analysis James Foulds,* Joseph

On the Theory and Practice of Privacy-Preserving Bayesian Data Analysis James Foulds,* Joseph Geumlek,* Max Welling, + Kamalika Chaudhuri* + University of Amsterdam *University of California, San Diego Overview Bayesian Privacy-preserving

878 views • 75 slides
Fast Simulation of Calorimeter Punch-Through Particles in ATLAS A Status Report Elmar Ritsch

Fast Simulation of Calorimeter Punch-Through Particles in ATLAS A Status Report Elmar Ritsch

Fast Simulation of Calorimeter Punch-Through Particles in ATLAS A Status Report Elmar Ritsch (University of Innsbruck) Andreas Salzburger (CERN) Emmerich Kneringer (University of Innsbruck) September 9, 2010 Elmar Ritsch (Innsbruck) Fast

305 views • 17 slides
The PUNCH Portal to Internet Computing: Run Any Software Anywhere via WWW Browsers Nirav H.

The PUNCH Portal to Internet Computing: Run Any Software Anywhere via WWW Browsers Nirav H.

The PUNCH Portal to Internet Computing: Run Any Software Anywhere via WWW Browsers Nirav H. Kapadia Jos e A. B. Fortes Mark S. Lundstrom School of Electrical and Computer Engineering Purdue University I. Introduction to PUNCH II. System

950 views • 47 slides
1 A B

1 A B

1 A B C 2 A B

610 views • 20 slides
Lake Park Elementary School Student Advisory Council SAC October 23, 2019 6:00 pm Lake Park

Lake Park Elementary School Student Advisory Council SAC October 23, 2019 6:00 pm Lake Park

Lake Park Elementary School Student Advisory Council SAC October 23, 2019 6:00 pm Lake Park Elementary School Media Center Principal's Message Mrs. Fleming Principals Report: State of the School as of 10.23.19 A+ Money / School

447 views • 23 slides
Func%ons Func%ons are groups of statements to which you

Func%ons Func%ons are groups of statements to which you

Func%ons Func%ons are groups of statements to which you give a name. Defining a func%on uses the " def " keyword. That group of

626 views • 27 slides
The Australian Magician s Dream The Magic of Search Algorithms Paul Curzon Queen Mary,

The Australian Magician s Dream The Magic of Search Algorithms Paul Curzon Queen Mary,

The Australian Magician s Dream The Magic of Search Algorithms Paul Curzon Queen Mary, University of London With support from Google, D of E and the Mayor of London On with the magic Please keep the secrets Im going to teach

466 views • 13 slides
Presented by Jason A. Donenfeld Who Who Am I? Am I? Jason Donenfeld, also known as zx2c4 .

Presented by Jason A. Donenfeld Who Who Am I? Am I? Jason Donenfeld, also known as zx2c4 .

Presented by Jason A. Donenfeld Who Who Am I? Am I? Jason Donenfeld, also known as zx2c4 . Background in exploitation, kernel vulnerabilities, crypto vulnerabilities, and been doing kernel-related development for a long time.

1.07k views • 43 slides
Rockem Reality Rockem Reality | Punch Detection Method Hand Acceleration Measurement

Rockem Reality Rockem Reality | Punch Detection Method Hand Acceleration Measurement

Purple A Mockup Review Rockem Reality Rockem Reality | Punch Detection Method Hand Acceleration Measurement Rockem Reality | Robot Punching Emulation Rockem Reality | Mockup Product: User Input Accelerometer Gloves Rockem Reality |

568 views • 18 slides
61A Lecture 20 Friday, October 12 What Are Programs? 2 What Are Programs? Once upon a time,

61A Lecture 20 Friday, October 12 What Are Programs? 2 What Are Programs? Once upon a time,

61A Lecture 20 Friday, October 12 What Are Programs? 2 What Are Programs? Once upon a time, people wrote programs on blackboards 2 What Are Programs? Once upon a time, people wrote programs on blackboards Every once in a while, they would

1.19k views • 87 slides

More recommend