Universally Composable and Privacy-Preserving Audit Logs Using - - PowerPoint PPT Presentation



SLIDE 1

Universally Composable and Privacy-Preserving Audit Logs Using Bulletin Board

Anna Kaplan, Zcash Foundation & Technical University of Munich

Joint work with Jan Camenisch, Manu Drijvers, and Maria Dubovitskaya (all at DFINITY)

Work was conducted while all were at IBM Research Zurich.

SLIDE 2

(Image: accounting, https://pixabay.com/images/search/accounting/)

SLIDE 3

A user's ledger: data identifier and data details

Data identifier | Data details
01.04.          | 52€ from André
02.04.          | 59€ to Lea
…               | …

KAPLAN 0419

SLIDE 4

User i                                   User j

(Each user keeps a ledger of data identifiers and data details as on slide 3: 01.04. 52€ from André, 02.04. 59€ to Lea, …)

SLIDE 5

User i                                   User j

(Ledger of data identifiers and data details as on slide 3.)

The shared audit log, one column per user:

Time               | User 1             | User 2             | User 3
2/17/2018 13:06:11 | data identifier    | data identifier    | data identifier
                   | data record        | data record        | data record
                   | session identifier | session identifier | session identifier
…                  | …                  | …                  | …

SLIDE 6

How to construct such a protocol in a good manner?

Modular cryptographic design, e.g. the Universal Composability framework by Canetti '01

SLIDE 7

Theoretic background: Universal Composability

PROVING A PROTOCOL SECURE (Canetti '01)

Real world:  Environment E interacts with protocol π and adversary A.
Ideal world: Environment E interacts with ideal functionality F and simulator S.

SLIDE 8

Theoretic background: Universal Composability

PROVING A PROTOCOL SECURE (Canetti '01)

Real world (E, π, A)  ~  Ideal world (E, F, S)

Proving a protocol secure means both worlds should be indistinguishable.

SLIDE 9

Theoretic background: Universal Composability

PROVING A PROTOCOL SECURE (Canetti '01)

Real world (E, π, A)  ~  Ideal world (E, F, S)

Proving a protocol secure means both worlds should be indistinguishable. Let π and F be ppt protocols. We show that for any ppt adversary A there exists a ppt adversary S s.t. for any ppt environment E we have:

$$\mathrm{EXEC}_{F,S,E} \approx \mathrm{EXEC}_{\pi,A,E}$$

SLIDE 10

Theoretic background: Universal Composability

COMPOSITION (Canetti '01)

Real world: Environment E, adversary A and the composed protocol π^{ϕ/F'}, i.e. π in which every call to the sub-functionality F' is replaced by a protocol ϕ that realizes it (ϕ ~ F'); ϕ may itself use further functionalities F'', F'''.
Ideal world: Environment E, functionality F and simulator S.

The composition theorem: if π realizes F in the F'-hybrid model and ϕ realizes F', then π^{ϕ/F'} still realizes F (π^{ϕ/F'} ~ F).

SLIDE 11

Theoretic background: Universal Composability

GENERALIZED AND EXTENDED UC (Canetti et al. '07)

Same picture as slide 10 (real world: E, A, π^{ϕ/F'…} with ϕ ~ F' and sub-functionalities F'', F'''; ideal world: E, F, S), but now a global functionality G is shared by both worlds and is also accessible to the environment.

SLIDE 12

Defining security

SLIDE 13

What security properties should our system follow?

  • Record integrity
  • Transaction privacy
  • Auditor authorization
  • Transaction timestamping
  • Auditing correctness
  • Transaction authentication
  • Transaction uniqueness

SLIDE 14

How is this related to the security properties?

  • Record integrity
  • Transaction privacy
  • Auditor authorization
  • Transaction timestamping
  • Auditing correctness
  • Transaction authentication
  • Transaction uniqueness

SLIDE 15

Providing a protocol

SLIDE 16

Building a scheme – very simplified!

Parties: U_i with key pair (sk_i, pk_i) and U_j with key pair (sk_j, pk_j)
Inputs: record id, data id, data
Two cryptographic hash functions: H and Ĥ
The blockchain supplies the timestamp

SLIDE 17

Building a scheme – very simplified!

Parties: U_i (sk_i, pk_i) and U_j (sk_j, pk_j); inputs: record id, data id, data; two cryptographic hash functions H and Ĥ; blockchain timestamp.

RECORD (by U_i):
  tag      = H(data id)^{sk_i}
  data tag = Ĥ(data ║ Ĥ(data id)^{sk_i})
  U_i posts (record id, tag, data tag) to the blockchain, which timestamps the entry.

SLIDE 18

Building a scheme – very simplified!

Parties: U_i (sk_i, pk_i) and U_j (sk_j, pk_j); inputs: record id, data id, data; two cryptographic hash functions H and Ĥ; blockchain timestamp.

RECORD (by U_i):
  tag      = H(data id)^{sk_i}
  data tag = Ĥ(data ║ Ĥ(data id)^{sk_i})
  U_i posts (record id, tag, data tag) to the blockchain, which timestamps the entry.

AUDIT (U_i towards auditor U_j):
  tag = H(data id)^{sk_i}
  u   = Ĥ(data id)^{sk_i}
  π   = NIZK{(sk_i): tag = H(data id)^{sk_i} ∧ u = Ĥ(data id)^{sk_i} ∧ pk_i = g^{sk_i}}
  U_i sends (tag, u, π, data) to U_j.
  U_j asks the blockchain for tag and data tag and receives (timestamp, record id, tag, data tag).
  U_j recomputes data tag' = Ĥ(data ║ u) and checks:
    Only one entry for tag?
    Is the corresponding data tag' correct?
    Is the corresponding timestamp correct?

SLIDE 19

Building a scheme – very simplified!

Parties: U_i (sk_i, pk_i) and U_j (sk_j, pk_j); inputs: record id, data id, data; two cryptographic hash functions H and Ĥ; blockchain timestamp.

RECORD (by U_i):
  tag      = H(data id)^{sk_i}
  data tag = Ĥ(data ║ Ĥ(data id)^{sk_i})
  U_i posts (record id, tag, data tag) to the blockchain, which timestamps the entry.

AUDIT (U_i towards auditor U_j):
  tag = H(data id)^{sk_i}
  u   = Ĥ(data id)^{sk_i}
  π   = NIZK{(sk_i): tag = H(data id)^{sk_i} ∧ u = Ĥ(data id)^{sk_i} ∧ pk_i = g^{sk_i}}
  U_i sends (tag, u, π, data) to U_j.
  U_j asks the blockchain for tag and data tag and receives (timestamp, record id, tag, data tag).
  U_j recomputes data tag' = Ĥ(data ║ u) and checks:
    Only one entry for tag?
    Is the corresponding data tag' correct?
    Is the corresponding timestamp correct?

Hybrid functionalities used by the building blocks: F_ro1, F_ro2 (random oracles for the two hash functions), F_ca (certification authority for the public keys), F_crs (common reference string for the NIZK), F_smt (secure message transmission between U_i and U_j), G_refClock (global reference clock), F_bb (bulletin board, i.e. the blockchain).
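The RECORD and AUDIT steps above, run end to end as an added example (this is not the authors' implementation, which is the Identity Mixer / AMCL code described later in the deck). It assumes a toy 192-bit safe-prime Schnorr group generated at import time from a fixed seed, two domain-separated SHA-256 hash-to-group functions standing in for H and Ĥ (the F_ro1/F_ro2 random oracles), a plain Python list standing in for the bulletin board F_bb with its position used as the timestamp, and a Fiat-Shamir Schnorr proof of equal discrete logs as the NIZK. The ledger row is constructed from slide 3. The auditor's three checks from slide 18 are implemented, and the demo exercises an honest audit plus the two failure modes those checks exist for: tampered data and a second entry under the same tag.

```python
# Added example (not the authors' code): the simplified RECORD / AUDIT scheme from
# slides 16-19 over a toy Schnorr group. H and Ĥ are two domain-separated hash-to-group
# functions (F_ro1 / F_ro2), the blockchain is a list (F_bb), the NIZK is Schnorr + Fiat-Shamir.
import hashlib
import random

def is_probable_prime(n, bases=(2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)):
    # Miller-Rabin with fixed bases; adequate for generating demo parameters.
    if n < 2 or any(n % b == 0 for b in bases):
        return n in bases
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_safe_prime(bits, rng):
    # Return (p, q) with p = 2q + 1 both prime; deterministic for a seeded rng.
    while True:
        q = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1, q

RNG = random.Random(2019)         # fixed seed so the demo is reproducible
P, Q = gen_safe_prime(192, RNG)   # ASSUMPTION: 192-bit demo group; real use needs >= 2048 bits or EC
G = 4                             # 2^2 is a quadratic residue mod P, hence has prime order Q
NBYTES = (P.bit_length() + 7) // 8

def enc(*xs):                     # fixed-width encoding of group elements for hashing
    return b"".join(x.to_bytes(NBYTES, "big") for x in xs)

def hash_to_group(domain, *parts):
    """Length-prefixed SHA-256 reduced mod P, then squared: lands in the order-Q subgroup."""
    h = hashlib.sha256(domain)
    for part in parts:
        h.update(len(part).to_bytes(4, "big") + part)
    return pow(int.from_bytes(h.digest(), "big") % (P - 1) + 1, 2, P)

def H(data_id):     return hash_to_group(b"H", data_id)      # the slides' H
def H_hat(*parts):  return hash_to_group(b"Hhat", *parts)    # the slides' Ĥ

def keygen(rng):
    sk = rng.randrange(1, Q)
    return sk, pow(G, sk, P)

def bb_post(bb, record_id, tag, data_tag):   # F_bb stand-in: append-only, position = timestamp
    bb.append((len(bb) + 1, record_id, tag, data_tag))
    return bb[-1][0]

def record(bb, sk, record_id, data_id, data):
    """RECORD: tag = H(data id)^sk, data tag = Ĥ(data || Ĥ(data id)^sk); post both."""
    tag, u = pow(H(data_id), sk, P), pow(H_hat(data_id), sk, P)
    return bb_post(bb, record_id, tag, H_hat(data, enc(u)))

def challenge(h1, h2, pk, tag, u, R):
    return int.from_bytes(hashlib.sha256(enc(G, h1, h2, pk, tag, u, *R)).digest(), "big") % Q

def prove_audit(sk, pk, data_id, rng=RNG):
    """NIZK{(sk): tag = H(id)^sk ∧ u = Ĥ(id)^sk ∧ pk = g^sk}, Schnorr + Fiat-Shamir."""
    h1, h2 = H(data_id), H_hat(data_id)
    tag, u = pow(h1, sk, P), pow(h2, sk, P)
    r = rng.randrange(1, Q)
    c = challenge(h1, h2, pk, tag, u, (pow(G, r, P), pow(h1, r, P), pow(h2, r, P)))
    return tag, u, (c, (r + c * sk) % Q)

def verify_proof(pk, data_id, tag, u, proof):
    """Recompute each commitment as base^s * y^(-c) and compare the challenge."""
    c, s = proof
    h1, h2 = H(data_id), H_hat(data_id)
    R = tuple(pow(b, s, P) * pow(y, (Q - c) % Q, P) % P
              for b, y in ((G, pk), (h1, tag), (h2, u)))
    return challenge(h1, h2, pk, tag, u, R) == c

def audit(bb, pk, data_id, data, tag, u, proof):
    """The auditor's checks from slide 18; returns (ok, reason, timestamp)."""
    if not verify_proof(pk, data_id, tag, u, proof):
        return False, "proof", None                  # transaction authentication
    entries = [e for e in bb if e[2] == tag]
    if len(entries) != 1:
        return False, "uniqueness", None             # only one entry for tag?
    ts, _rid, _tag, data_tag = entries[0]
    if H_hat(data, enc(u)) != data_tag:
        return False, "data tag", None               # is data tag' = Ĥ(data || u) correct?
    return True, "ok", ts                            # timestamp is the board's, not the user's

def demo():
    """Honest audit, then two failure modes: tampered data and a duplicate tag."""
    bb, (sk, pk) = [], keygen(RNG)
    data_id, data = b"01.04.", b"52 EUR from Andre"   # constructed ledger row from slide 3
    ts = record(bb, sk, b"rec-1", data_id, data)
    tag, u, proof = prove_audit(sk, pk, data_id)
    honest = audit(bb, pk, data_id, data, tag, u, proof)
    tampered = audit(bb, pk, data_id, b"59 EUR to Lea", tag, u, proof)
    bb_post(bb, b"rec-2", tag, bb[0][3])               # second entry under the same tag
    duplicate = audit(bb, pk, data_id, data, tag, u, proof)
    return ts, honest, tampered, duplicate
```

Two design points worth noticing when reading it against the slides: hashing into the group by squaring a hash mod a safe prime (rather than raising g to the hash) is what keeps tag = H(data id)^{sk_i} unlinkable to pk_i, since nobody knows the discrete log of H(data id); and the auditor takes the timestamp from the board entry it looked up itself rather than from anything the user sent, which is the whole point of routing the record through F_bb.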

SLIDE 20

Building a scheme more formally

Hybrid functionalities: G_refClock, F_ca, F_bb, F_crs, F_ro2, F_ro1, F_smt

SLIDE 21

How to prove that ideal and real world are indistinguishable

SLIDE 22

Proving security

The EUC picture from slide 11 applied to our setting: the real world runs protocol π^{ϕ/F'…} (with ϕ ~ F' and a sub-functionality F'') against adversary A, the ideal world runs functionality F with simulator S, both in front of environment E and with the global functionality G shared by both worlds. The two worlds must be indistinguishable (~).

SLIDE 23

Proving security

Proof by a sequence of games (read right to left on the slide):

  Game 1 (real world): environment E, the protocol, adversary A and global functionality G.
  Game 2 and Game 3 (intermediate ideal worlds): a simulator S and the functionality F step by step take over the roles of the adversary and the protocol, with G still present.
  Game 4 (ideal world): environment E, functionality F, simulator S and G.

Each pair of adjacent games is shown indistinguishable, so the real world (Game 1) is indistinguishable from the ideal world (Game 4).

SLIDE 24

Our result

Protocol π_audit EUC-realizes the ideal functionality F^l_audit with static corruptions and a leakage function l: {0,1}* → {0,1}* in the (G_refClock, F_dcrs, F_ca, F^l_smt, F_bb)-hybrid model, provided that the NIZK is a zero-knowledge and simulation-sound proof of knowledge, and that the DL assumption holds in G.

SLIDE 25

Implementation and further research

SLIDE 26

Implementation

As a feature for Identity Mixer in Hyperledger Fabric, on the ClientSDK in Java, using the Apache Milagro Crypto Library (AMCL).
Instantiating the NIZKs: Schnorr's protocol with the Fiat-Shamir heuristic on the elliptic curve BN256 (Schnorr '91, Fiat and Shamir '86, Barreto and Naehrig '05).

Test on a 2-core Intel machine with an i5-7200U 2.5 GHz CPU and 8 GB RAM; time in milliseconds:

Benchmark                                                     | Time (ms)
Full Identity Mixer benchmark test on signing and auditing    | 229.6
Identity Mixer benchmark test on signing                      | 35.5
Identity Mixer benchmark test on auditing                     | 10.4

AMCL: https://github.com/miracl/amcl

SLIDE 27

Conclusion and further problems

  • Switching to a global strict observable programmable random oracle? (Camenisch et al. '18)
  • Construction without a random oracle?
  • Different implementation with Rust, a different blockchain or a different NIZK?
  • Extending the security model with a request by the auditor?

SLIDE 28

References

Barreto, Paulo S. L. M., and Michael Naehrig. "Pairing-friendly elliptic curves of prime order." International Workshop on Selected Areas in Cryptography. Springer, Berlin, Heidelberg, 2005.
Camenisch, Jan, et al. "The Wonderful World of Global Random Oracles." Annual International Conference on the Theory and Applications of Cryptographic Techniques. Springer, Cham, 2018.
Canetti, Ran. "Universally composable security: A new paradigm for cryptographic protocols." Foundations of Computer Science, 2001. Proceedings. 42nd IEEE Symposium on. IEEE, 2001.
Canetti, Ran, et al. "Universally composable security with global setup." Theory of Cryptography Conference. Springer, Berlin, Heidelberg, 2007.
Fiat, Amos, and Adi Shamir. "How to prove yourself: Practical solutions to identification and signature problems." Advances in Cryptology – CRYPTO '86. Springer, Berlin, Heidelberg, 1986.
Schnorr, Claus-Peter. "Efficient signature generation by smart cards." Journal of Cryptology 4.3 (1991): 161-174.
Apache Milagro Crypto Library: https://github.com/miracl/amcl

SLIDE 29

Outline

  • Motivation: Auditing and universal composability
  • Defining security
  • Providing a protocol
  • How to prove – a sketch
  • Implementation and further research

SLIDE 30

Thank you very much and come talk to me, here or @Zcon1!

Anna Kaplan (anna.kaplan@tum.de), Zcash Foundation & Technical University of Munich