
Universally Composable and Privacy-Preserving Audit Logs Using Bulletin Board - PowerPoint PPT Presentation



  1. Universally Composable and Privacy-Preserving Audit Logs Using Bulletin Board. Anna Kaplan, Zcash Foundation & Technical University of Munich. Joint work with Jan Camenisch, Manu Drijvers, and Maria Dubovitskaya (all at DFINITY). Work was conducted while all were at IBM Research Zurich.

  2. (Image: accounting illustration, https://pixabay.com/images/search/accounting/)

  3. Example of a data identifier and its data details: 01.04. 52 € from André; 02.04. -59 € to Lea; KAPLAN … 0419.

  4. Two parties, User i and User j, and the same example of a data identifier and data details: 01.04. 52 € from André; 02.04. -59 € to Lea; KAPLAN … 0419.

  5. User i, User j, the data identifier and data details as before, and the audit log that records who accessed what:
     Time                | User 1          | User 2                 | User 3
     2/17/2018 13:06:11  | data identifier | data record identifier | session …
     …                   | …               | …                      | …

  6. How to construct such a protocol in a good manner? Modular cryptographic design, e.g. the Universal Composability framework by Canetti '01.

  7. Theoretic background: Universal Composability. Proving a protocol secure (Canetti '01). Ideal world: environment E, ideal functionality F, simulator S. Real world: environment E, protocol π, adversary A.

  8. Theoretic background: Universal Composability. Proving a protocol secure (Canetti '01). Ideal world (E, F, S) ~ real world (E, π, A): proving a protocol secure means both worlds should be indistinguishable.

  9. Theoretic background: Universal Composability. Proving a protocol secure (Canetti '01). Ideal world (E, F, S) ~ real world (E, π, A): proving a protocol secure means both worlds should be indistinguishable. Formally: let π and F be ppt protocols. We show that for any ppt adversary A there exists a ppt adversary (simulator) S such that for any ppt environment E we have
     EXEC_{F,S,E} ≈ EXEC_{π,A,E}.

  10. Theoretic background: Universal Composability. Composition (Canetti '01). The real-world protocol π is built from sub-functionalities F', F'', F''' (the hybrid model). If some protocol ϕ realizes F' (ϕ ~ F'), the composition theorem lets us replace F' by ϕ inside π: the ideal world (E, F, S) stays indistinguishable from the real world (E, π with ϕ plugged in, A).

  11. Theoretic background: Universal Composability. Generalized and Extended UC (Canetti et al. '07). Same picture as composition (π over F', F'', F''', with ϕ ~ F'), but now a global functionality G is shared by both worlds: the environment E, the real-world protocol and adversary, and the ideal-world functionality and simulator all have access to the same G.

  12. Defining security

  13. What security properties should our system follow?
     Transaction privacy; Record integrity; Transaction authentication; Auditor authorization; Transaction timestamping; Auditing correctness; Transaction uniqueness.

  14. How is this (the ideal functionality) related to the security properties? Transaction privacy; Transaction authentication; Transaction timestamping; Transaction uniqueness; Record integrity; Auditor authorization; Auditing correctness.

  15. Providing a protocol

  16. Building a scheme – very simplified! Two cryptographic hash functions: H and Ĥ. Parties: user U_i with key pair (sk_i, pk_i), user U_j with (sk_j, pk_j), and a blockchain that timestamps what is posted to it. Input of a user: record id, data id, data.

  17. Building a scheme – very simplified! Two cryptographic hash functions: H and Ĥ; users U_i (sk_i, pk_i) and U_j (sk_j, pk_j); a blockchain with timestamps. Input: record id, data id, data.
     RECORD: U_i computes tag = H(data id)^{sk_i} and data tag = Ĥ(data ║ Ĥ(data id)^{sk_i}), posts (tag, data tag) to the blockchain and gets back the record id; the blockchain stores the entry under a timestamp.

  18. Building a scheme – very simplified! Two cryptographic hash functions: H and Ĥ; users U_i (sk_i, pk_i) and U_j (sk_j, pk_j); a blockchain with timestamps. Input: record id, data id, data.
     RECORD: U_i computes tag = H(data id)^{sk_i} and data tag = Ĥ(data ║ Ĥ(data id)^{sk_i}), posts (tag, data tag) to the blockchain and gets back the record id; the blockchain stores the entry under a timestamp.
     AUDIT: U_i sends to the auditor U_j the values tag = H(data id)^{sk_i}, u = Ĥ(data id)^{sk_i}, the data, and a proof
     π = NIZK{(sk_i): tag = H(data id)^{sk_i} ∧ u = Ĥ(data id)^{sk_i} ∧ pk_i = g^{sk_i}}.
     U_j recomputes data tag' = Ĥ(data ║ u), asks the blockchain for the entry with this tag (timestamp, record id, tag?) and checks: Is there only one entry for tag? Is the corresponding data tag' correct? Is the corresponding timestamp correct?

  19. Building a scheme – very simplified! Same RECORD and AUDIT steps as before (tag = H(data id)^{sk_i}, data tag = Ĥ(data ║ Ĥ(data id)^{sk_i}), u = Ĥ(data id)^{sk_i}, π = NIZK{(sk_i): tag = H(data id)^{sk_i} ∧ u = Ĥ(data id)^{sk_i} ∧ pk_i = g^{sk_i}}, and the auditor's three checks), now annotated with the ideal functionalities each piece uses: F_ro1 and F_ro2 for the hash functions H and Ĥ, F_crs for the NIZK, F_ca for the users' public keys, F_smt for the message from U_i to the auditor U_j, F_bb (bulletin board) for the blockchain, and the global reference clock G_refClock for the timestamps.

  20. Building a scheme more formally: the protocol is stated in the hybrid model with F_ro1, F_ro2, F_ca, F_crs, F_smt, F_bb and the global G_refClock.
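A worked version of the RECORD and AUDIT steps above, added here as an example by the editor; it is not code from the deck and not the Hyperledger Fabric / AMCL implementation of slide 26. It keeps the deck's formulas (tag = H(data id)^{sk_i}, data tag = Ĥ(data ║ Ĥ(data id)^{sk_i}), u = Ĥ(data id)^{sk_i}, and the NIZK over tag, u and pk_i, instantiated as the deck says with Schnorr plus Fiat-Shamir) and fills in what the slides leave open with assumptions of mine: secp256k1 stands in for BN256, SHA-256 with distinct domain tags stands in for the random oracles behind H and Ĥ (and for the bytes-valued use of Ĥ in the data tag), hash-to-curve is try-and-increment, the bulletin board F_bb is a Python list whose entry counter plays the reference clock G_refClock, and the auditor is assumed to know which data id it is auditing, since it needs H(data id) and Ĥ(data id) to check π. Function names, the record id format and the sample inputs are all constructed.

```python
# Added example (mine, not the deck's or its Hyperledger Fabric/AMCL code): the simplified
# RECORD / AUDIT scheme of slides 16-18 with the NIZK as a Fiat-Shamir Schnorr proof of equal
# discrete logs. Assumptions: secp256k1 instead of BN256, SHA-256 behind the random oracles H
# and Ĥ, try-and-increment hash-to-curve, a list as F_bb with a counter as G_refClock.
import hashlib, secrets

P = 2**256 - 2**32 - 977                                                  # secp256k1 prime
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141    # group order
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(A, B):  # affine addition on y^2 = x^3 + 7 over GF(P); None is the point at infinity
    if A is None or B is None:
        return B if A is None else A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    lam = (3 * x1 * x1 * pow(2 * y1, -1, P) if x1 == x2
           else (y2 - y1) * pow(x2 - x1, -1, P)) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def ec_mul(k, Q):  # double-and-add k*Q, i.e. Q^k in the deck's multiplicative notation
    R = None
    while k:
        if k & 1:
            R = ec_add(R, Q)
        Q, k = ec_add(Q, Q), k >> 1
    return R

def enc(Q):
    return b"\x00" * 64 if Q is None else Q[0].to_bytes(32, "big") + Q[1].to_bytes(32, "big")

def hash_to_curve(domain, msg):  # random oracle into the group; sqrt via (P+1)/4 as P % 4 == 3
    for ctr in range(256):
        x = int.from_bytes(hashlib.sha256(domain + msg + bytes([ctr])).digest(), "big") % P
        rhs = (pow(x, 3, P) + 7) % P
        y = pow(rhs, (P + 1) // 4, P)
        if y * y % P == rhs:
            return (x, y)
    raise ValueError("hash_to_curve: no point found")

H = lambda data_id: hash_to_curve(b"H", data_id)          # the deck's H
H_hat = lambda data_id: hash_to_curve(b"H_hat", data_id)  # the deck's Ĥ as a hash into the group

def data_tag_of(data, u):  # Ĥ(data ║ Ĥ(data id)^sk_i), modelled as SHA-256 with its own domain tag
    return hashlib.sha256(b"H_hat_bytes" + data + enc(u)).digest()

def bb_append(board, tag, data_tag):  # F_bb + G_refClock: append-only, next counter value as time
    timestamp = len(board) + 1
    entry = {"timestamp": timestamp, "record_id": "rec-%04d" % timestamp,
             "tag": tag, "data_tag": data_tag}
    board.append(entry)
    return timestamp, entry["record_id"]

def keygen():
    sk = secrets.randbelow(N - 1) + 1
    return sk, ec_mul(sk, G)                                   # pk_i = g^sk_i

def record(board, sk, data_id, data):
    """RECORD: tag = H(data id)^sk, data tag = Ĥ(data ║ Ĥ(data id)^sk); post (tag, data tag)."""
    tag, u = ec_mul(sk, H(data_id)), ec_mul(sk, H_hat(data_id))
    return bb_append(board, tag, data_tag_of(data, u))         # board hands back timestamp, record id

def challenge(data_id, pk, tag, u, commits):
    h = hashlib.sha256(b"NIZK" + data_id + b"".join(enc(Q) for Q in [pk, tag, u] + commits))
    return int.from_bytes(h.digest(), "big") % N

def nizk_prove(sk, pk, data_id, tag, u):
    """π = NIZK{(sk): tag = H(data id)^sk ∧ u = Ĥ(data id)^sk ∧ pk = g^sk}, Schnorr + Fiat-Shamir."""
    r = secrets.randbelow(N - 1) + 1
    commits = [ec_mul(r, base) for base in (G, H(data_id), H_hat(data_id))]
    c = challenge(data_id, pk, tag, u, commits)
    return c, (r + c * sk) % N

def nizk_verify(pk, data_id, tag, u, proof):
    c, s = proof  # recompute each commitment as base^s * image^(-c); the challenge must match
    commits = [ec_add(ec_mul(s, base), ec_mul(c, (img[0], (-img[1]) % P)))
               for base, img in ((G, pk), (H(data_id), tag), (H_hat(data_id), u))]
    return c == challenge(data_id, pk, tag, u, commits)

def open_for_audit(sk, pk, data_id, data, timestamp, record_id):
    """User side of AUDIT: hand the auditor tag, u, π, the data and the claimed board position."""
    tag, u = ec_mul(sk, H(data_id)), ec_mul(sk, H_hat(data_id))
    return {"tag": tag, "u": u, "proof": nizk_prove(sk, pk, data_id, tag, u),
            "data": data, "timestamp": timestamp, "record_id": record_id}

def audit(board, pk, data_id, msg):
    """Auditor side of AUDIT for a data id it may see: board entry on success, None otherwise."""
    if not nizk_verify(pk, data_id, msg["tag"], msg["u"], msg["proof"]):
        return None                                            # tag, u not bound to pk_i and data id
    found = [e for e in board if e["tag"] == msg["tag"]]
    if len(found) != 1:                                        # "Only one entry for tag?"
        return None
    entry = found[0]
    claimed = (msg["timestamp"], msg["record_id"], data_tag_of(msg["data"], msg["u"]))
    if (entry["timestamp"], entry["record_id"], entry["data_tag"]) != claimed:
        return None                                            # data tag' or timestamp wrong
    return entry
```

Import it and call record, open_for_audit and audit on a shared board list: audit returns the board entry only when π verifies, exactly one entry carries the tag, the recomputed data tag' matches and the claimed timestamp and record id agree with the board, i.e. the three questions on slide 18 plus the proof check. Tampering with the data, recording the same data id twice (two entries, one tag) or presenting another user's pk_i all make it return None. The board itself holds only tag and data tag, so without sk_i an entry cannot be tied to its data id; that separation is the privacy property the deck's theorem on slide 24 rests on.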

  21. How to prove that ideal and real world are indistinguishable

  22. Proving security: the composition picture again, with the real world given as protocol π in the hybrid model with F', F'' and the global G (ϕ ~ F'), and the ideal world as the functionality F with simulator S sharing the same G.

  23. Proving security, as a sequence of games between the two worlds:
     Game 1 (real world): environment E, the protocol with adversary A, its hybrid functionalities and G.
     Game 2: environment E, the simulator S taking the adversary's place, with the functionalities and G.
     Game 3: environment E, the functionality F together with S.
     Game 4 (ideal world): environment E, the functionality F, the simulator S and G.

  24. Our result: Protocol π_audit EUC-realizes the ideal functionality F^l_audit with static corruptions and a leakage function l: {0,1}* → {0,1}* in the (G_refClock, F_dcrs, F_ca, F^l_smt, F_bb)-hybrid model, provided that NIZK is a zero-knowledge and simulation-sound proof of knowledge, and that the DL assumption holds in G.

  25. Implementation and further research

  26. Implementation: as a feature for Identity Mixer in Hyperledger Fabric, on the Client SDK in Java, using the Apache Milagro Crypto Library (AMCL, https://github.com/miracl/amcl). NIZKs instantiated with Schnorr's protocol and the Fiat-Shamir heuristic on the elliptic curve BN256 (Schnorr '91, Fiat and Shamir '86, Barreto and Naehrig '05). Tests on a 2-core Intel i5-7200U 2.5 GHz machine with 8 GB RAM; time in milliseconds:
     Full Identity Mixer benchmark test on signing and auditing   229.6
     Identity Mixer benchmark test on signing                      35.5
     Identity Mixer benchmark test on auditing                     10.4

  27. Conclusion and further problems: Switching to the global strict observable programmable random oracle (Camenisch et al. '18)? A construction without a random oracle? A different implementation in Rust, on a different blockchain or with a different NIZK? Extending the security model with a request by the auditor?

  28. References
     Barreto, Paulo S. L. M., and Michael Naehrig. "Pairing-friendly elliptic curves of prime order." International Workshop on Selected Areas in Cryptography. Springer, Berlin, Heidelberg, 2005.
     Camenisch, Jan, et al. "The Wonderful World of Global Random Oracles." Annual International Conference on the Theory and Applications of Cryptographic Techniques. Springer, Cham, 2018.
     Canetti, Ran. "Universally composable security: A new paradigm for cryptographic protocols." Proceedings of the 42nd IEEE Symposium on Foundations of Computer Science. IEEE, 2001.
     Canetti, Ran, et al. "Universally composable security with global setup." Theory of Cryptography Conference. Springer, Berlin, Heidelberg, 2007.
     Fiat, Amos, and Adi Shamir. "How to prove yourself: Practical solutions to identification and signature problems." Advances in Cryptology, CRYPTO '86. Springer, Berlin, Heidelberg, 1986.
     Schnorr, Claus-Peter. "Efficient signature generation by smart cards." Journal of Cryptology 4.3 (1991): 161-174.
     Apache Milagro Crypto Library: https://github.com/miracl/amcl

  29. Outline: Motivation: auditing and universal composability; Defining security; Providing a protocol; How to prove – a sketch; Implementation and further research.

  30. Thank you very much and come talk to me, here or @Zcon1! Anna Kaplan (anna.kaplan@tum.de), Zcash Foundation & Technical University of Munich.
