1 / 33

Private Resource Pairing

Private Resource Pairing. Joseph Calandrino Department of Computer Science University of Virginia August 10, 2005. Motivating Scenario. Emergency Room Incapacitated unidentified tourist arrives at ER Perfect biometric exists Treatment is history-dependent. Private Resource Pairing.

paiva
Download Presentation

Private Resource Pairing

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Private Resource Pairing Joseph Calandrino Department of Computer Science University of Virginia August 10, 2005

  2. Motivating Scenario • Emergency Room • Incapacitated unidentified tourist arrives at ER • Perfect biometric exists • Treatment is history-dependent

  3. Private Resource Pairing • Resource Possession – Confidential • Resource Requests – Confidential • Third Parties – Undesirable • Can We Overcome This?

  4. Related Work Private Matching • Alice and Bob possess separate databases • Alice wishes to determine intersection • Neither wishes to reveal non-matches Alice Bob

  5. Related Work Private Matching (AgES Protocol – Simplified) • Alice and Bob agree on commutative encryption (EA(EB(X)) = (EB(EA(X))) and hash functions • Generate secret encryption keys, A and B * • Generate hashes; encrypt hashes Alice Bob *Alice and Bob must generate new encryption keys each time they enter the private matching protocol

  6. Related Work Private Matching (AgES Protocol – Simplified) • Reorder encryptions lexicographically and exchange encryptions (Alice also saves hers) Bob’s Alice Bob Alice’s

  7. Related Work Private Matching (AgES Protocol – Simplified) • Reorder encryptions lexicographically and exchange encryptions (Alice also saves hers) • Re-encrypt encryptions (Bob saves originals) Bob’s Alice Bob Alice’s

  8. Related Work Private Matching (AgES Protocol – Simplified) • Bob returns the pairs; Alice matches on EA(h(X)) to get (X, EB(EA(h(X))) = (X, EA(EB(h(X))) • Alice finds matches for B and Y, the intersection Bob’s Alice Bob

  9. Related Work • Private Matching • Limited data ownership and need to know technique • More efficient/robust private pairing solution possible • Private Information Retrieval • Audit Logs • Searching on Encrypted Data –Requestors reveal searches to provider

  10. Behavioral Models • Semi-Honest (Honest But Curious) Behavior • Parties do not lie • Parties do attempt to derive additionalinformation if possible • Costs of lying may outweigh benefits • Malicious Behavior • Potentially dishonest parties • More realistic

  11. Private Resource Pairing… …under a Semi-Honest Behavior Model Basic Idea: • Setup: • Participants agree on a commutative encryption scheme and a hash function • Providers generate random encryption keys • Providers publish lexicographically-reordered encrypted hashes of their resource metadata to potential requestors or host servers • Providers publish signatures for servers

  12. Private Resource Pairing… …under a Semi-Honest Behavior Model Basic Idea: • Search and Acquisition: • Requestor generates new encryption/decryption key pair* • Requestor gives encrypted hash of desired metadata to provider • Provider re-encrypts using its key and returns • Requestor decrypts re-encryption • Requestor matches result against published values • For host servers, requestors acquire values and verify signatures • If match found, requestor asks provider for resources related to metadata *Requestors must generate new keys for each search

  13. Private Resource Pairing… …under a Semi-Honest Behavior Model Assumptions: • Requestor identity alone yields no private data • Providers publish data all at once, or publication order is irrelevant • In the case of host servers: • Requestors download all or no data from a server • Servers are unable to collude • Metadata is not fuzzy

  14. Private Resource Pairing… …under a Semi-Honest Behavior Model • Shortcomings of Semi-Honest Solution: • No enforcement of requestor need to know • No proof providers hold resources tied to published metadata • Malicious Model Must Address These Issues

  15. Private Resource Pairing… …under a Malicious Behavior Model Proving Requestor Need to Know: • Requestor Uses Two Tickets • First: • To receive re-encryption • Contains only encrypted metadata • Second: • To access metadata-related resources • Contains plaintext metadata

  16. Private Resource Pairing… …under a Malicious Behavior Model Proving Requestor Need to Know: • Tickets Supplier Must Distribute Tickets • Requestor must trust supplier with search metadata • Supplier can issue scope-limited tickets • Providers must be able to verify supplier trustworthiness • Suppliers should be unable to initiate searches • Assume suppliers and requestors cannot collude

  17. Private Resource Pairing… …under a Malicious Behavior Model Proving Resource Possession: • Identity-Based Signatures • Verification key is identity • Master secret required to generate signing keys • Key Privacy in Public Key Cryptosystems • An adversary possessing a piece of ciphertext can gain no more than a negligible advantage in determining which public key out of a given set produced the ciphertext • RSA lacks this: C = Me mod n. If nAlice = 6, nBob = 10, C = 7, an adversary knows that Bob’s public key encrypted C

  18. Private Resource Pairing… …under a Malicious Behavior Model Proving Resource Possession: • Two Cases: • Metadata Implies an Owner • Everyone knows the “owner” of resources related toevery piece of metadata • Example: Biometrics • Metadata Implies No Clear Owner • Metadata can imply many owners, or others areunable to accurately guess owners from metadata • Example: Keywords

  19. Private Resource Pairing… …under a Malicious Behavior Model Proving Resource Possession: • Metadata Implies an Owner • System Privacy • A set of instantiations of an identity-based signature scheme exist with different master secrets • Adversary chooses an identity • Random instantiation produces the identity’s signature of a nonce (unknown to adversary) • The adversary receives the signature • System privacy exists if the adversary can gain no more than a negligible advantage in determining signing instantiation given some parameters

  20. Private Resource Pairing… …under a Malicious Behavior Model Proving Resource Possession: • Metadata Implies an Owner • Owner (or Delegated Owner) Setup: • Owners agree on signature scheme • Identity-based scheme • System privacy • Owners independently generate master secrets • Owners publish verification parameters

  21. Private Resource Pairing… …under a Malicious Behavior Model Proving Resource Possession: • Metadata Implies an Owner • Providers Acquire Proof: • Provider offers metadata, encrypted andunencrypted, to owner • Owner checks that encryption represents metadata • Private matching • Owners signs encryption using private key associated with the provider’s ID and return result • Provider checks signature • Provider publishes data

  22. Private Resource Pairing… …under a Malicious Behavior Model Proving Resource Possession: • Metadata Implies an Owner • Requestor Verifies Proof: • Requestor downloads owner parameters • Requestor checks signatures (using provider ID as key) for a signature of the encrypted hash of desired metadata

  23. Private Resource Pairing… …under a Malicious Behavior Model Proving Resource Possession: • Metadata Implies an Owner • If Owner Master Secret Compromised: • Owner needs new master secret • Only affects owner’s resources • How do we update signatures?

  24. Private Resource Pairing… …under a Malicious Behavior Model Proving Resource Possession: • Metadata Does Not Imply an Owner • Use Universal Resource Owner • Can be centralized or distributed • Providers must trust owner • Requestors need not reveal anything to universal owner • Problems exist: key revocation, master secret compromise

  25. Evaluation Private Resource Pairing vs. Private Matching • Private Resource Pairing: Semi-Honest Model • No known comparable protocol for malicious pairing protocol • Private Matching: AgES • Requestor served as querying party with a single-entry DB • Additional step for requestor to ask for resources • Ignored: • Server signature verification (implementation dependent) • Time to agree on hash/encryption function (same for both)

  26. Theoretical Evaluation Computational Cost (in Units of Cost)

  27. Theoretical Evaluation Communication Cost (in Units of Cost)

  28. Performance Evaluation • Implementation • Java-Based Implementation • Hash Function: SHA-1 • Commutative Encryption Function:Pohlig-Hellman with Common Modulus • Sort: Modified MergeSort (nlogn performance) • Number of Provider Metadata Items: 20

  29. Performance Evaluation Performance Comparison

  30. Evaluation Private Resource Pairing vs. Private Matching • Decrease in requestor computation time: 28.8% • Decrease in provider computation time: 98.6% • Pairing scales better than AgES • Potential AgES improvements: • Avoid changing keys • Avoid re-encryption

  31. Conclusion • Summary • Future Work • Time-Scoped Searching • System Privacy • Classification Levels • Untrusted Servers • Fuzzy Metadata • Many more…

  32. Thank You In Particular: • Alfred Weaver • David Evans • Brent Waters

  33. Questions?

More Related