240 likes | 327 Views
ZQL a cryptographic compiler for processing private data. George Danezis Cédric Fournet Markulf Kohlweiss Zhengqin Luo & Alfredo Rial. CraigMu’s review, Feb’12. Data Privacy. Privacy at odds with big data produced, processed, and stored Private data?
E N D
ZQLa cryptographiccompiler for processing private data George DanezisCédric Fournet Markulf KohlweissZhengqin Luo& Alfredo Rial CraigMu’s review, Feb’12
Data Privacy • Privacy at odds with big dataproduced, processed, and stored • Private data? • Personal, medical, financial, legal… • A controversial trust issue • Show-stopper when deploying new technology • High potential for negative press • Strong EU regulations • Wanted: generic tools forprivacy-friendly data processing(as in dolphin-friendly tuna)
Privacy-Preserving Smart Metering Utility Provider Smart Meter variable policy & rates certified readings(private data) price to pay + crypto evidence User, payingher monthly bill Only the monthly fee need to be sent back to the utility(not the detailed meter readings)
Pay-how-you-driveinsurance • Only the premium needs to be communicated to the insurance company certified pricing policy Insurance company certified location, speed and distance(private data) fee to pay + crypto evidence User, payingher insurance fee
Many similar problems • Integrityfor the verifier • Only the correct pricecan be proved • Privacy for the user • Concealing meter readings • Concealing locations, speed and distance (Partly) private user data Public pricing policy Conflicting goals:
So far, ad hoc cryptographic solutions • Bespoke privacy-preserving protocolsusing a mix of cryptographic mechanisms • Linear policies using homomorphic commitments • Cumulative policies using zero-knowledge proofs on CL-signatures • Penalty-based policies (Pay-how-you-drive) ? • Also many protocols for anonymous credentials, e-cash, e-voting • These protocols are available today,but they hard to design, implement, and deploy • We cannot involve cryptographersand security expertseach time we change the query or revise the service policy!
Goal: private data processing agreement ona data query certified public data • SELECT * • FROM … • WHERE … Reliable Data Providers Service, or Verifierin need ofvalid results query results+ cryptoevidence certifiedprivate data Client, or Proverin control of her data • a high-level language for querying data • an optimizing, verifying query compiler • selectscryptographic constructions • generates code for different platforms • verifies its security before deployment
Integrity and Privacy (Ideal) Trusted Third Party • SELECT * • FROM … • WHERE … “Ok.” Reliable Data Providers Service, or Verifierin need ofvalid results Client, or Proverin control of her data
ZQL: a language for querying private data • SQL [Structured Query Language, 1970—]:a fine declarative domain-specific languagefor querying relational DBs • ZQL [Zero-Knowledge Query Language]: a subset of SQL extended for cryptographic processing • privacy annotations • random sampling • hash, sign,… • big numbers for keys, group elements, exponents, … • The SQL theory carries over to ZQL, despite unusual data: • Useful algebraic properties • Efficient evaluation plans and representations (e.g. indexing)
Compiler Architecture • data privacyspecification • T1: … query expressed in SQL • Q(T1…Tn) queries expressedin SQL+crypto We generate a queryfor each participant,with matching I/Os ZQL compiler • Qverify • Tsign1 • Qprove F# generator C generator We emitcode for each participant • Qv.c • Qv.fs • T1.c • T1.fs • ZQL.fs • Qp.c • Qp.fs • crypto.fs referencehigh-level code in F# fast, portablelow-level code in C runtime libraries
Sample SQL query for Smart Metering The source query is: • Bill := • SELECT • time, • cost = reading * rate • FROM • Meter|><|Policy • WHERE • time in 1/1..31/1/2011 • fee := SUM costFROM Bill Consider billing with a variable-ratelinear policy
Inside ZQL:Compiling the metering query public rates public signed data secret data • Open := SELECTtime, reading, opening = RNG() FROMMeter • Commit:= SELECT time, commit = g^reading * h^openingFROMOpen • (2) the client now computestwo sums instead of one • (1) the meter generatesand signs commitments • (3) the utility checks them against the signed commitments • payment := • SUMreading * rate • FROMOpen |><|Policy • proof := • SUMopening * rate • FROM Open |><| Policy • g^payment * h^proof • =?= • PRODcommit ^ rateFROMCommit |><|Policy • g^payment * h^proof • = g^(SUM (reading * rate)) * h^(SUM (opening * rate)) • =PROD (g^reading* h^opening)^rate • = PROD commit^rate
Inside ZQL:Compiling pay-how-you-drive (outline) This query joins tables on secret columns: we must prove that the join includes rows from the policy tableswithout revealing which rows we actually use • let Over=SELECT over =speed- max • FROM GPS |><|SpeedLimit • let total= • SUMpointsFROMOver|><|Penalty • let payment = SUMmileage * rate FROM GPS |><|PolicyWHEREpoints = total
Inside ZQL:Compiling pay-how-you-drive (outline) This query joins tables on secret columns: we must prove that the join includes rows from the policy tableswithout revealing which rows we actually use For each row in a join, the prover generates a zero-knowledge proof of knowledgeof a matching signed row in the policy table • let Over=SELECT over =speed- max • FROM GPS |><|SpeedLimit • let total= • SUMpointsFROMOver|><|Penalty • let payment = SUMmileage * rate FROM GPS |><|PolicyWHEREpoints = total
Expressiveness & Performance • Linear overheadin the number of secrets Linear: 128 bytes/rowprove 300,000 row/S check 90,000 row/S Non-Linear: 6586 bytes/row prove 87 row/S check 41 row/S • Performance dominatedby bignum multiplications: • We rely on recent extensionsof core crypto algorithms(thanks to XCG) • When operating on secrets,wesupport a fragment of SQL • Linear expressions • Polynomials expressions • Table lookups • Inequalities • Current limitation: The shape of intermediatetables must be public • Fresh cryptography:vector commitments for implementing privateintermediate tables
Security? • T1: … • Q(T1…Tn) ZQL compiler F# generator • Qv.fs • T1.fs • Qp.fs • Our compiler automaticallygeneratecomplex protocolimplementations • Hard to test or review • How can the user tell whetherher privacy is preserved? • Our compiler then calls independent, automatedtools to verify that theseimplementationsare secure • Privacy: the service learns nothing more than the query result • Integrity: the user can build evidence only for the correct result
Security Verification (2003—) • We develop a cryptographic verification kitfor new protocol implementations [with A.D. Gordon, K. Bhargavan] • Tools: ProVerif, FS2PV, FS2CV, F7, F*… • Mostly for F#, with experiments for C and C# • We automatically verify large implementationsagainst precise cryptographic assumptions • Probabilistic security: “no secret information flows to the adversary” • Computational security: “except with a negligible probability, no adversary can…” • Verification case studies: • TLS 1.2 Internet Standard [with MSR-INRIA]; web services security • DKM for cloud data [with T. Acar, D.Shumow] deployed on MS datacenters • TPM2 [with P. England, D. Wooten, F. Dupressoir, and RISE] shipping with Win8
query expressed in SQL Towards a certifying ZQL Compiler • T1: … • Q(T1…Tn) We generate proof goalsand type annotations to keep track of query evaluations ZQL compiler F7 generator F# generator • ZQL.fs7 • Qv.fs • T1.fs • Qv.fs7 • T1.fs7 • Crypto.fs7 • Qp.fs • Qp.fs7 typed specification in F7 reference implementation in F# We use F7to automatically prove that implementations conform with their specifications F7 typing We get either a compile-time error (bug)or strong integrity & privacy theorems
ZQL: Privacy-Friendly Data Processing • With ZQL, clients process their own private data & services still get correct results • Programmers specify their SQL queries & privacy goals;we compile them into zero-knowledge protocols • The security of fresh crypto implementationscan be automatically verified (at compile-time)under standard security assumptions