Privacy-Preserving & User-Auditable Pseudonym Systems. Jan Camenisch, Anja Lehmann IBM Research Zurich

Transcription

1 Privacy-Preserving & User-Auditable Pseudonym Systems Jan Camenisch, Anja Lehmann IBM Research Zurich

2 Motivation: How to maintain related yet distributed data? examples: social security system, ehealth different entities maintain data of citizens eventually data needs to be exchanged or correlated Laboratory Health Insurance Doctor B Alice.1210 Bob.0411 Carol.2503 Bob.0411? Bob.0411 Carol.2503 Dave.1906 simple solution: data gets associated with globally unique identifiers (e.g., US, Belgium, Sweden,...) unique identifiers are security & privacy risk no control about data exchange & usage if associated data is lost, all pieces can be linked together user is fully traceable 2

3 Local Pseudonyms & Trusted Converter user data is associated with random looking local identifiers the pseudonyms only central entity the converter can link & convert pseudonyms Converter Main Alice.1210 Hba02 7twnG Bob.0411 Carol uj sd7ab + control about data exchange from?? + if records are lost, pieces cannot be linked together Hba02 912uj sd7ab y2b4m 3

4 4 Local Pseudonyms & Trusted Converter user data is associated with random looking local identifiers the pseudonyms only central entity the converter can link & convert pseudonyms User Portal for Bob /26/2017 Unique Bob.0411 Converter Main Alice.1210 Hba02 7twnG Bob.0411 Carol uj sd7ab + control about data exchange from?? + if records are lost, pieces cannot be linked together + converter can provide audit logs to users (GDPR-requirement) converter learns all request & knows all correlations Hba02 912uj sd7ab y2b4m

5 5 Privacy-Preserving Pseudonym System (CCS 15) user data is associated with random looking local identifiers the pseudonyms only central entity the converter can link & convert pseudonyms User Portal for Bob /26/2017 Unique Bob.0411 Converter Main Alice.1210 Hba02 7twnG Bob.0411 Carol uj sd7ab + control about data exchange from?? + if records are lost, pieces cannot be linked together + converter can provide audit logs to users (GDPR-requirement) converter learns all request & knows all correlations Hba02 912uj sd7ab y2b4m

6 This work: Privacy-Preserving & User-Auditable Pseudonym System 6 user data is associated with random looking local identifiers the pseudonyms only central entity the converter can link & convert pseudonyms User Portal for Bob /26/2017 Unique Bob.0411 Converter Main Alice.1210 Hba02 7twnG Bob.0411 Carol uj sd7ab + control about data exchange from?? + if records are lost, pieces cannot be linked together + converter can provide audit logs to users (GDPR-requirement) converter learns all request & knows all correlations Hba02 912uj sd7ab y2b4m

7 (Un)linkable Pseudonyms Pseudonym Generation user, converter & server jointly derive pseudonyms from unique identifiers Converter Hba02 912uj Unique Bob.0411 previous work [CL15]: generation required converter to know user s this work: oblivious pseudonym generation triggered by user sd7ab y2b4m 7

8 (Un)linkable Pseudonyms Pseudonym Conversion only converter can link & convert pseudonyms, but does so in a blind way Converter at? blind conversion at at blind conversion request unblinding conversion response?? Hba02 912uj sd7ab y2b4m 8

9 (Un)linkable Pseudonyms Pseudonym Conversion & Audit Logs only converter can link & convert pseudonyms, but does so in a blind way every conversion triggers blind generation of audit log entry Audit Bulletin Board. 02/26/2017 Converter at? Unique Bob.0411 blind conversion audit log entries are only accessible by the affected user at at blind conversion request unblinding conversion response?? Hba02 912uj sd7ab y2b4m 9

10 (Un)linkable Pseudonyms Consistency pseudonym conversions & generatios are fully consistent conversions are transitive, unlinkable data can be aggregated Invoice for Hba02 Converter 912uj Invoice for Invoice for RtE14 Insurance 6Wz6P fx4o7 RtE14 $ $ $ sd7ab y2b4m 10

11 Our Protocol high-level idea of convertible pseudonyms adding (efficient) auditability security against active adversaries

12 High-level Idea Pseudonym Generation Core Idea Generation: X blindly computes nym i,a PRF(k,uid i ) x A pk A,sk A [1] X and U i jointly compute z i OPRF(k,uid i ) k, for each server: x A, x B, x C, C nym [3] X blindly computes nym i,a C nym C nym xa nym i,a [4] S A decrypts pseudonym nym i,a Dec(sk A,C nym ) [2] Ui encrypts z i for S A C nym Enc(pk A,z i ) z i C nym uid i 12

13 High-level Idea Pseudonym Conversion Core Idea Generation: X blindly computes nym i,a PRF(k,uid i ) x A Conversion: X blindly computes nym i,b nym i,a xb / xa [1] S A encrypts nym i,a under S B 's key C Enc(pk B, nym i,a ) C, S B, qid pk A,sk A nym i,a k, for each server: x A, x B, x C, C', S A, qid [2] X blindly transforms encrypted pseudonym C' C Δ with Δ = x B / x A C = Enc(pk B, nym i,a ) x B / xa C ' = Enc(pk B, PRF(k,uid i ) x A ) x B / xa C ' = Enc(pk B, PRF(k,uid i ) x B ) C = Enc(pk B, nym i,b ) Server B pk B,sk B nym i,b [3] S B decrypts converted pseudonym nym i,b Dec(sk B, C') 13

14 High-level Idea NymRequest NymResponse nym i,a Generation Conversion ConvRequest nym i,a ConvResponse Server B nym i,b 14

15 High-level Idea Adding Auditability usk, upk upk is randomizable encryption key upk RAND(upk) decrypt all audit ciphertexts: info Dec(usk,C*)? NymRequest, upk NymResponse, upk nym i,a, upk Generation Conversion ConvRequest, upk nym i,a, upk Audit Bulletin Board C* C* Enc(upk, info) ConvResponse, upk Server B nym i,b, upk 15

16 High-level Idea Adding Efficient Auditability (via Audit Tags) decrypt ciphertext for T A : info Dec(usk,C*) usk, upk, {T A } NymRequest, upk, C T C T Enc(pk A, T A ) for random T A NymResponse, upk, C T nym i,a, upk, T A T A Dec(sk A, C T ) Generation Conversion ConvRequest, upk, T A nym i,a, upk, T A Audit Bulletin Board T A, C* C* Enc(upk, info) ConvResponse, upk Server B nym i,b, upk 16

17 High-level Idea Adding Efficient Auditability (via Audit Tags) usk, upk, {T A, T A, } decrypt ciphertext for T A : info Dec(usk,C*) C T Enc(pk A, T A ) for random T A get new audit tags for T A : T A Dec(usk, C* TA ) NymRequest, upk, C T NymResponse, upk, C T nym i,a, upk, T A T A Dec(sk A, C T ) Generation Conversion ConvRequest, upk, T A, C* TA nym i,a, upk, T A Audit Bulletin Board T A, C* Tag Chain: T A, C* TA C* Enc(upk, info) ConvResponse, upk T A C* TA Enc(upk, T A ) for random T A Server B nym i,b, upk 17

18 High-level Idea Adding Efficient Auditability (via Audit Tags) usk, upk, {T A, T A, T B } decrypt ciphertext for T A : info Dec(usk,C*) C T Enc(pk A, T A ) for random T A get new audit tags for T A : T A Dec(usk, C* TA ) T B Dec(usk, C* TB ) NymRequest, upk, C T NymResponse, upk, C T nym i,a, upk, T A T A Dec(sk A, C T ) Generation Conversion ConvRequest, upk, T A, C* TA nym i,a, upk, T A Audit Bulletin Board T A, C* Tag Chain: T A, C* TA T A, C* TB C* Enc(upk, info) ConvResponse, upk C* TB T A C* TA Enc(upk, T A ) for random T A Server B nym i,b, upk, T B C* TB Enc(upk, T B ) for random T B 18

19 High-level Idea Security against Active Adversaries decrypt ciphertext for T A : info Dec(usk,C*) get new audit tags for T A : T A Dec(usk, C* TA ) T B Dec(usk, C* TB ) usk, upk, {T A, T A, T B } C T Enc(pk A, T A ) for random T A NymRequest, upk, C T NymResponse, upk, C T Signature scheme for homomorphic encodings nym i,a, upk, T A T A Dec(sk A, C T ) Generation Conversion ConvRequest, upk, T A, C* TA, π A nym i,a, upk, T A Audit Bulletin Board T A, C* Tag Chain: T A, C* TA T A, C* TB C* Enc(upk, info) ConvResponse, upk C* TB T A C* TA Enc(upk, T A ) for random T A Server B nym i,b, upk, T B C* TB Enc(upk, T B ) for random T B 19

20 (Un)linkable & Auditable Pseudonyms Security & Efficiency provably secure construction in the Universal Composability (UC) framework based on homomorphic encryption scheme (ElGamal encryption) homomorphic encryption scheme with re-randomizable public keys (ElGamal-based) oblivious pseudorandom function with committed outputs (based on Dodis-Yampolskiy-PRF) signature scheme for homomorphic encoding functions (based on Groth signature scheme) zero-knowledge proofs (Fiat-Shamir NIZKs) commitment scheme (ElGamal based) secure against actively corrupt users & servers, and honest-but-curious converter concrete instantiation ~50ms computational time per party for conversion 20

21 (Un)linkable & Auditable Pseudonyms Summary pseudonym scheme for (un)linkable data storage with controlled & auditable data exchange pseudonyms can only be linked via a central, but oblivious converter oblivious converter blindly generates user-centric audit logs conversions & audit logs are done in a blind way converter must not be a trusted entity paradigm shift: unlinkability per default, linkability only when necessary Thanks! Questions? anj@zurich.ibm.com 21

22 (Un)linkable & Auditable Pseudonyms Efficiency

23 (Un)linkable Pseudonyms Corruption Model Audit Bulletin Board Converter? Hba02 912uj Unique Bob.0411 sd7ab y2b4m servers and users can be fully corrupt converter at most honest-but-curious 23

24 (Un)linkable Pseudonyms Consistency pseudonym generation is deterministic & consistent with blind conversion Converter Hba02 912uj Unique Bob.0411 sd7ab y2b4m 24

25 (Un)linkable Pseudonyms Consistency pseudonym conversions are transitive, unlinkable data can be aggregated Invoice for Hba02 Converter 912uj Invoice for Invoice for RtE14 Insurance 6Wz6P fx4o7 RtE14 $ $ $ sd7ab y2b4m 25