Privacy-Preserving Transaction Escrow
Stas Jarecki, Pat Lincoln, Vitaly Shmatikov
UC Irvine, SRI International
Data Collection is a Threat to Privacy
Financial transaction records
• Detection of fraud and money laundering
Medical research databases
• Research queries
Computer network monitoring
• Intrusion detection
Law enforcement
• Airline passenger databases
(CAPPS II, JetBlue debacle, etc.)
Research question:
Can we enable (some) data monitoring
while protecting (some) data privacy?
Approaches To Privacy Protection
Access control
• Only trusted parties may initiate queries
• Disallow intruder from asking questions
Protected execution environments
• Requires trusted computing platform
• Limit extraction of data
• Introduce random variations
Encrypted databases
• Rely on cryptographic techniques
• Even raw data do not leak information
Access Control
Only allow trusted people to initiate queries
• In some medical databases, only 1 trusted individual is
authorized to perform queries
– Reviews suggested queries and their results for privacy implications
– Maintains per-user and global history of queries and responses
How to separate “good” and “bad” queries
in an untrusted computing environment?
• Government agency insiders can search internal
databases at whim
– IRS employees can snoop on their neighbors’ returns
• Purpose of a query may be hard to determine
– Visa knows all your credit card transactions
– HMO knows your entire medical history
Aldrich Ames
Protected Execution
Restrict queries
Use digital rights management or data labeling
Randomize individual values preserving global
statistical properties
Suppress and generalize for k-anonymity
… none of these help against the attacker who
has access to the underlying database
This requires trusted computing platform
• How to specify and enforce data access policies?
Our Goal: Protect Data After Collection
[Diagram: a data collection agency makes data query attempts against the collected data]
• Allowed queries are easy
• Disallowed queries are infeasible
Research questions:
- What query patterns can be efficiently supported?
- How private can the “inaccessible” data remain?
Related Problems
[Diagram repeated: a data collection agency makes data query attempts against the collected data; allowed queries are easy, disallowed queries are infeasible]
… stronger than privacy-preserving data mining
We want to have provable data privacy
… harder than search on encrypted data
In our threat model, data “creators” are not trusted to input correct data
– E.g., money launderers will try to avoid detection
Basic Problem: Efficient Subpoena
By default, all data should remain
inaccessible to the agency
• Data values are secret
• Data creators are anonymous
When some data creator U is subpoenaed,
all his data should be revealed to the agency
• Agency needs to escrow everyone’s data
• Once U is subpoenaed, agency must be able to efficiently
identify all escrows related to U and efficiently open them
• Everyone else’s data should remain inaccessible
Problems with Public-Key Escrow
Public-key escrow schemes provide
either privacy, or efficiency, but not both
Escrows are ciphertexts only: E_PK{“U”, m}
• Full privacy
• Very inefficient subpoena
– If the decryption key is threshold-shared between several trustees, escrow agency must test each ciphertext by threshold decryption!!
Escrows tagged by creator’s identity: “U”, E_PK{m}
• Subpoena is efficient
• Privacy is compromised
– Escrow agency learns who makes transactions, when, how often, whether transactions of U and U’ are correlated, etc.
Our Transaction Escrow Scheme
Transactions are escrowed in a way that makes
information available only for controlled use
• Efficient subpoena procedures (unlike public-key escrow)
• Assured privacy and anonymity for personal data
• Investigative pattern matching: escrows are opened
automatically when they match some pattern (and only then!)
No trusted parties
• Secure against malicious escrow agent
• Corrupt transaction participants cannot break privacy and
anonymity of transactions between honest parties
Provable security
• Reduction to Decisional Diffie-Hellman in Random Oracle Model
Verifiable Transaction Escrow
[Diagram: User, Escrow agency, Transaction counterparty (e.g., bank), Escrowed data]
• User → Escrow agency: escrow
• Escrow agency → User: signed receipt
• User → Transaction counterparty: transaction (e.g., money transfer to Caymans) with proof of possession of correct receipt
• User proves that the escrow was formed correctly
• Data access: user’s data are revealed only if user is subpoenaed
Escrows Must be Tagged
Subpoena: “John Doe’s wire transfers to Caymans”
• “John Doe” = user U; “wire transfers to Caymans” = type of transaction
Nondeterministic tags: tag = F_PK($)(U, type)
• There might be an efficient procedure which identifies tags corresponding to a given (U, type) “category”
• This takes at best 1 crypto op per each escrow
• Inefficient for large data sets (10 million escrows = 1 day on PC)
Deterministic tags: tag = F(U, type)
• Identification of subpoenaed escrows takes O(1) crypto ops regardless of the size of the database!
Deterministic Tags Require Private Keys
Efficient subpoena requires deterministic tagging
Public-key deterministic tagging functions are
vulnerable to guessing attacks
• If escrow is tagged with Tag = F_pk(U, type) where F is a publicly computable deterministic function, then privacy is still compromised, since agency can identify U’s escrows by re-computing F_pk(U, type)
Need a private tagging function instead
• Only the creator can compute the tag, using his private key
• The tagging function needs to be verifiable so that the creator can
prove that he has computed the tag correctly
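Added example (not from the original slides): a Python sketch of the guessing attack on a publicly computable deterministic tag, next to a tag keyed by the creator's private key. SHA-256 and HMAC are assumed stand-ins for F_pk and the private tagging function (HMAC is not verifiable, unlike the function the scheme calls for); user names, type labels, keys and the way the agency obtains the subpoenaed tag are constructed for illustration.

```python
import hashlib
import hmac

def public_tag(user: str, tx_type: str) -> str:
    """Publicly computable deterministic tag: anyone can recompute it."""
    return hashlib.sha256(f"{user}|{tx_type}".encode()).hexdigest()

def private_tag(key: bytes, user: str, tx_type: str) -> str:
    """Deterministic tag keyed by the creator's private key (HMAC stand-in)."""
    return hmac.new(key, f"{user}|{tx_type}".encode(), hashlib.sha256).hexdigest()

def guess_categories(tags, users, tx_types):
    """Agency-side guessing: recompute the public tag of every candidate category."""
    table = {public_tag(u, t): (u, t) for u in users for t in tx_types}
    return {tag: table[tag] for tag in tags if tag in table}

def build_index(escrows):
    """Group escrow ids by tag so identifying subpoenaed escrows is one lookup."""
    index = {}
    for escrow_id, tag in escrows:
        index.setdefault(tag, []).append(escrow_id)
    return index

# Constructed sample data (not from the slides)
USERS = ["alice", "bob", "john doe"]
TYPES = ["wire:caymans", "wire:domestic"]
KEYS = {u: hashlib.sha256(f"demo-key-{u}".encode()).digest() for u in USERS}
TXS = [("john doe", "wire:caymans"), ("alice", "wire:domestic"),
       ("john doe", "wire:caymans"), ("bob", "wire:caymans")]

def demo():
    pub = [(i, public_tag(u, t)) for i, (u, t) in enumerate(TXS)]
    priv = [(i, private_tag(KEYS[u], u, t)) for i, (u, t) in enumerate(TXS)]
    leaked_pub = guess_categories([t for _, t in pub], USERS, TYPES)
    leaked_priv = guess_categories([t for _, t in priv], USERS, TYPES)
    # Assumption: on subpoena the tag is computed with John Doe's private key.
    subpoena_tag = private_tag(KEYS["john doe"], "john doe", "wire:caymans")
    hits = build_index(priv).get(subpoena_tag, [])
    return len(leaked_pub), len(leaked_priv), hits

if __name__ == "__main__":
    print(demo())
```

With public tags every category in the database is identified by guessing; with keyed tags none is, yet the two John Doe escrows still share one tag and are found with a single index lookup.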
“Good Enough” Privacy
New notion: “category-preserving” privacy
From two escrows e = Escrow{u, m, type} and e’ = Escrow{u’, m’, type’},
agency learns only whether (u, type) = (u’, type’)
• u is creator’s identity, m is transaction description,
type is classification, e.g., “this is money transfer to Caymans”
Agency does not learn what these categories are
• The agency can tell that two transactions were performed by the
same person, but cannot tell who that person is
• The agency can tell that two escrows describe transactions of the
same type, but cannot determine what that type is
Category-Preserving Privacy
From two escrows e and e’ data collection agency
learns only whether category(e) = category(e’)
Weaker than perfect: agency learns that
correlated categories exist (but not what they are)
• If all escrows have the same category, then only one user is active
• If two categories always arrive together, they are “synchronized”
Good enough for massive data collection
• With high transaction rates, correlations will be hard to find
• Knowledge that some correlated categories exist seems harmless
Automatic Selective Revelation
Useful capability: automatic selective revelation
• Reveal all transactions of any person who made more than
t=5 wire transfers to the Caymans in the last month
• Escrows that do not match the condition must remain private
With nondeterministic tags, this is infeasible
• O(|D|^t) crypto ops (at least 1 crypto op per each subset of size t)
With deterministic tags, this is easy
• Agency only needs to look at escrows with the same tag
Efficiency and “Good Enough” Privacy
[Diagram: User, Escrow agency, Transaction counterparty (e.g., bank), Escrowed data]
• User → Escrow agency: tagged escrow
• Escrow agency → User: signed receipt
• User → Transaction counterparty: transaction (e.g., money transfer to Caymans) with ZK proof of possession of correct receipt
• Data access to tagged escrows: efficient subpoena & automatic revelation
Cryptographic Toolkit
[Diagram: User, Escrow agency, Transaction counterparty (e.g., bank), Escrowed data]
Tagged escrow (User → Escrow agency) consists of:
• Anonymous tag: verifiable random function
• Encrypted transaction: verifiable anonymous encryption
• Private signature: anonymous and private signature, verifiable by interaction with the signer
Escrow agency → User: signed receipt
User → Transaction counterparty: transaction (e.g., money transfer to Caymans) with ZK proof of possession of correct receipt
Security Properties
Subjects of monitoring cannot cheat
Subpoena and revelation of correct escrows cannot be avoided
Malicious insiders of escrow agency are powerless
Category-preserving privacy protects data from agency insiders
Cannot frame individuals by inserting bogus records
Malicious transaction counterparties cannot help
the malicious escrow agency
• Escrow submission and receipt verification protocols are unlinkable
Naive Verifiability Violates Privacy
[Diagram: User, Escrow agency, Counterparty, Escrowed data]
• Tagged escrow e = (t, c, s): anonymous tag (t), transaction ciphertext (c), private signature (s)
• User → Escrow agency: tagged escrow (e)
• Escrow agency → User: rcpt = Sig_EA(e)
• User → Counterparty: transaction (e.g., money transfer to Caymans) with (e, rcpt) and (m, U, type)
• Agency’s view: e = (t, c, s), rcpt
• Counterparty’s view: (e, rcpt), (m, U, type)
• Malicious counterparty links tag t with category (U, type) and breaks privacy of U’s transactions of this type with honest counterparties
Verifiability with Unlinkable Signatures
[Diagram: User, Escrow agency, Counterparty, Escrowed data]
• Tagged escrow (e): anonymous tag (t), transaction ciphertext (c), private signature (s)
• User → Escrow agency: tagged escrow (e)
• Escrow agency → User: rcpt = Sig_EA(e)
• Agency’s view: (e, rcpt)
• User → Counterparty: transaction (e.g., money transfer to Caymans); U sends (m, U, type) + ZK proof of possession of (e, rcpt) such that
1. e is a correct escrow of (m, U, type)
2. rcpt = Sig_EA(e)
• Counterparty’s view: (m, U, type)
• Unlinkable signatures [Camenisch Lysyanskaya] give us a signature scheme with ZK proof of signature possession
Automatic Selective Revelation
[Diagram: User submits escrows to the Escrow database]
• Correctness verified
• A share of the decryption key
• Same anonymous tag for all related escrows
• Decryption key is recovered from t related escrows when pattern is matched
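Added example (not from the original slides): a Python sketch of threshold revelation in which every escrow of one category carries the same tag plus one share of that category's decryption key, and the agency recovers the key only once t escrows share a tag. Shamir secret sharing, the HMAC-derived polynomial and tag, and the field prime P are assumptions; the correctness verification of shares shown on the slide is omitted.

```python
import hashlib
import hmac
import secrets

P = 2**127 - 1  # Mersenne prime used as the share field (assumed parameter)

def poly_coeffs(user_key: bytes, category: str, t: int):
    """Derive the same degree-(t-1) polynomial for every escrow of a category."""
    return [int.from_bytes(hmac.new(user_key, f"{category}|{i}".encode(),
                                    hashlib.sha256).digest(), "big") % P
            for i in range(t)]

def make_escrow(user_key: bytes, category: str, t: int):
    """Return (tag, share); coefficient 0 of the polynomial is the decryption key."""
    tag = hmac.new(user_key, b"tag|" + category.encode(), hashlib.sha256).hexdigest()
    x = secrets.randbelow(P - 1) + 1            # fresh evaluation point per escrow
    y = 0
    for c in reversed(poly_coeffs(user_key, category, t)):   # Horner evaluation
        y = (y * x + c) % P
    return tag, (x, y)

def recover_key(shares, t: int):
    """Lagrange-interpolate f(0) from t shares; None if fewer than t are distinct."""
    shares = list(dict(shares).items())[:t]     # keep distinct x values only
    if len(shares) < t:
        return None
    key = 0
    for j, (xj, yj) in enumerate(shares):
        num = den = 1
        for m, (xm, _) in enumerate(shares):
            if m != j:
                num = num * (-xm) % P
                den = den * (xj - xm) % P
        key = (key + yj * num * pow(den, -1, P)) % P
    return key

def reveal(escrows, t: int):
    """Agency side: group shares by tag, open only categories with >= t escrows."""
    by_tag = {}
    for tag, share in escrows:
        by_tag.setdefault(tag, []).append(share)
    return {tag: recover_key(s, t) for tag, s in by_tag.items() if len(s) >= t}
```

Grouping by tag is what keeps the agency's work linear in the number of escrows instead of one operation per size-t subset.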
Summary And Open Questions
Broader class of patterns for selective revelation
• Dynamically evolving patterns
• Patterns not specific to an individual user
Cumulative revelation criteria
• Reveal cumulative transactions once their total value reaches a
threshold (e.g., all transactions whose sum exceeds $10,000)
Relaxing PKI assumptions
• Is transaction escrow without users’ private keys possible?
Other notions of privacy
Support for other data collection functionalities