Vasilios Mavroudis,Andrea Cerulli,Petr Svenda,Dan Cvrcek,Dusan Klinec,George Danezis

DOI: https://doi.org/10.48550/arXiv.1709.03817

2017-10-29

Abstract:The semiconductor industry is fully globalized and integrated circuits (ICs) are commonly defined, designed and fabricated in different premises across the world. This reduces production costs, but also exposes ICs to supply chain attacks, where insiders introduce malicious circuitry into the final products. Additionally, despite extensive post-fabrication testing, it is not uncommon for ICs with subtle fabrication errors to make it into production systems. While many systems may be able to tolerate a few byzantine components, this is not the case for cryptographic hardware, storing and computing on confidential data. For this reason, many error and backdoor detection techniques have been proposed over the years. So far all attempts have been either quickly circumvented, or come with unrealistically high manufacturing costs and complexity. This paper proposes Myst, a practical high-assurance architecture, that uses commercial off-the-shelf (COTS) hardware, and provides strong security guarantees, even in the presence of multiple malicious or faulty components. The key idea is to combine protective-redundancy with modern threshold cryptographic techniques to build a system tolerant to hardware trojans and errors. To evaluate our design, we build a Hardware Security Module that provides the highest level of assurance possible with COTS components. Specifically, we employ more than a hundred COTS secure crypto-coprocessors, verified to FIPS140-2 Level 4 tamper-resistance standards, and use them to realize high-confidentiality random number generation, key derivation, public key decryption and signing. Our experiments show a reasonable computational overhead (less than 1% for both Decryption and Signing) and an exponential increase in backdoor-tolerance as more ICs are added.

Cryptography and Security

Heping Jia,Yi Ding,Rui Peng

DOI: https://doi.org/10.1109/icsrs.2018.8688837

2018-01-01

Abstract:With the deep integration of cyber physical systems, data storage systems might suffer from both physical failures and cyber attacks which significantly impact the systems' reliability. The data can be partitioned into several data parts to enhance data security and multiple replications can be created for each data part in the storage systems. In this paper, both the failures of data storage devices and cyber attacks including data theft and data corruption are considered in the proposed system model. Moreover, the multi-valued decision diagram (MDD) technique is developed for considering chronological characteristics of sequential events to achieve the quantitative reliability assessment. A numerical example is provided to validate the proposed model and method.

Carmit Hazay,Muthuramakrishnan Venkitasubramaniam,Mor Weiss

DOI: https://doi.org/10.1007/s00145-024-09524-3

2024-11-01

Journal of Cryptology

Abstract:Leakage-resilient cryptography aims to protect cryptographic primitives from so-called "side channel attacks" that exploit their physical implementation to learn their input or secret state. Starting from the works of Ishai, Sahai and Wagner (CRYPTO'03) and Micali and Reyzin (TCC'04), most works on leakage-resilient cryptography either focus on protecting general computations, such as circuits or multiparty computation protocols, or on specific non-interactive primitives such as storage, encryption, and signatures. This work focuses on leakage resilience for the middle ground, namely for distributed and interactive cryptographic primitives. Our main technical contribution is designing the first secret sharing scheme that is equivocal , resists adaptive probing of a constant fraction of bits from each share, while incurs only a constant blowup in share size. Equivocation is a strong leakage-resilience guarantee, recently introduced by Hazay et al. (ITC, 2021). Our construction is obtained via a general compiler which we introduce, that transforms any secret sharing scheme into an equivocal scheme against adaptive leakage. An attractive feature of our compiler is that it respects additive reconstruction; namely, if the original scheme has additive reconstruction, then the transformed scheme has linear reconstruction. We extend our compiler to a general paradigm for protecting distributed primitives against leakage and show its applicability to various primitives, including secret sharing, verifiable secret sharing, function secret sharing, distributed encryption and signatures, and distributed zero-knowledge proofs. For each of these primitives, our paradigm transforms any construction of the primitive into a scheme that resists adaptive party corruptions, as well as adaptive probing leakage of a constant fraction of bits in each share when the share is stored in memory (but not when it is used in computations). Moreover, the transformation incurs only a constant blowup in the share size and respects additive reconstruction—an important feature for several of these primitives, such as function secret sharing and distributed encryption.

computer science, theory & methods,engineering, electrical & electronic,mathematics, applied

Narges Kazempour,Mahtab Mirmohseni,Mohammad Reza Aref

DOI: https://doi.org/10.1007/s10207-024-00917-w

2024-11-13

International Journal of Information Security

Abstract:Most of the security services in the connected world of cyber-physical systems necessitate authenticating a large number of nodes privately. In this paper, the private authentication problem is considered which consists of a certificate authority, a verifier (or some verifiers), many legitimate users (provers), and an arbitrary number of attackers. Each legitimate user wants to be authenticated (using his personal key) by the verifier(s), while simultaneously staying completely anonymous (even to the verifier). On the other hand, an attacker must fail to be authenticated. We analyze this problem from an information-theoretic perspective and propose a general interactive information-theoretic model for the problem. As a metric to measure the reliability, we consider the normalized total key rate whose maximization has a trade-off with establishing privacy. The problem is considered in two different scenarios: single-server scenario (only one verifier is considered, to which all the provers are connected) and multi-server scenario ( N verifiers are assumed, where each verifier is connected to a subset of users). For both scenarios, two regimes are considered: finite size regime (i.e., the variables are elements of a finite field) and asymptotic regime (i.e., the variables are considered to have large enough length). We propose achievable schemes that satisfy the completeness, soundness, and privacy properties in both single-server and multi-server scenarios. In the finite size regime, the main idea is to generate the authentication keys according to a secret sharing scheme. We show that the proposed scheme in the special case of multi-server authentication in the finite size regime is optimal. In the asymptotic regime, we use a random binning-based scheme that relies on the joint typicality to generate the authentication keys. Moreover, providing the converse proof, we show that our scheme achieves capacity in the asymptotic regime both in the single-server and multi-server scenarios.

computer science, information systems, theory & methods, software engineering

Nikolaus von Bomhard,Bernd Ahlborn,Catherine Mason,Ulrich Mansmann

DOI: https://doi.org/10.1371/journal.pone.0202752

2018-07-27

Abstract:A growing framework of legal and ethical requirements limit scientific and commercial evalua-tion of personal data. Typically, pseudonymization, encryption, or methods of distributed com-puting try to protect individual privacy. However, computational infrastructures still depend on human system administrators. This introduces severe security risks and has strong impact on privacy: system administrators have unlimited access to the computers that they manage in-cluding encryption keys and pseudonymization-tables. Distributed computing and data obfuscation technologies reduce but do not eliminate the risk of privacy leakage by administrators. They produce higher implementation effort and possible data quality degradation. This paper proposes the Trusted Server as an alternative approach that provides a sealed and inaccessible computational environment in a cryptographically strict sense. During operation or by direct physical access to storage media, data stored and processed inside the Trusted Server can by no means be read, manipulated or leaked, other than by brute-force. Thus, secure and privacy-compliant data processing or evaluation of plain person-related data becomes possible even from multiple sources, which want their data kept mutually secret.

Cryptography and Security,Computers and Society

Sylvain Bellemare

2024-10-09

Abstract:A niche corner of the Web3 world is increasingly making use of hardware-based Trusted Execution Environments (TEEs) to build decentralized infrastructure. One of the motivations to use TEEs is to go beyond the current performance limitations of cryptography-based alternatives such as zero-knowledge proofs (ZKP), fully homomorphic encryption (FHE), and multi-party computation (MPC). Despite their appealing advantages, current TEEs suffer from serious limitations as they are not secure against physical attacks, and their attestation mechanism is rooted in the chip manufacturer's trust. As a result, Web3 applications have to rely on cloud infrastruture to act as trusted guardians of hardware-based TEEs and have to accept to trust chip manufacturers. This work aims at exploring how we could potentially architect and implement chips that would be secure against physical attacks and would not require putting trust in chip manufacturers. One goal of this work is to motivate the Web3 movement to acknowledge and leverage the substantial amount of relevant hardware research that already exists. In brief, a combination of: (1) physical unclonable functions (PUFs) to secure the root-of-trust; (2) masking and redundancy techniques to secure computations; (3) open source hardware and imaging techniques to verify that a chip matches its expected design; can help move towards attesting that a given TEE can be trusted without the need to trust a cloud provider and a chip manufacturer.

Cryptography and Security,Hardware Architecture,Emerging Technologies

Stav Buchsbaum,Ran Gilad-Bachrach,Yehuda Lindell

DOI: https://doi.org/10.48550/arXiv.1810.02066

2018-10-04

Abstract:In many cases, assessing the quality of goods is hard. For example, when purchasing a car, it is hard to measure how pollutant the car is since there are infinitely many driving conditions to be tested. Typically, these situations are considered under the umbrella of information asymmetry and as Akelrof showed may lead to a market of lemons. However, we argue that in many of these situations, the problem is not the missing information but the computational challenge of obtaining it. In a nut-shell, if verifying the value of goods requires a large amount of computation or even infinite amounts of computation, the buyer is forced to use a finite test that samples, in some sense, the quality of the goods. However, if the seller knows the test, then the seller can over-fit the test and create goods that pass the quality test despite not having the desired quality. We show different solutions to this situation including a novel approach that uses secure computation to hide the test from the seller to prevent over-fitting.

Computer Science and Game Theory,Cryptography and Security

Arpita Ghosh,Katrina Ligett,Aaron Roth,Grant Schoenebeck

DOI: https://doi.org/10.1145/2600057.2602902

2014-06-01

Abstract:We consider the problem of designing a survey to aggregate non-verifiable information from a privacy-sensitive population: an analyst wants to compute some aggregate statistic from the private bits held by each member of a population, but cannot verify the correctness of the bits reported by participants in his survey. Individuals in the population are strategic agents with a cost for privacy, ie, they not only account for the payments they expect to receive from the mechanism, but also their privacy costs from any information revealed about them by the mechanism's outcome---the computed statistic as well as the payments---to determine their utilities. How can the analyst design payments to obtain an accurate estimate of the population statistic when individuals strategically decide both whether to participate and whether to truthfully report their sensitive information' We design a differentially private peer-prediction mechanism [Miller et al. 2005] that supports accurate estimation of the population statistic as a Bayes-Nash equilibrium in settings where agents have explicit preferences for privacy. The mechanism requires knowledge of the marginal prior distribution on bits bi, but does not need full knowledge of the marginal distribution on the costs ci, instead requiring only an approximate upper bound. Our mechanism guarantees ε-differential privacy to each agent i against any adversary who can observe the statistical estimate output by the mechanism, as well as the payments made to the n-1 other agents j ≠ i. Finally, we show that with slightly more structured assumptions on the privacy cost functions of each agent [Chen et al. 2013], the cost of running the survey goes to 0 as the number of agents diverges.

Lex Bailey,Jim Woodcock,Simon Foster,Roberto Metere

2023-09-08

Abstract:The severity of recent vulnerabilities discovered on modern CPUs, e.g., Spectre [1], highlights how information leakage can have devas-tating effects to the security of computer systems. At the same time, it suggests that confidentiality should be promoted as a normal part of program verification, to discover and mitigate such vulnerabili-ties early in development. The theory we propose is primarily based on Bank's theory [2], a framework for reasoning about confidentiali-ty properties formalised in the Unifying Theories of Programming (UTP) [3]. We mechanised our encoding in the current implementa-tion of UTP in the Isabelle theorem prover, Isabelle/UTP [4]. We have identified some theoretical issues in Bank's original framework. Finally, we demonstrate how our mechanisation can be used to for-mally verify of some of the examples from Bank's work.

Cryptography and Security

Eldon Chung

2024-06-24

Abstract:In this thesis, we study extensions of statistical cryptographic primitives. In particular we study leakage-resilient secret sharing, non-malleable extractors, and immunized ideal one-way functions. The thesis is divided into three main chapters. In the first chapter, we show that 2-out-of-2 leakage resilient (and also non-malleable) secret sharing requires randomness sources that are also extractable. This rules out the possibility of using min-entropic sources. In the second, we introduce collision-resistant seeded extractors and show that any seeded extractor can be made collision resistant at a small overhead in seed length. We then use it to give a two-source non-malleable extractor with entropy rate 0.81 in one source and polylogarithmic in the other. The non-malleable extractor lead to the first statistical privacy amplification protocol against memory tampering adversaries. In the final chapter, we study the hardness of the data structure variant of the 3SUM problem which is motivated by a recent construction to immunise random oracles against pre-processing adversaries. We give worst-case data structure hardness for the 3SUM problem matching known barriers in data structures for adaptive adversaries. We also give a slightly stronger lower bound in the case of non-adaptivity. Lastly, we give a novel result in the bit-probe setting.

Cryptography and Security

Nicolae Constantinescu

DOI: https://doi.org/10.48550/arXiv.1202.5921

2012-02-28

Abstract:One of the main problems in cryptography is to give criteria to provide good comparators of cipher systems. The security of a cipher system must include the security of the algorithm, the security of the key generator and management module (see [BM94], [CM97],[Mau92a]) and the security of the cryptographic key agreement protocol (see [Mau93a],[MC94],[Mau93b],[Mau92b]). This paper gives show the necessary mathematical background to estimate the most important cryptographic measures of the key generators and of the unconditionally key agreement protocols. These cryptographic measures are the Shannon entropy (for the key generator module) and Renyi entropy of order alpha for the key agreement protocol.

Cryptography and Security

Yuanhao Wang,Qiong Huang,Hongbo Li,Jianye Huang,Guomin Yang,Willy Susilo

DOI: https://doi.org/10.1109/access.2019.2940646

IF: 3.9

2019-01-01

IEEE Access

Abstract:Due to the massive growth of data and security concerns, data of patients would be encrypted and outsourced to the cloud server for feature matching in various medical scenarios, such as personal health record systems, actuarial judgments and diagnostic related groups. Public key encryption with equality test (PKEET) is a useful utility for encrypted feature matching. Authorized tester could perform data matching on encrypted data without decrypting. Unfortunately, due to the limited terminology in medicine, people within institutions may illegally use data, trying to obtain information through traversal methods. In this paper we propose a new PKEET notion, called public-key authenticated encryption with designated equality test (PKAE-DET), which could resist this kind of attacks launched by an inside adversary, known as offline message recovery attacks (OMRA). We propose a concrete construction of PKAE-DET, which only requires one single server to perform the feature matching job securely, and does not require any group mechanism. We prove its security based on some simple mathematical assumptions. Experimental results show that our scheme has efficiency comparable with those PKEET schemes which do not resist OMRA attacks or require group mechanism. We further show how our scheme could be effectively used in diagnostic related groups in medicine, demonstrating its practicability.

Andrea Flamini,Giada Sciarretta,Mario Scuro,Amir Sharif,Alessandro Tomasi,Silvio Ranise

2024-01-16

Abstract:Verifiable credentials are a digital analogue of physical credentials. Their authenticity and integrity are protected by means of cryptographic techniques, and they can be presented to verifiers to reveal attributes or even predicates about the attributes included in the credential. One way to preserve privacy during presentation consists in selectively disclosing the attributes in a credential. In this paper we present the most widespread cryptographic mechanisms used to enable selective disclosure of attributes identifying two categories: the ones based on hiding commitments - e.g., mdl ISO/IEC 18013-5 - and the ones based on non-interactive zero-knowledge proofs - e.g., BBS signatures. We also include a description of the cryptographic primitives used to design such cryptographic mechanisms. We describe the design of the cryptographic mechanisms and compare them by performing an analysis on their standard maturity in terms of standardization, cryptographic agility and quantum safety, then we compare the features that they support with main focus on the unlinkability of presentations, the ability to create predicate proofs and support for threshold credential issuance. Finally we perform an experimental evaluation based on the Rust open source implementations that we have considered most relevant. In particular we evaluate the size of credentials and presentations built using different cryptographic mechanisms and the time needed to generate and verify them. We also highlight some trade-offs that must be considered in the instantiation of the cryptographic mechanisms.

Cryptography and Security

Marcus Birgersson,Cyrille Artho,Musard Balliu

2024-10-14

Abstract:Many applications benefit from computations over the data of multiple users while preserving confidentiality. We present a solution where multiple mutually distrusting users' data can be aggregated with an acceptable overhead, while allowing users to be added to the system at any time without re-encrypting data. Our solution to this problem is to use a Trusted Execution Environment (Intel SGX) for the computation, while the confidential data is encrypted with the data owner's key and can be stored anywhere, without trust in the service provider. We do not require the user to be online during the computation phase and do not require a trusted party to store data in plain text. Still, the computation can only be carried out if the data owner explicitly has given permission. Experiments using common functions such as the sum, least square fit, histogram, and SVM classification, exhibit an average overhead of $1.6 \times$. In addition to these performance experiments, we present a use case for computing the distributions of taxis in a city without revealing the position of any other taxi to the other parties.

Cryptography and Security

Zhenhua Chen,Shundong Li,Qiong Huang,Jianhua Yan,Yong Ding

DOI: https://doi.org/10.6633/ijns.201609.18(5).11

2016-01-01

Abstract:In this paper, we propose a joint random secret sharing scheme with public verifiability. It is practical in distributed environment. Utilizing additive homomorphism, a random secret will be corporately constructed by some participants, which avoids the need for a mutually trusted dealer. In addition, we explore the technique of homomorphic verification and that of bilinear pairing to allow each participant to publicly verify whether the received shares are consistent. The verification process in our scheme is unconditionally secure and non-interactive without using Fiat-Shamir technique or any additional zero knowledge proof, which is simple and higher efficient compared with previously known. Lastly, as an applied example of our work, we present how our techniques can be applied to handle dynamic node-join in mobile ad hoc network.

Pavel Hubáček,Sunoo Park

DOI: https://doi.org/10.48550/arXiv.1411.3747

2014-11-14

Abstract:In this work we apply methods from cryptography to enable any number of mutually distrusting players to implement broad classes of mediated equilibria of strategic games without the need for trusted mediation. Our implementation makes use of a (standard) pre-play "cheap talk" phase, in which players engage in free and non-binding communication prior to playing in the original game. In our cheap talk phase, the players execute a secure multi-party computation protocol to sample an action profile from an equilibrium of a "cryptographically blinded" version of the original game, in which actions are encrypted. The essence of our approach is to exploit the power of encryption to selectively restrict the information available to players about sampled action profiles, such that these desirable equilibria can be stably achieved. In contrast to previous applications of cryptography to game theory, this work is the first to employ the paradigm of using encryption to allow players to benefit from hiding information \emph{from themselves}, rather than from others; and we stress that rational players would \emph{choose} to hide the information from themselves.

Computer Science and Game Theory

Ee-Chien Chang,Jia Xu

DOI: https://doi.org/10.1007/978-3-540-88313-5_15

2008-01-01

Abstract:We are interested in this problem: a verifier, with a small and reliable storage, wants to periodically check whether a remote server is keeping a large file x. A dishonest server, by adapting the challenges and responses, tries to discard partial information of x and yet evades detection. Besides the security requirements, there are considerations on communication, storage size and computation time. Juels et al. [10] gave a security model for Proof of Retrievability (\documentclass[12pt]{minimal}\usepackage{amsmath}\usepackage{wasysym}\usepackage{amsfonts}\usepackage{amssymb}\usepackage{amsbsy}\usepackage{mathrsfs}\usepackage{upgreek}\setlength{\oddsidemargin}{-69pt}\begin{document}$\mathcal{POR}$\end{document}) system. The model imposes a requirement that the original x can be recovered from multiple challenges-responses. Such requirement is not necessary in our problem. Hence, we propose an alternative security model for Remote Integrity Check (\documentclass[12pt]{minimal}\usepackage{amsmath}\usepackage{wasysym}\usepackage{amsfonts}\usepackage{amssymb}\usepackage{amsbsy}\usepackage{mathrsfs}\usepackage{upgreek}\setlength{\oddsidemargin}{-69pt}\begin{document}$\mathcal{RIC}$\end{document}). We study a few schemes and analyze their efficiency and security. In particular, we prove the security of a proposed scheme HENC. This scheme can be deployed as a \documentclass[12pt]{minimal}\usepackage{amsmath}\usepackage{wasysym}\usepackage{amsfonts}\usepackage{amssymb}\usepackage{amsbsy}\usepackage{mathrsfs}\usepackage{upgreek}\setlength{\oddsidemargin}{-69pt}\begin{document}$\mathcal{POR}$\end{document} system and it also serves as an example of an effective \documentclass[12pt]{minimal}\usepackage{amsmath}\usepackage{wasysym}\usepackage{amsfonts}\usepackage{amssymb}\usepackage{amsbsy}\usepackage{mathrsfs}\usepackage{upgreek}\setlength{\oddsidemargin}{-69pt}\begin{document}$\mathcal{POR}$\end{document} system whose “extraction” is not verifiable. We also propose a combination of the RSA-based scheme by Filho et al. [7] and the ECC-based authenticator by Naor et al. [12], which achieves good asymptotic performance. This scheme is not a \documentclass[12pt]{minimal}\usepackage{amsmath}\usepackage{wasysym}\usepackage{amsfonts}\usepackage{amssymb}\usepackage{amsbsy}\usepackage{mathrsfs}\usepackage{upgreek}\setlength{\oddsidemargin}{-69pt}\begin{document}$\mathcal{POR}$\end{document} system and seems to be a secure \documentclass[12pt]{minimal}\usepackage{amsmath}\usepackage{wasysym}\usepackage{amsfonts}\usepackage{amssymb}\usepackage{amsbsy}\usepackage{mathrsfs}\usepackage{upgreek}\setlength{\oddsidemargin}{-69pt}\begin{document}$\mathcal{RIC}$\end{document}. In-so-far, all schemes that have been proven secure can also be adopted as \documentclass[12pt]{minimal}\usepackage{amsmath}\usepackage{wasysym}\usepackage{amsfonts}\usepackage{amssymb}\usepackage{amsbsy}\usepackage{mathrsfs}\usepackage{upgreek}\setlength{\oddsidemargin}{-69pt}\begin{document}$\mathcal{POR}$\end{document} systems. This brings out the question of whether there are fundamental differences between the two models. To highlight the differences, we introduce a notion, trap-door compression, that captures a property on compressibility.

Wan-Guan Chang,Kai-Chun Chen,Kai-Siang Chen,Shin-Liang Chen,Yeong-Cherng Liang

2024-05-04

Abstract:In the development of quantum technologies, a reliable means for characterizing quantum devices is crucial. However, the conventional approach based on, e.g., quantum state tomography or process tomography relies on assumptions often not necessarily justifiable in a realistic experimental setting. While the device-independent approach to this problem bypasses the shortcomings above by making only minimal, justifiable assumptions, most of the theoretical proposals to date only work in the idealized setting where i.i.d. trials are assumed. Here, we provide a versatile solution for rigorous device-independent certification that does not rely on the i.i.d. assumption. Specifically, we describe how the prediction-based-ratio (PBR) protocol and martingale-based protocol developed for hypothesis testing can be applied in the present context to achieve a device-independent certification of desirable properties with confidence interval. To illustrate the versatility of these methods, we demonstrate how we can use them to certify, with finite data, the underlying negativity, Hilbert space dimension, entanglement depth, and fidelity to some target pure state. In particular, we give examples showing how the amount of certifiable negativity and fidelity scales with the number of trials, and how many experimental trials one needs to certify a qutrit state space, or the presence of genuine tripartite entanglement. Overall, we have found that the PBR protocol and the martingale-based protocol often offer similar performance, even though the former does have to presuppose any witness. In contrast, our findings also show that the performance of the martingale-based protocol may be severely affected by one's choice of the witness. Intriguingly, a witness useful for self-testing does not necessarily give the optimal confidence-gain rate for certifying the fidelity to the corresponding target state.

Quantum Physics

Sebastien Gambs,Samuel Ranellucci,and Alain Tapp

DOI: https://doi.org/10.48550/arXiv.1409.2432

2014-09-09

Abstract:In the current architecture of the Internet, there is a strong asymmetry in terms of power between the entities that gather and process personal data (e.g., major Internet companies, telecom operators, cloud providers, ...) and the individuals from which this personal data is issued. In particular, individuals have no choice but to blindly trust that these entities will respect their privacy and protect their personal data. In this position paper, we address this issue by proposing an utopian crypto-democracy model based on existing scientific achievements from the field of cryptography. More precisely, our main objective is to show that cryptographic primitives, including in particular secure multiparty computation, offer a practical solution to protect privacy while minimizing the trust assumptions. In the crypto-democracy envisioned, individuals do not have to trust a single physical entity with their personal data but rather their data is distributed among several institutions. Together these institutions form a virtual entity called the Trustworthy that is responsible for the storage of this data but which can also compute on it (provided first that all the institutions agree on this). Finally, we also propose a realistic proof-of-concept of the Trustworthy, in which the roles of institutions are played by universities. This proof-of-concept would have an important impact in demonstrating the possibilities offered by the crypto-democracy paradigm.

Cryptography and Security,Computers and Society

Sylvain Chatel,Apostolos Pyrgelis,Juan R. Troncoso-Pastoriza,Jean-Pierre Hubaux

DOI: https://doi.org/10.48550/arXiv.2007.04025

2020-07-08

Cryptography and Security

Abstract:In the digital era, users share their personal data with service providers to obtain some utility, e.g., access to high-quality services. Yet, the induced information flows raise privacy and integrity concerns. Consequently, cautious users may want to protect their privacy by minimizing the amount of information they disclose to curious service providers. Service providers are interested in verifying the integrity of the users' data to improve their services and obtain useful knowledge for their business. In this work, we present a generic solution to the trade-off between privacy, integrity, and utility, by achieving authenticity verification of data that has been encrypted for offloading to service providers. Based on lattice-based homomorphic encryption and commitments, as well as zero-knowledge proofs, our construction enables a service provider to process and reuse third-party signed data in a privacy-friendly manner with integrity guarantees. We evaluate our solution on different use cases such as smart-metering, disease susceptibility, and location-based activity tracking, thus showing its versatility. Our solution achieves broad generality, quantum-resistance, and relaxes some assumptions of state-of-the-art solutions without affecting performance.