fast privacy preserving punch cards why go digital
play

Fast Privacy-Preserving Punch Cards Why go digital? Customer - PowerPoint PPT Presentation

Mar 29, 2024 •272 likes •754 views

Fast Privacy-Preserving Punch Cards Why go digital? Customer convenience No lost cards Better bookkeeping Hard to Counterfeit Contactless Why go digital? Customer convenience No lost cards Better bookkeeping Hard to Counterfeit

  1. Fast Privacy-Preserving Punch Cards

  6. Why go digital? Customer convenience No lost cards Better bookkeeping Hard to Counterfeit Contactless

  7. Why go digital? Customer convenience No lost cards Better bookkeeping Hard to Counterfeit Contactless

  8. Why go digital? Customer convenience No lost cards Better bookkeeping Hard to Counterfeit Contactless

  9. Why go digital? Why NOT go digital? Customer convenience Digital loyalty programs can be data-stealing monsters* No lost cards Better bookkeeping Hard to Counterfeit Contactless

  10. Can we get the benefits of digital loyalty programs Why go digital? Why NOT go digital? without sacrificing privacy? Customer convenience Digital loyalty programs can be data-stealing monsters* No lost cards Better bookkeeping Hard to Counterfeit Contactless

  11. Existing Approaches Anonymous credentials, eCash, uCentive - Give customers an unlinkable token for each purchase - Customer redeems by presenting a bunch of tokens - Work scales linearly in the number of hole punches

  12. Existing Approaches Recent line of work: BBA [JR16] , BBA+ [HHNR17] , UACS [BBDE19] , Bobolz et al. [BEKS20] - “Black-box accumulation”/“Updatable anonymous credentials” - Punch card storage and performance independent of number of punches - Support for broader functionalities - e.g., Offline double spending, negative points, partial redemption - Performance could be improved -- reliance on pairings, involved proofs - Mismatch between scheme and punch card deployment scenario

  13. Our Work Focus on real requirements for punch cards: - No long-term user identity tied to a public key - No server work to issue cards (avoids DoS) - Minimizes round complexity

  14. Our Work Focus on real requirements for punch cards: - No long-term user identity tied to a public key - No server work to issue cards (avoids DoS) - Minimizes round complexity Improves performance: - Removes reliance on pairings - 14x faster card punch, 25x less communication - 394x faster card redemption, 62x less communication

  15. Punch Card Functionality Server setup: initialize server secrets, database of redeemed cards Card issuance: issue a fresh punch card Card punch: add a punch to an existing punch card Card redemption/validation: submit a completed punch card for a reward

  16. Punch Card Security Privacy: Server can’t link any issuances, punches, or redemptions to each other Server can simulate everything it sees when issuing/punching/redeeming a card. Soundness: Client can’t redeem more punches than it has received Challenger allows adversary to punch and redeem cards. Adversary wins if more punches redeemed than given.

  17. First Attempt Idea: server raises group element to secret power for each punch

  18. First Attempt Client Server Issue Setup p 0 ← R G sk ← R Z q

  19. First Attempt Client Server Issue Setup p 0 ← R G sk ← R Z q Punch Punch p i sk p i+1 ← p i p i+1

  20. First Attempt Client Server Issue Setup p 0 ← R G sk ← R Z q Punch Punch p i sk p i+1 ← p i p i+1 Redeem Verify sk^n Accept iff 1. p n = p 0 p 0 ,p n 2. p 0 not redeemed before

  21. First Attempt Client Server Neither private Issue Setup nor sound! p 0 ← R G sk ← R Z q Punch Punch p i sk p i+1 ← p i p i+1 Redeem Verify sk^n Accept iff 1. p n = p 0 p 0 ,p n 2. p 0 not redeemed before

  22. Adding Privacy Idea: client masks punch card before sending to server

  23. Adding Privacy Idea: client masks punch card before sending to server Client Server Punch Punch m ← R Z q m p i ’ ← p i p i ’ p’ i+1 ← (p’ i ) sk p’ i+1 p i+1 ← (p’ i+1 ) m^-1

  24. Adding Privacy Idea: client masks punch card before sending to server Client Server Punch Punch m ← R Z q m p i ’ ← p i p i ’ p’ i+1 ← (p’ i ) sk p’ i+1 Only semihonest security! p i+1 ← (p’ i+1 ) m^-1

  25. Malicious Privacy Malicious attack: server raises one punch card to a different power

  26. Malicious Privacy Malicious attack: server raises one punch card to a different power Defense: Server provides proof that it raised card to the same power each time

  27. Malicious Privacy Malicious attack: server raises one punch card to a different power Defense: Server provides proof that it raised card to the same power each time Modify server setup to include pk = g sk Use Chaum-Pedersen Proof: Given g, pk, p , prove knowledge of sk s.t. pk=g sk , p’=p sk

  28. Adding Soundness Current redeem process: client sends p 0 ,p n Server checks p n = (p 0 ) sk^n , p 0 not redeemed before

  29. Adding Soundness Current redeem process: client sends p 0 ,p n Server checks p n = (p 0 ) sk^n , p 0 not redeemed before Attack: 1. Malicious client sends p 0 ,p n Server checks p n = (p 0 ) sk^n , p 0 not redeemed before, redeems n points 2.

  30. Adding Soundness Current redeem process: client sends p 0 ,p n Server checks p n = (p 0 ) sk^n , p 0 not redeemed before Attack: 1. Malicious client sends p 0 ,p n Server checks p n = (p 0 ) sk^n , p 0 not redeemed before, redeems n points 2. 3. Malicious client gets another punch on p n , acquires p n+1

  31. Adding Soundness Current redeem process: client sends p 0 ,p n Server checks p n = (p 0 ) sk^n , p 0 not redeemed before Attack: 1. Malicious client sends p 0 ,p n Server checks p n = (p 0 ) sk^n , p 0 not redeemed before, redeems n points 2. 3. Malicious client gets another punch on p n , acquires p n+1 4. Malicious client sends p 1 , p n+1 Server checks p n+1 = (p 1 ) sk^(n+1) , p 1 not redeemed before, redeems n points 5.

  32. Adding Soundness Current redeem process: client sends p 0 ,p n Server checks p n = (p 0 ) sk^n , p 0 not redeemed before Attack: 1. Malicious client sends p 0 ,p n Server checks p n = (p 0 ) sk^n , p 0 not redeemed before, redeems n points 2. 3. Malicious client gets another punch on p n , acquires p n+1 4. Malicious client sends p 1 , p n+1 Server checks p n+1 = (p 1 ) sk^(n+1) , p 1 not redeemed before, redeems n points 5. Client gets n+1 punches, redeems 2n points, breaks soundness

  33. Adding Soundness Idea: client can’t redeem a punch card p 0 unless it knows the preimage of a hash function (modeled as RO) that outputs p 0 Client Server

  34. Adding Soundness Idea: client can’t redeem a punch card p 0 unless it knows the preimage of a hash function (modeled as RO) that outputs p 0 Client Server Issue Setup id ← R {0,1} ƛ sk ← R Z q pk ← R g sk p 0 ← H(id)

  35. Adding Soundness Idea: client can’t redeem a punch card p 0 unless it knows the preimage of a hash function (modeled as RO) that outputs p 0 Client Server Issue Setup id ← R {0,1} ƛ sk ← R Z q pk ← R g sk p 0 ← H(id) ... ... Verify Redeem id,p n Accept iff 1. p n = H(id) sk^n 2. id not redeemed before

  36. Proving Soundness Proof in Algebraic Group Model (most prior work proven in more restrictive GGM) Adversaries in the AGM must accompany each group element they send with a representation of that group element in terms of previously seen elements In this model, DDH-style assumptions are equivalent to discrete log

  37. Proving Soundness Proof in Algebraic Group Model (most prior work proven in more restrictive GGM) Adversaries in the AGM must accompany each group element they send with a representation of that group element in terms of previously seen elements In this model, DDH-style assumptions are equivalent to discrete log Proof relies on hardness of d -discrete log assumption: given g, g x , g x^2 , g x^d , find x .

  38. Proving Soundness Let d- dlog group elements be X 0 =g, X 1 = g x , …, X d =g x^d 1.

  39. Proving Soundness Let d- dlog group elements be X 0 =g, X 1 = g x , …, X d =g x^d 1. 2. Set the server secret to be the d -dlog solution x

  40. Proving Soundness Let d- dlog group elements be X 0 =g, X 1 = g x , …, X d =g x^d 1. 2. Set the server secret to be the d -dlog solution x Program RO so that every hash output is of the form g r where the soundness 3. challenger knows r ← R Z q (but output still looks random to the adversary)

  41. Proving Soundness Let d- dlog group elements be X 0 =g, X 1 = g x , …, X d =g x^d 1. 2. Set the server secret to be the d -dlog solution x Program RO so that every hash output is of the form g r where the soundness 3. challenger knows r ← R Z q (but output still looks random to the adversary) 4. To punch a card, look at algebraic representation of punch card and replace each X i with X i+1 .

  42. Proving Soundness Let d- dlog group elements be X 0 =g, X 1 = g x , …, X d =g x^d 1. 2. Set the server secret to be the d -dlog solution x Program RO so that every hash output is of the form g r where the soundness 3. challenger knows r ← R Z q (but output still looks random to the adversary) 4. To punch a card, look at algebraic representation of punch card and replace each X i with X i+1 . 5. Soundness adversary who wins the soundness game produces a punch card r , which gives the challenger 2 whose representation does not include X n representations of X n . It can use this to break discrete log.

  43. Implementation Java (Android) wrapper around Rust implementation Main construction implemented using curve25519-dalek Evaluated on Pixel 1 (client) and recent Thinkpad laptop with i5 processor (server)

Recommend

Motivation Dramatic increase in digital data Privacy-Preserving Data Mining World Wide

Motivation Dramatic increase in digital data Privacy-Preserving Data Mining World Wide

Motivation Dramatic increase in digital data Privacy-Preserving Data Mining World Wide Web Growing Privacy Concerns Rakesh Agrawal Ramakrishnan Srikant A Surveys of web users IBM Almaden Research Center 17%

369 views • 8 slides
Fast & Faster Privacy-Preserving ML in Secure Hardware Enclaves Nick Hynes, Raymond

Fast & Faster Privacy-Preserving ML in Secure Hardware Enclaves Nick Hynes, Raymond

Fast & Faster Privacy-Preserving ML in Secure Hardware Enclaves Nick Hynes, Raymond Cheng, Dawn Song | UC Berkeley & Oasis Labs with support from the TVM team and community! Ideal: data providers pool data to train a large, complex

1.41k views • 58 slides
Privacy Preserving Protocols Workshop on Cryptography for the Internet of Things Jens Hermans KU

Privacy Preserving Protocols Workshop on Cryptography for the Internet of Things Jens Hermans KU

Privacy Preserving Protocols Privacy Preserving Protocols Workshop on Cryptography for the Internet of Things Jens Hermans KU Leuven - COSIC 20 November 2012 Privacy Preserving Protocols Introduction Cryptography in Daily Life RFID Privacy

1.04k views • 60 slides
Introduction Graphics cards can render a lot, and fast But never as much or as fast as

Introduction Graphics cards can render a lot, and fast But never as much or as fast as

10/3/2012 Introduction Graphics cards can render a lot, and fast But never as much or as fast as wed like! Updating the game world can involve a lot of Scene Management objects Consider Dragonfly doing collision detection

375 views • 3 slides
BLAZE: BLAZING FAST PRIVACY-PRESERVING MACHINE LEARNING ARPITA PATRA AND AJITH SURESH Ajith

BLAZE: BLAZING FAST PRIVACY-PRESERVING MACHINE LEARNING ARPITA PATRA AND AJITH SURESH Ajith

BLAZE: BLAZING FAST PRIVACY-PRESERVING MACHINE LEARNING ARPITA PATRA AND AJITH SURESH Ajith Suresh CrIS Lab, IISc https://www.csa.iisc.ac.in/~cris Outline q Secure Multi-party Computation (MPC) q MPC for small number of parties (3PC) q Our

2.46k views • 53 slides
AN EXTENSIBLE AND PRIVACY- PRESERVING MOBILE ID Michael Hlzl, MSc Institute of Networks and

AN EXTENSIBLE AND PRIVACY- PRESERVING MOBILE ID Michael Hlzl, MSc Institute of Networks and

AN EXTENSIBLE AND PRIVACY- PRESERVING MOBILE ID Michael Hlzl, MSc Institute of Networks and Security, JKU Linz IKT Sicherheitskonferenz 2017 26. September 2017, Villach Digital Identity: State of the Art OpenID: some (large) providers,

1.17k views • 18 slides
Privacy-preserving Information Sharing: Crypto Tools and Applications Emiliano De Cristofaro

Privacy-preserving Information Sharing: Crypto Tools and Applications Emiliano De Cristofaro

Privacy-preserving Information Sharing: Crypto Tools and Applications Emiliano De Cristofaro University College London (UCL) https://emilianodc.com Privacy-preserving what ? Parties with limited mutual trust willing or required to share

1.1k views • 66 slides
New Directions in Privacy- preserving Machine Learning Kamalika Chaudhuri University of

New Directions in Privacy- preserving Machine Learning Kamalika Chaudhuri University of

New Directions in Privacy- preserving Machine Learning Kamalika Chaudhuri University of California, San Diego Sensitive Data Medical Records Genetic Data Search Logs AOL Violates Privacy AOL Violates Privacy Netflix Violates Privacy [NS08]

957 views • 92 slides
Privacy-Preserving Computation with Trusted Computing via Scramble-then-Compute Hung Dang, Anh

Privacy-Preserving Computation with Trusted Computing via Scramble-then-Compute Hung Dang, Anh

Privacy-Preserving Computation with Trusted Computing via Scramble-then-Compute Hung Dang, Anh Dinh, Ee-Chien Chang, Beng Chin Ooi School of Computing National University of Singapore PETS 2017 Privacy-Preserving Computation with Trusted

477 views • 34 slides
Preserving the Privacy of Sensitive Relationships in Graph Data Motivation Valuable Data! No

Preserving the Privacy of Sensitive Relationships in Graph Data Motivation Valuable Data! No

Preserving the Privacy of Sensitive Relationships in Graph Data Motivation Valuable Data! No privacy breaches! Public Data Anonymization Data representation? Privacy breach? Value of data? Data publisher Privacy Analyst Work by: Elena

80 views • 3 slides
Collaborative Privacy Preserving Data Mining in Vertically Partitioned Databases Ehud Gudes

Collaborative Privacy Preserving Data Mining in Vertically Partitioned Databases Ehud Gudes

Collaborative Privacy Preserving Data Mining in Vertically Partitioned Databases Ehud Gudes Ben-Gurion University, Israel This talk presents joint work with Boris Rozenberg Talk Outline Motivation for Privacy-Preserving Distributed Data

1.48k views • 68 slides
Privacy preserving data mining randomized response and association rule hiding Li Xiong

Privacy preserving data mining randomized response and association rule hiding Li Xiong

Privacy preserving data mining randomized response and association rule hiding Li Xiong CS573 Data Privacy and Anonymity Partial slides credit: W. Du, Syracuse University, Y. Gao, Peking University Privacy Preserving Data Mining

659 views • 39 slides
Privacy-preserving Biometrics in practice: diffjcult to sell Carmela Troncoso (Gradiant) My

Privacy-preserving Biometrics in practice: diffjcult to sell Carmela Troncoso (Gradiant) My

Privacy-preserving Biometrics in practice: diffjcult to sell Carmela Troncoso (Gradiant) My experience with biometrics and privacy Academic background on privacy Gradiants goal: transfer of knowledge to industry We bring state of

193 views • 6 slides
Network Privacy Mostly issues of preserving privacy of data flowing through network Start

Network Privacy Mostly issues of preserving privacy of data flowing through network Start

Network Privacy Mostly issues of preserving privacy of data flowing through network Start with encryption With good encryption, data values not readable So whats the problem? Lecture 17 Page 1 CS 236 Online Traffic Analysis

532 views • 21 slides
On the Theory and Practice of Privacy-Preserving Bayesian Data Analysis James Foulds,* Joseph

On the Theory and Practice of Privacy-Preserving Bayesian Data Analysis James Foulds,* Joseph

On the Theory and Practice of Privacy-Preserving Bayesian Data Analysis James Foulds,* Joseph Geumlek,* Max Welling, + Kamalika Chaudhuri* + University of Amsterdam *University of California, San Diego Overview Bayesian Privacy-preserving

878 views • 75 slides
Fast Simulation of Calorimeter Punch-Through Particles in ATLAS A Status Report Elmar Ritsch

Fast Simulation of Calorimeter Punch-Through Particles in ATLAS A Status Report Elmar Ritsch

Fast Simulation of Calorimeter Punch-Through Particles in ATLAS A Status Report Elmar Ritsch (University of Innsbruck) Andreas Salzburger (CERN) Emmerich Kneringer (University of Innsbruck) September 9, 2010 Elmar Ritsch (Innsbruck) Fast

305 views • 17 slides
Privacy-Preserving Query Processing over Encrypted Data in Cloud CS573 Data Privacy and Security

Privacy-Preserving Query Processing over Encrypted Data in Cloud CS573 Data Privacy and Security

Motivation Two-Cloud Setting PP k NN Classification Conclusion and Future Research Privacy-Preserving Query Processing over Encrypted Data in Cloud CS573 Data Privacy and Security Yousef M. Elmehdwi Department of Mathematics and Computer

919 views • 19 slides
DIMACS/PORTIA Workshop on Privacy Preserving Data Mining Data Mining & Information Privacy:

DIMACS/PORTIA Workshop on Privacy Preserving Data Mining Data Mining & Information Privacy:

DIMACS/PORTIA Workshop on Privacy Preserving Data Mining Data Mining & Information Privacy: New Problems and the Search for Solutions March 15 th , 2004 Tal Zarsky The Information Society Project, Yale Law School Introduction: Various

273 views • 25 slides
Privacy-Preserving DNS Analysis of Broadcast, Range Queries and Mixes Hannes Federrath,

Privacy-Preserving DNS Analysis of Broadcast, Range Queries and Mixes Hannes Federrath,

Privacy-Preserving DNS Analysis of Broadcast, Range Queries and Mixes Hannes Federrath, Karl-Peter Fuchs, Dominik Herrmann , Christopher Piosecny University of Hamburg (Germany) 1 Agenda Missing Privacy in DNS Characteristics of DNS Traffic

559 views • 24 slides
Privacy-preserving KYC on Ethereum Introduction A decentralized KYC-compliant identity Alex

Privacy-preserving KYC on Ethereum Introduction A decentralized KYC-compliant identity Alex

Privacy-preserving KYC on Ethereum Biryukov, Khovratovich, Tikhomirov Privacy-preserving KYC on Ethereum Introduction A decentralized KYC-compliant identity Alex Biryukov, Dmitry Khovratovich, Sergei Tikhomirov Conclusion and future work

828 views • 20 slides
P 4 PCN: Privacy-Preserving Path Probing for Payment Channel Networks Ruozhou Yu, Assistant

P 4 PCN: Privacy-Preserving Path Probing for Payment Channel Networks Ruozhou Yu, Assistant

P 4 PCN: Privacy-Preserving Path Probing for Ruozhou Yu , Yinxin Wan, Vishnu Teja Kilari, Guoliang Xue, Jian Tang, Dejun Yang Payment Channel Networks P 4 PCN: Privacy-Preserving Path Probing for Payment Channel Networks Ruozhou Yu, Assistant

197 views • 5 slides
Privacy-Preserving Publish/Subscribe: Efficient Protocols in a

Privacy-Preserving Publish/Subscribe: Efficient Protocols in a

Privacy-Preserving Publish/Subscribe: Efficient Protocols in a Distributed Model Giovanni Di Crescenzo 1 Brian Coan 1 John Schultz 3 Simon Tsang 1 Rebecca N.

338 views • 14 slides
DPM 2013 Privacy-Preserving Multi-Party Reconciliation Secure in the Malicious Model 8th ACM

DPM 2013 Privacy-Preserving Multi-Party Reconciliation Secure in the Malicious Model 8th ACM

DPM 2013 Privacy-Preserving Multi-Party Reconciliation Secure in the Malicious Model 8th ACM International Workshop on Data Privacy Management 2013 Georg Neugebauer 1 , Lucas Brutschy 1 , Ulrike Meyer 1 and Susanne Wetzel 2 UMIC LuFG IT-Security,

212 views • 17 slides
Privacy-Preserving Statistical Data Analysis on Federated Databases Dan Bogdanov Liina Kamm

Privacy-Preserving Statistical Data Analysis on Federated Databases Dan Bogdanov Liina Kamm

Privacy-Preserving Statistical Data Analysis on Federated Databases Dan Bogdanov Liina Kamm Sven Laur Pille Pruulmann-Vengerfeldt Riivo Talviste Jan Willemson Annual Privacy Forum Athens, Greece May 20, 2014 UaESMC Problem Statement

429 views • 17 slides

More recommend