Universally Composable and Privacy-Preserving Audit Logs Using Bulletin Board. Anna Kaplan, Zcash Foundation & Technical University of Munich. Joint work with Jan Camenisch, Manu Drijvers, and Maria Dubovitskaya (all at DFINITY). Work was conducted while all were at IBM Research Zurich. 1
2 https://pixabay.com/images/search/accounting/
Data identifier and data details: 01.04. 52 € from André; 02.04. -59 € to Lea; KAPLAN … 0419 3
User i, User j. Data identifier and data details: 01.04. 52 € from André; 02.04. -59 € to Lea; KAPLAN … 0419 4
User i, User j. Data identifier and data details: 01.04. 52 € from André; 02.04. -59 € to Lea; KAPLAN … 0419. Log table: Time | User 1 | User 2 | User 3; 2/17/2018 13:06:11 | data identifier | data identifier | record session; … | … | … | … 5
How to construct such a protocol in a good manner? Modular cryptographic design, e.g. the Universal Composability framework by Canetti '01 6
Theoretic background: Universal Composability. PROVING A PROTOCOL SECURE (Canetti '01). Ideal world: Environment E interacts with the ideal functionality F and the simulator S. Real world: Environment E interacts with the protocol π and the adversary A. 7
Theoretic background: Universal Composability. PROVING A PROTOCOL SECURE (Canetti '01). Ideal world: Environment E, functionality F, simulator S. Real world: Environment E, protocol π, adversary A. Proving a protocol secure means both worlds should be indistinguishable (ideal world ≈ real world). 8
Theoretic background: Universal Composability. PROVING A PROTOCOL SECURE (Canetti '01). Ideal world: Environment E, functionality F, simulator S. Real world: Environment E, protocol π, adversary A. Proving a protocol secure means both worlds should be indistinguishable. Let π and F be ppt protocols. We show that for any ppt adversary A there exists a ppt adversary S s.t. for any ppt environment E we have: EXEC_{F,S,E} ≈ EXEC_{π,A,E} 9
Theoretic background: Universal Composability. COMPOSITION (Canetti '01). Ideal world: Environment E, functionality F, simulator S. Real world: Environment E, protocol π running in the (F', F'', F''')-hybrid model, adversary A. The sub-functionality F' may be replaced by a protocol ϕ that realizes it (ϕ ≈ F'), and π remains secure (π in the hybrid model with ϕ in place of F'). 10
Theoretic background: Universal Composability. GENERALIZED AND EXTENDED UC (Canetti et al. '07). As before (ideal world with F and S, real world with π in the (F', F'', F''')-hybrid model and A, ϕ ≈ F'), but both worlds additionally share a global functionality G, which the environment can also access. 11
Defining security 12
What security properties should our system follow? Transaction privacy, Record integrity, Transaction authentication, Auditor authorization, Transaction timestamping, Auditing correctness, Transaction uniqueness 13
How is this related to the security properties? Transaction privacy, Transaction authentication, Transaction timestamping, Transaction uniqueness, Record integrity, Auditor authorization, Auditing correctness 14
Providing a protocol 15
Building a scheme – very simplified! Two cryptographic hash functions: H and Ĥ. Parties: user U_i with keys (sk_i, pk_i), user U_j with keys (sk_j, pk_j), and a blockchain that timestamps entries. A record consists of record id, data id, data. 16
Building a scheme – very simplified! Two cryptographic hash functions: H and Ĥ. RECORD: U_i computes tag = H(data id)^{sk_i} and data tag = Ĥ(data ║ Ĥ(data id)^{sk_i}) and posts (tag, data tag) to the blockchain, which stores the entry under a record id together with a timestamp. 17
Building a scheme – very simplified! Two cryptographic hash functions: H and Ĥ. RECORD: tag = H(data id)^{sk_i}, data tag = Ĥ(data ║ Ĥ(data id)^{sk_i}), posted to the blockchain with a timestamp and record id. AUDIT: U_i recomputes tag = H(data id)^{sk_i} and u = Ĥ(data id)^{sk_i} and sends (tag, u, π, data) to the auditor U_j, where π = NIZK{(sk_i): tag = H(data id)^{sk_i} ∧ u = Ĥ(data id)^{sk_i} ∧ pk_i = g^{sk_i}}. The auditor looks up tag on the blockchain (obtaining timestamp and record id) and checks: Only one entry for tag? Is the corresponding data tag' = Ĥ(data ║ u) correct? Is the corresponding timestamp correct? 18
Building a scheme – very simplified! Two cryptographic hash functions: H and Ĥ. RECORD and AUDIT as on the previous slide, now with the ideal functionalities the protocol relies on: F_ro1 and F_ro2 (random oracles for H and Ĥ), F_crs (common reference string), F_ca (certification authority), F_smt (secure message transmission, between user and auditor), F_bb (bulletin board, i.e. the blockchain), and G_refClock (global reference clock for timestamps). 19
Building a scheme more formally: the protocol is built in the (F_ro1, F_ro2, F_ca, F_crs, F_smt, F_bb, G_refClock)-hybrid model. 20
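A toy instantiation of the RECORD and AUDIT steps from the scheme slides, added here as an example; it is not the authors' Java/AMCL code. It stands in a safe-prime subgroup of Z_p^* for BN256, uses a Schnorr proof with Fiat-Shamir as the NIZK (the instantiation named on the implementation slide), a Python list as the bulletin board, and keys and nonces derived deterministically from labels so it runs offline; the transactions in the usage below are constructed.

```python
import hashlib
# Group: the order-Q subgroup of Z_P^* for a safe prime P = 2Q+1 found at start-up (toy size,
# stands in for BN256). H / Hhat are domain-separated hash-to-group maps; NIZK = Schnorr + Fiat-Shamir.
SMALL = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
def is_prime(n):  # Miller-Rabin; with these 12 fixed bases it is deterministic for all n < 3e23
    if n < 2 or any(n % s == 0 for s in SMALL): return n in SMALL
    d, r = n - 1, 0
    while d % 2 == 0: d, r = d // 2, r + 1
    for a in SMALL:
        x = pow(a, d, n)
        if x in (1, n - 1): continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1: break
        else: return False
    return True

Q = next(q for q in range(2**60 + 1, 2**61, 2) if is_prime(q) and is_prime(2 * q + 1))
P, G = 2 * Q + 1, 4  # 4 is a square mod P, so it generates the order-Q subgroup

def hash_to_group(label, msg):  # digest mod P, then squared: lands in the order-Q subgroup
    return pow(int.from_bytes(hashlib.sha256(label + msg).digest(), "big") % P, 2, P)
def hash_int(*parts):  # Fiat-Shamir challenge (and the deterministic nonce below), reduced mod Q
    return int.from_bytes(hashlib.sha256(repr(parts).encode()).digest(), "big") % Q
def data_tag(data, u):  # Hhat(data || u) with u = Hhat(data id)^sk
    return hashlib.sha256(b"Hhat" + data + u.to_bytes(8, "big")).hexdigest()

def record(board, sk, data_id, data, timestamp):
    """RECORD: user U_i posts (tag, data tag); the board adds record id and timestamp."""
    tag = pow(hash_to_group(b"H", data_id), sk, P)
    u = pow(hash_to_group(b"Hhat", data_id), sk, P)
    board.append({"record_id": len(board), "time": timestamp, "tag": tag, "data_tag": data_tag(data, u)})

def audit_prove(sk, pk, data_id):
    """AUDIT, user side: reveal u and prove tag = H(id)^sk, u = Hhat(id)^sk, pk = g^sk for one sk."""
    h1, h2 = hash_to_group(b"H", data_id), hash_to_group(b"Hhat", data_id)
    tag, u = pow(h1, sk, P), pow(h2, sk, P)
    r = hash_int("nonce", sk, data_id)  # deterministic nonce for reproducibility; real provers draw it fresh
    commits = (pow(h1, r, P), pow(h2, r, P), pow(G, r, P))
    return tag, u, (commits, (r + hash_int(data_id, tag, u, pk, commits) * sk) % Q)

def audit_verify(board, pk, data_id, data, tag, u, proof, claimed_time):
    """AUDIT, auditor side: check the NIZK, then the three questions from the slide against the board."""
    commits, z = proof
    c = hash_int(data_id, tag, u, pk, commits)
    bases = (hash_to_group(b"H", data_id), hash_to_group(b"Hhat", data_id), G)
    if any(pow(b, z, P) != a * pow(y, c, P) % P for b, y, a in zip(bases, (tag, u, pk), commits)):
        return False  # proof does not verify: tag and u are not bound to pk
    entries = [e for e in board if e["tag"] == tag]
    return (len(entries) == 1                                # only one entry for tag?
            and entries[0]["data_tag"] == data_tag(data, u)  # is the corresponding data tag' correct?
            and entries[0]["time"] == claimed_time)          # is the corresponding timestamp correct?
```

The auditor learns nothing from the board alone: without u it cannot link tag to data, and a second user's key yields a different tag that is not on the board, so a proof under the wrong key fails the uniqueness check.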
How to prove that ideal and real world are indistinguishable 21
Proving security. Ideal world: Environment E, functionality F, simulator S, global functionality G. Real world: Environment E, protocol π in the (F', F'', …)-hybrid model (with ϕ ≈ F'), adversary A, global functionality G. 22
Proving security by a sequence of games. Game 1 (real world): Environment E, the protocol, adversary A, hybrid functionality F, global G. Game 2: Environment E, simulator S, F, G. Game 3: Environment E, functionality F with simulator S, G. Game 4 (ideal world): Environment E, functionality F, simulator S, G. Each step replaces protocol components by the simulator until the ideal world is reached. 23
Our result: Protocol π_audit EUC-realizes the ideal functionality F_laudit with static corruptions and a leakage function l: {0,1}* → {0,1}* in the (G_refClock, F_dcrs, F_ca, F_lsmt, F_bb)-hybrid model, provided that NIZK is a zero-knowledge and simulation-sound proof of knowledge, and that the DL-assumption holds in G. 24
Implementation and further research 25
Implementation: as a feature for Identity Mixer in Hyperledger Fabric, on the Client SDK in Java, with the use of the Apache Milagro Crypto Library (AMCL). Instantiating NIZKs: Schnorr's protocol with the Fiat-Shamir heuristic on the elliptic curve BN256 (Schnorr '91, Fiat and Shamir '86, Barreto and Naehrig '05). Test on a 2-core Intel machine with i5-7200U 2.5 GHz CPU and 8 GB RAM, time in milliseconds: Full Identity Mixer benchmark test on signing and auditing: 229.6; Identity Mixer benchmark test on signing: 35.5; Identity Mixer benchmark test on auditing: 10.4. For AMCL: https://github.com/miracl/amcl 26
Conclusion and further problems: Switching to a global strict observable programmable random oracle? (Camenisch et al. '18) Construction without random oracle? Different implementation with Rust, a different blockchain or a different NIZK? Extending the security model with a request by the auditor? 27
References. Barreto, Paulo S. L. M., and Michael Naehrig. "Pairing-friendly elliptic curves of prime order." International Workshop on Selected Areas in Cryptography. Springer, Berlin, Heidelberg, 2005. Camenisch, Jan, et al. "The Wonderful World of Global Random Oracles." Annual International Conference on the Theory and Applications of Cryptographic Techniques. Springer, Cham, 2018. Canetti, Ran. "Universally composable security: A new paradigm for cryptographic protocols." Foundations of Computer Science, 2001. Proceedings. 42nd IEEE Symposium on. IEEE, 2001. Canetti, Ran, et al. "Universally composable security with global setup." Theory of Cryptography Conference. Springer, Berlin, Heidelberg, 2007. Fiat, Amos, and Adi Shamir. "How to prove yourself: Practical solutions to identification and signature problems." Advances in Cryptology – CRYPTO '86. Springer, Berlin, Heidelberg, 1986. Apache Milagro Crypto Library: https://github.com/miracl/amcl. Schnorr, Claus-Peter. "Efficient signature generation by smart cards." Journal of Cryptology 4.3 (1991): 161-174. 28
Outline: Motivation: Auditing and universal composability; Defining security; Providing a protocol; How to prove – a sketch; Implementation and further research 29
Thank you very much and come talk to me, here or @Zcon1! Anna Kaplan (anna.kaplan@tum.de), Zcash Foundation & Technical University of Munich 30