112 research outputs found
SoK: Privacy-Enhancing Technologies in Finance
Recent years have seen the emergence of practical advanced cryptographic tools that not only protect data privacy and authenticity, but also allow for jointly processing data from different institutions without sacrificing privacy. The ability to do so has enabled implementations a number of traditional and decentralized financial applications that would have required sacrificing privacy or trusting a third party. The main catalyst of this revolution was the advent of decentralized cryptocurrencies that use public ledgers to register financial transactions, which must be verifiable by any third party, while keeping sensitive data private. Zero Knowledge (ZK) proofs rose to prominence as a solution to this challenge, allowing for the owner of sensitive data (e.g. the identities of users involved in an operation) to convince a third party verifier that a certain operation has been correctly executed without revealing said data. It quickly became clear that performing arbitrary computation on private data from multiple sources by means of secure Multiparty Computation (MPC) and related techniques allows for more powerful financial applications, also in traditional finance.
In this SoK, we categorize the main traditional and decentralized financial applications that can benefit from state-of-the-art Privacy-Enhancing Technologies (PETs) and identify design patterns commonly used when applying PETs in the context of these applications. In particular, we consider the following classes of applications: 1. Identity Management, KYC & AML; and 2. Markets & Settlement; 3. Legal; and 4. Digital Asset Custody. We examine how ZK proofs, MPC and related PETs have been used to tackle the main security challenges in each of these applications. Moreover, we provide an assessment of the technological readiness of each PET in the context of different financial applications according to the availability of: theoretical feasibility results, preliminary benchmarks (in scientific papers) or benchmarks achieving real-world performance (in commercially deployed solutions). Finally, we propose future applications of PETs as Fintech solutions to currently unsolved issues. While we systematize financial applications of PETs at large, we focus mainly on those applications that require privacy preserving computation on data from multiple parties
Challenges in Cybersecurity and Privacy - the European Research Landscape
Cybersecurity and Privacy issues are becoming an important barrier for a trusted and dependable global digital society development. Cyber-criminals are continuously shifting their cyber-attacks specially against cyber-physical systems and IoT, since they present additional vulnerabilities due to their constrained capabilities, their unattended nature and the usage of potential untrustworthiness components. Likewise, identity-theft, fraud, personal data leakages, and other related cyber-crimes are continuously evolving, causing important damages and privacy problems for European citizens in both virtual and physical scenarios. In this context, new holistic approaches, methodologies, techniques and tools are needed to cope with those issues, and mitigate cyberattacks, by employing novel cyber-situational awareness frameworks, risk analysis and modeling, threat intelligent systems, cyber-threat information sharing methods, advanced big-data analysis techniques as well as exploiting the benefits from latest technologies such as SDN/NFV and Cloud systems. In addition, novel privacy-preserving techniques, and crypto-privacy mechanisms, identity and eID management systems, trust services, and recommendations are needed to protect citizens’ privacy while keeping usability levels. The European Commission is addressing the challenge through different means, including the Horizon 2020 Research and Innovation program, thereby financing innovative projects that can cope with the increasing cyberthreat landscape. This book introduces several cybersecurity and privacy research challenges and how they are being addressed in the scope of 15 European research projects. Each chapter is dedicated to a different funded European Research project, which aims to cope with digital security and privacy aspects, risks, threats and cybersecurity issues from a different perspective. Each chapter includes the project’s overviews and objectives, the particular challenges they are covering, research achievements on security and privacy, as well as the techniques, outcomes, and evaluations accomplished in the scope of the EU project. The book is the result of a collaborative effort among relative ongoing European Research projects in the field of privacy and security as well as related cybersecurity fields, and it is intended to explain how these projects meet the main cybersecurity and privacy challenges faced in Europe. Namely, the EU projects analyzed in the book are: ANASTACIA, SAINT, YAKSHA, FORTIKA, CYBECO, SISSDEN, CIPSEC, CS-AWARE. RED-Alert, Truessec.eu. ARIES, LIGHTest, CREDENTIAL, FutureTrust, LEPS. Challenges in Cybersecurity and Privacy - the European Research Landscape is ideal for personnel in computer/communication industries as well as academic staff and master/research students in computer science and communications networks interested in learning about cyber-security and privacy aspects
Challenges in Cybersecurity and Privacy - the European Research Landscape
Cybersecurity and Privacy issues are becoming an important barrier for a trusted and dependable global digital society development. Cyber-criminals are continuously shifting their cyber-attacks specially against cyber-physical systems and IoT, since they present additional vulnerabilities due to their constrained capabilities, their unattended nature and the usage of potential untrustworthiness components. Likewise, identity-theft, fraud, personal data leakages, and other related cyber-crimes are continuously evolving, causing important damages and privacy problems for European citizens in both virtual and physical scenarios. In this context, new holistic approaches, methodologies, techniques and tools are needed to cope with those issues, and mitigate cyberattacks, by employing novel cyber-situational awareness frameworks, risk analysis and modeling, threat intelligent systems, cyber-threat information sharing methods, advanced big-data analysis techniques as well as exploiting the benefits from latest technologies such as SDN/NFV and Cloud systems. In addition, novel privacy-preserving techniques, and crypto-privacy mechanisms, identity and eID management systems, trust services, and recommendations are needed to protect citizens’ privacy while keeping usability levels. The European Commission is addressing the challenge through different means, including the Horizon 2020 Research and Innovation program, thereby financing innovative projects that can cope with the increasing cyberthreat landscape. This book introduces several cybersecurity and privacy research challenges and how they are being addressed in the scope of 15 European research projects. Each chapter is dedicated to a different funded European Research project, which aims to cope with digital security and privacy aspects, risks, threats and cybersecurity issues from a different perspective. Each chapter includes the project’s overviews and objectives, the particular challenges they are covering, research achievements on security and privacy, as well as the techniques, outcomes, and evaluations accomplished in the scope of the EU project. The book is the result of a collaborative effort among relative ongoing European Research projects in the field of privacy and security as well as related cybersecurity fields, and it is intended to explain how these projects meet the main cybersecurity and privacy challenges faced in Europe. Namely, the EU projects analyzed in the book are: ANASTACIA, SAINT, YAKSHA, FORTIKA, CYBECO, SISSDEN, CIPSEC, CS-AWARE. RED-Alert, Truessec.eu. ARIES, LIGHTest, CREDENTIAL, FutureTrust, LEPS. Challenges in Cybersecurity and Privacy - the European Research Landscape is ideal for personnel in computer/communication industries as well as academic staff and master/research students in computer science and communications networks interested in learning about cyber-security and privacy aspects
To Pass or Not to Pass: Privacy-Preserving Physical Access Control
Anonymous or attribute-based credential (ABC) systems are a versatile and important cryptographic tool to achieve strong access control guarantees while simultaneously respecting the privacy of individuals. A major problem in the practical adoption of ABCs is their transferability, i.e., such credentials can easily be duplicated, shared or lent. One way to counter this problem is to tie ABCs to biometric features of the credential holder and to require biometric verification on every use. While this is certainly not a viable solution for all ABC use-cases, there are relevant and timely use-cases, such as vaccination credentials as widely deployed during the COVID-19 pandemic. In such settings, ABCs that are tied to biometrics, which we call Biometric-Bound Attribute-Based Credentials (bb-ABC), allow to implement scalable and privacy-friendly systems to control physical access to (critical) infrastructure and facilities.
While there are some previous works on bb-ABC in the literature, the state of affairs is not satisfactory. Firstly, in existing work the problem is treated in a very abstract way when it comes to the actual type of biometrics. Thus, it does not provide concrete solutions which allow for assessing their practicality when deployed in a real-world setting. Secondly, there is no formal model which rigorously captures bb-ABC systems and their security requirements, making it hard to assess their security guarantees. With this work we overcome these limitations and provide a rigorous formalization of bb-ABC systems. Moreover, we introduce two generic constructions which offer different trade-offs between efficiency and trust assumptions, and provide benchmarks from a concrete instantiation of such a system using facial biometrics. The latter represents a contact-less biometric feature that provides acceptable accuracy and seems particularly suitable to the above use-case
Distributed Cryptographic Protocols
[ES] La confianza es la base de las sociedades modernas. Sin embargo, las relaciones basadas en confianza son difĂciles de establecer y pueden ser explotadas
fácilmente con resultados devastadores. En esta tesis exploramos el uso
de protocolos criptográficos distribuidos para construir sistemas confiables
donde la confianza se vea reemplazada por garantĂas matemáticas y criptográficas. En estos nuevos sistemas dinámicos, incluso si una de las partes
se comporta de manera deshonesta, la integridad y resiliencia del sistema
están garantizadas, ya que existen mecanismos para superar este tipo de
situaciones. Por lo tanto, hay una transiciĂłn de sistemas basados en la confianza, a esquemas donde esta misma confianza es descentralizada entre un
conjunto de individuos o entidades. Cada miembro de este conjunto puede ser
auditado, y la verificaciĂłn universal asegura que todos los usuarios puedan
calcular el estado final en cada uno de estos métodos, sin comprometer la
privacidad individual de los usuarios.
La mayorĂa de los problemas de colaboraciĂłn a los que nos enfrentamos
como sociedad, pueden reducirse a dos grandes dilemas: el votar una propuesta, o un representante polĂtico, Ăł identificarnos a nosotros mismos como
miembros de un colectivo con derecho de acceso a un recurso o servicio. Por
ello, esta tesis doctoral se centra en los protocolos criptográficos distribuidos
aplicados al voto electrĂłnico y la identificaciĂłn anĂłnima.
Hemos desarrollado tres protocolos para el voto electrónico que complementan y mejoran a los métodos más tradicionales, y además protegen la
privacidad de los votantes al mismo tiempo que aseguran la integridad del
proceso de voto. En estos sistemas, hemos empleado diferentes mecanismos
criptográficos que proveen, bajo diferentes asunciones, de las propiedades de
seguridad que todo sistema de voto debe tener. Algunos de estos sistemas son
seguros incluso en escenarios pos-cuánticos. También hemos calculado minuciosamente la complejidad temporal de los métodos para demostrar que son
eficientes y factibles de ser implementados. Además, hemos implementado
algunos de estos sistemas, o partes de ellos, y llevado a cabo una detallada
experimentaciĂłn para demostrar el potencial de nuestras contribuciones.
Finalmente, estudiamos en detalle el problema de la identificación y proponemos tres métodos no interactivos y distribuidos que permiten el registro
y acceso anĂłnimo. Estos protocolos son especialmente ligeros y agnĂłsticos
en su implementaciĂłn, lo que permite que puedan ser integrados con mĂşltiples propĂłsitos. Hemos formalizado y demostrado la seguridad de nuestros
protocolos de identificaciĂłn, y hemos realizado una implementaciĂłn completa
de ellos para, una vez más, demostrar la factibilidad y eficiencia de las soluciones propuestas. Bajo este marco teórico de identificación, somos capaces
de asegurar el recurso custodiado, sin que ello suponga una violaciĂłn para el
anonimato de los usuarios.[CA] La confiança Ă©s la base de les societats modernes. No obstant això, les relacions basades en confiança sĂłn difĂcils d’establir i poden ser explotades fĂ cilment amb resultats devastadors. En aquesta tesi explorem l’ús de protocols
criptogrà fics distribuïts per a construir sistemes de confiança on la confiança es veja reemplaçada per garanties matemà tiques i criptogrà fiques. En
aquests nous sistemes dinĂ mics, fins i tot si una de les parts es comporta
de manera deshonesta, la integritat i resiliència del sistema estan garantides,
ja que existeixen mecanismes per a superar aquest tipus de situacions. Per
tant, hi ha una transició de sistemes basats en la confiança, a esquemes on
aquesta acarona confiança és descentralitzada entre un conjunt d’individus o
entitats. Cada membre d’aquest conjunt pot ser auditat, i la verificació universal assegura que tots els usuaris puguen calcular l’estat final en cadascun
d’aquests mètodes, sense comprometre la privacitat individual dels usuaris.
La majoria dels problemes de colĹŻlaboraciĂł als quals ens enfrontem com
a societat, poden reduir-se a dos grans dilemes: el votar una proposta, o un
representant polĂtic, o identificar-nos a nosaltres mateixos com a membres
d’un colůlectiu amb dret d’accés a un recurs o servei. Per això, aquesta tesi
doctoral se centra en els protocols criptogrĂ fics distribuĂŻts aplicats al vot
electrònic i la identificació anònima.
Hem desenvolupat tres protocols per al vot electrònic que complementen
i milloren als mètodes més tradicionals, i a més protegeixen la privacitat
dels votants al mateix temps que asseguren la integritat del procés de vot.
En aquests sistemes, hem emprat diferents mecanismes criptogrĂ fics que
proveeixen, baix diferents assumpcions, de les propietats de seguretat que
tot sistema de vot ha de tindre. Alguns d’aquests sistemes són segurs fins i tot en escenaris post-quà ntics. També hem calculat minuciosament la complexitat temporal dels mètodes per a demostrar que són eficients i factibles
de ser implementats. A més, hem implementats alguns d’aquests sistemes, o
parts d’ells, i dut a terme una detallada experimentació per a demostrar la
potencial de les nostres contribucions.
Finalment, estudiem detalladament el problema de la identificació i proposem tres mètodes no interactius i distribuïts que permeten el registre i
accés anònim. Aquests protocols són especialment lleugers i agnòstics en
la seua implementaciĂł, la qual cosa permet que puguen ser integrats amb
múltiples propòsits. Hem formalitzat i demostrat la seguretat dels nostres
protocols d’identificació, i hem realitzat una implementació completa d’ells
per a, una vegada més, demostrar la factibilitat i eficiència de les solucions
proposades. Sota aquest marc teòric d’identificació, som capaces d’assegurar
el recurs custodiat, sense que això supose una violació per a l’anonimat dels
usuaris.[EN] Trust is the base of modern societies. However, trust is difficult to achieve
and can be exploited easily with devastating results. In this thesis, we explore the use of distributed cryptographic protocols to build reliable systems
where trust can be replaced by cryptographic and mathematical guarantees.
In these adaptive systems, even if one involved party acts dishonestly, the
integrity and robustness of the system can be ensured as there exist mechanisms to overcome these scenarios. Therefore, there is a transition from
systems based in trust, to schemes where trust is distributed between decentralized parties. Individual parties can be audited, and universal verifiability
ensures that any user can compute the final state of these methods, without
compromising individual users’ privacy.
Most collaboration problems we face as societies can be reduced to two
main dilemmas: voting on a proposal or electing political representatives,
or identifying ourselves as valid members of a collective to access a service
or resource. Hence, this doctoral thesis focuses on distributed cryptographic
protocols for electronic voting and anonymous identification.
We have developed three electronic voting schemes that enhance traditional methods, and protect the privacy of electors while ensuring the integrity of the whole election. In these systems, we have employed different
cryptographic mechanisms, that fulfill all the desired security properties of
an electronic voting scheme, under different assumptions. Some of them are
secure even in post-quantum scenarios. We have provided a detailed time-complexity analysis to prove that our proposed methods are efficient and
feasible to implement. We also implemented some voting protocols, or parts
of them, and carried out meticulous experimentation to show the potential of our contributions.
Finally, we study in detail the identification problem and propose three
distributed and non-interactive methods for anonymous registration and access. These three protocols are especially lightweight and application agnostic, making them feasible to be integrated with many purposes. We formally
analyze and demonstrate the security of our identification protocols, and
provide a complete implementation of them to once again show the feasibility and effectiveness of the developed solutions. Using this identification
framework, we can ensure the security of the guarded resource, while also
preserving the anonymity of the users.Larriba Flor, AM. (2023). Distributed Cryptographic Protocols [Tesis doctoral]. Universitat Politècnica de València. https://doi.org/10.4995/Thesis/10251/19810
Modern Socio-Technical Perspectives on Privacy
This open access book provides researchers and professionals with a foundational understanding of online privacy as well as insight into the socio-technical privacy issues that are most pertinent to modern information systems, covering several modern topics (e.g., privacy in social media, IoT) and underexplored areas (e.g., privacy accessibility, privacy for vulnerable populations, cross-cultural privacy). The book is structured in four parts, which follow after an introduction to privacy on both a technical and social level: Privacy Theory and Methods covers a range of theoretical lenses through which one can view the concept of privacy. The chapters in this part relate to modern privacy phenomena, thus emphasizing its relevance to our digital, networked lives. Next, Domains covers a number of areas in which privacy concerns and implications are particularly salient, including among others social media, healthcare, smart cities, wearable IT, and trackers. The Audiences section then highlights audiences that have traditionally been ignored when creating privacy-preserving experiences: people from other (non-Western) cultures, people with accessibility needs, adolescents, and people who are underrepresented in terms of their race, class, gender or sexual identity, religion or some combination. Finally, the chapters in Moving Forward outline approaches to privacy that move beyond one-size-fits-all solutions, explore ethical considerations, and describe the regulatory landscape that governs privacy through laws and policies. Perhaps even more so than the other chapters in this book, these chapters are forward-looking by using current personalized, ethical and legal approaches as a starting point for re-conceptualizations of privacy to serve the modern technological landscape. The book’s primary goal is to inform IT students, researchers, and professionals about both the fundamentals of online privacy and the issues that are most pertinent to modern information systems. Lecturers or teacherscan assign (parts of) the book for a “professional issues” course. IT professionals may select chapters covering domains and audiences relevant to their field of work, as well as the Moving Forward chapters that cover ethical and legal aspects. Academicswho are interested in studying privacy or privacy-related topics will find a broad introduction in both technical and social aspects
- …