49 research outputs found
PPS: Privacy-preserving statistics using RFID tags
As RFID applications are entering our daily life, many new
security and privacy challenges arise. However, current research
in RFID security focuses mainly on simple authentication
and privacy-preserving identication. In this paper,
we discuss the possibility of widening the scope of RFID
security and privacy by introducing a new application scenario.
The suggested application consists of computing statistics
on private properties of individuals stored in RFID tags.
The main requirement is to compute global statistics while
preserving the privacy of individual readings. PPS assures
the privacy of properties stored in each tag through the combination
of homomorphic encryption and aggregation at the
readers. Re-encryption is used to prevent tracking of users.
The readers scan tags and forward the aggregate of their
encrypted readings to the back-end server. The back-end
server then decrypts the aggregates it receives and updates
the global statistics accordingly. PPS is provably privacypreserving.
Moreover, tags can be very simple since they are
not required to perform any kind of computation, but only
to store data
Forward Integrity and Crash Recovery for Secure Logs
Logging is a key mechanism in the security of computer
systems. Beyond supporting important forward security properties, it
is critical that logging withstands both failures and intentional
tampering to prevent subtle attacks leaving the system in an
inconsistent state with inconclusive evidence. We propose new
techniques combining forward integrity with crash recovery for
secure log data storage. As the support of forward integrity and
online nature of logging prevent the use of conventional coding, we propose and analyze a coding scheme resolving these unique design
constraints. Specifically, our coding enables forward integrity,
online encoding, and most importantly a constant number of
operations per encoding. It adds a new log item by XORing it to
forward-securely selected cells of a table. If up to a certain
threshold of cells is modified by the adversary, or lost due to a
crash, we still guarantee recovery of all stored log items. The
main advantage of the coding scheme is its efficiency and
compatibility with forward integrity. A key contribution of the
paper is the use of spectral graph theory techniques to prove that
is constant in the number of all log items ever stored and
small in practice, e.g., . Moreover, we prove that to cope
with up to lost log items, storage expansion is
asymptotically constant in and small in practice. For , the
total size of the table is only more than the simple
concatenation of all items. We instantiate our scheme into an
abstract data structure which allows to either detect adversarial
modifications to log items or treat modifications like data loss in
a system crash. The data structure can recover lost log items,
thereby effectively reverting adversarial modifications
Oblivious Substring Search with Updates
We are the first to address the problem of efficient oblivious substring search over encrypted data supporting updates. Our two new protocols SA-ORAM and ST-ORAM obliviously search for substrings in an outsourced set of n encrypted strings. Both protocols are efficient, requiring communication complexity that is only poly-logarithmic in n. Compared to a straightforward solution for substring search using recent “oblivious data structures” [30], we demonstrate that our tailored solutions improve communication complexity by a factor of logn. The idea behind SA-ORAM and ST-ORAM is to employ a new, hierarchical ORAM tree structure that takes advantage of data dependency and optimizes the size of ORAM blocks and tree height. Based on oblivious suffix arrays, SA-ORAM targets efficiency, yet does not allow updates to the outsourced set of strings. ST-ORAM, based on oblivious suffix trees, allows updates at the additional communications cost of a factor of loglogn. We implement and benchmark SA-ORAM to show its feasibility for practical deployments: even for huge datasets of 2^40 strings, an oblivious substring search can be performed with only hundreds of KBytes communication cost
Mixed-Technique Multi-Party Computations Composed of Two-Party Computations
Protocols for secure multi-party computation are commonly composed
of different sub-protocols, combining techniques such as homomorphic
encryption, secret or Boolean sharing, and garbled circuits. In
this paper, we design a new class of multi-party computation
protocols which themselves are composed out of two-party protocols.
We integrate both types of compositions, compositions of fully
homomorphic encryption and garbled circuits with compositions of
multi-party protocols from two-party protocols. As a result, we can
construct communication-efficient protocols for special problems.
Furthermore, we show how to efficiently ensure the security of
composed protocols against malicious adversaries by proving in
zero-knowledge that conversions between individual techniques are
correct. To demonstrate the usefulness of this approach, we give an
example scheme for private set analytics, i.e., private set
disjointness. This scheme enjoys lower communication complexity
than a solution based on generic multi-party computation and lower
computation cost than fully homomorphic encryption. So, our design
is more suitable for deployments in wide-area networks, such as the
Internet, with many participants or problems with circuits of
moderate or high multiplicative depth
Secure Logging with Crash Tolerance
Forward-secure logging protects old log entries in a log file against an adversary compromising the log device. However, we show that previous work on forward-secure logging is prone to crash-attacks where the adversary removes log entries and then crashes the log device. As the state of the log after a crash-attack is indistinguishable from the state after a real crash, e.g., power failure, the adversary can hide attack traces. We present SLiC, a new logging protocol that achieves forward-security against crash-attacks. Our main idea is to decouple the time of a log event with the position of its resulting log entry in the log file. Each event is encrypted and written to a pseudo-random position in the log file. Consequently, the adversary can only remove random log events, but not specific ones. Yet, during forensic analysis, the verifier can replay pseudo-random positions. This allows to distinguish a real crash (last events missing) from a crash-attack (random events missing). Besides a formal analysis, we also present an evaluation of SLiC as a syslog server to indicate its practicality
Private Collaborative Data Cleaning via Non-Equi PSI
We introduce and investigate the privacy-preserving version of collaborative data cleaning. With collaborative data cleaning, two parties want to reconcile their data sets to filter out badly classified, misclassified data items. In the privacy-preserving (private) version of data cleaning, the additional security goal is that parties should only learn their misclassified data items, but nothing else about the other party\u27s data set. The problem of private data cleaning is essentially a variation of private set intersection (PSI), and one could employ recent circuit-PSI techniques to compute misclassifications with privacy. However, we design, analyze, and implement three new protocols tailored to the specifics of private data cleaning that significantly outperform a circuit-PSI-based approach. With the first protocol, we exploit the idea that a small additional leakage (the size of the intersection of data items) allows for runtime and communication improvements of more than one order of magnitude over circuit-PSI. The other two protocols convert the problem of finding a mismatch in data classifications into finding a match, and then follow the standard technique of using oblivious pseudo-random functions (OPRF) for computing PSI. Depending on the number of data classes, this leads to either total runtime or communication improvements of up to two orders of magnitude over circuit-PSI
Strain: A Secure Auction for Blockchains
We present Strain, a new auction protocol running on top of
blockchains and guaranteeing bid confidentiality against
fully-malicious parties. As our goal is efficiency and low
blockchain latency, we abstain from using traditional, highly
interactive MPC primitives such as secret shares. We focus on a
slightly weaker adversary model than MPC which allows Strain to
achieve constant latency in both the number
of parties and the bid length. The main idea behind Strain is a new
maliciously-secure two-party comparison mechanism executed between
any pair of bids in parallel. Using zero-knowledge proofs, Strain
broadcasts the outcome of comparisons on the blockchain in a way
that all parties can verify each outcome. Strain\u27s latency is not
only asymptotically optimal, but also efficient in practice,
requiring a total of just 4 blocks of the underlying blockchain. Strain provides typical auction
security requirements such as non-retractable bids against
fully-malicious adversaries
Constant Communication ORAM with Small Blocksize
There have been several attempts recently at using homomorphic encryption to increase the efficiency of Oblivious RAM protocols. One of the most successful has been Onion ORAM, which achieves O(1) communication overhead with polylogarithmic server computation. However, it has two drawbacks. It requires a large block size of B = Omega(log^6 N) with large constants. Moreover, while it only needs polylogarithmic computation complexity, that computation consists mostly of expensive homomorphic multiplications. In this work, we address these problems and reduce the required block size to
Omega(log^4 N). We remove most of the homomorphic multiplications while maintaining O(1) communication complexity. Our idea is to replace their homomorphic eviction routine with a new, much cheaper permute-and-merge eviction which eliminates homomorphic multiplications and maintains the same level of security. In turn, this removes the need for layered encryption that Onion ORAM relies on and reduces both the minimum block size and server computation