ZQL: a cryptographic compiler for processing private data

ZQL a cryptographic compiler for processing private data. George Danezis Cédric Fournet Markulf Kohlweiss Zhengqin Luo & Alfredo Rial. CraigMu’s review, Feb’12. Data Privacy. Privacy at odds with big data produced, processed, and stored Private data?


Presentation Transcript


ZQL: a cryptographic compiler for processing private data

George Danezis, Cédric Fournet, Markulf Kohlweiss, Zhengqin Luo & Alfredo Rial

CraigMu’s review, Feb’12


Data Privacy

  • Privacy at odds with big data produced, processed, and stored

  • Private data?

    • Personal, medical, financial, legal…

  • A controversial trust issue

    • Show-stopper when deploying new technology

    • High potential for negative press

    • Strong EU regulations

  • Wanted: generic tools for privacy-friendly data processing (as in dolphin-friendly tuna)


Example 1: Smart Metering


Privacy-Preserving Smart Metering

Utility Provider

Smart Meter

variable policy & rates

certified readings (private data)

price to pay + crypto evidence

User, paying her monthly bill

Only the monthly fee needs to be sent back to the utility (not the detailed meter readings)


Example 2: Pay-how-you-drive insurance


Pay-how-you-drive insurance

  • Only the premium needs to be communicated to the insurance company

certified pricing policy

Insurance company

certified location, speed and distance (private data)

fee to pay + crypto evidence

User, paying her insurance fee


Many similar problems

Conflicting goals:

  • Integrity for the verifier

    • Only the correct price can be proved

  • Privacy for the user

    • Concealing meter readings

    • Concealing locations, speed and distance

(Partly) private user data

Public pricing policy


So far, ad hoc cryptographic solutions

  • Bespoke privacy-preserving protocols using a mix of cryptographic mechanisms

    • Linear policies using homomorphic commitments

    • Cumulative policies using zero-knowledge proofs on CL-signatures

    • Penalty-based policies (Pay-how-you-drive) ?

  • Also many protocols for anonymous credentials, e-cash, e-voting

  • These protocols are available today, but they are hard to design, implement, and deploy

    • We cannot involve cryptographers and security experts each time we change the query or revise the service policy!


Goal: private data processing

agreement on a data query

certified public data

    SELECT * FROM … WHERE …

Reliable Data Providers

Service, or Verifier in need of valid results

query results + crypto evidence

certified private data

Client, or Prover in control of her data

  • a high-level language for querying data

  • an optimizing, verifying query compiler

    • selects cryptographic constructions

    • generates code for different platforms

    • verifies its security before deployment


Integrity and Privacy (Ideal)

Trusted Third Party

    SELECT * FROM … WHERE …

“Ok.”

Reliable Data Providers

Service, or Verifier in need of valid results

Client, or Prover in control of her data


ZQL: a language for querying private data

  • SQL [Structured Query Language, 1970—]: a fine declarative domain-specific language for querying relational DBs

  • ZQL [Zero-Knowledge Query Language]: a subset of SQL extended for cryptographic processing

    • privacy annotations

    • random sampling

    • hash, sign,…

    • big numbers for keys, group elements, exponents, …

  • The SQL theory carries over to ZQL, despite unusual data:

    • Useful algebraic properties

    • Efficient evaluation plans and representations (e.g. indexing)


Compiler Architecture

  • data privacy specification

  • T1: …

query expressed in SQL

  • Q(T1…Tn)

queries expressed in SQL+crypto

We generate a query for each participant, with matching I/Os

ZQL compiler

  • Qverify

  • Tsign1

  • Qprove

F# generator

C generator

We emit code for each participant

  • Qv.c

  • Qv.fs

  • T1.c

  • T1.fs

  • ZQL.fs

  • Qp.c

  • Qp.fs

  • crypto.fs

reference high-level code in F#

fast, portable low-level code in C

runtime libraries


Sample SQL query for Smart Metering

Consider billing with a variable-rate linear policy

The source query is:

    Bill :=
      SELECT time, cost = reading * rate
      FROM Meter |><| Policy
      WHERE time in 1/1..31/1/2011

    fee := SUM cost FROM Bill


Inside ZQL: Compiling the metering query

Legend: public rates; public signed data; secret data

  • (1) the meter generates and signs commitments

    Open := SELECT time, reading, opening = RNG() FROM Meter

    Commit := SELECT time, commit = g^reading * h^opening FROM Open

  • (2) the client now computes two sums instead of one

    payment := SUM reading * rate FROM Open |><| Policy

    proof := SUM opening * rate FROM Open |><| Policy

  • (3) the utility checks them against the signed commitments

    g^payment * h^proof =?= PROD commit ^ rate FROM Commit |><| Policy

    g^payment * h^proof
      = g^(SUM (reading * rate)) * h^(SUM (opening * rate))
      = PROD (g^reading * h^opening)^rate
      = PROD commit^rate
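
The three steps above, worked through in Python as an added example (not code from the slides or from the ZQL compiler). The group parameters P, Q, G, H, the function names and the sample readings and rates are assumptions made for this illustration, and the signing of the commitments is left out.

```python
import secrets

# Toy group (constructed for this example): P = 2Q + 1 is a safe prime and
# G, H are squares mod P, so both generate the subgroup of prime order Q.
# A real deployment needs a large group and an H whose discrete log to
# base G is unknown to everyone, otherwise commitments are not binding.
P, Q = 1019, 509
G, H = 4, 9

def commit(reading, opening):
    """Pedersen commitment g^reading * h^opening (one row of Commit)."""
    return pow(G, reading, P) * pow(H, opening, P) % P

def meter(readings):
    """Step 1: the meter draws openings and publishes commitments.
    Returns the Open and Commit tables keyed by time (signing omitted)."""
    open_tbl = {t: (r, secrets.randbelow(Q)) for t, r in readings.items()}
    commit_tbl = {t: commit(r, o) for t, (r, o) in open_tbl.items()}
    return open_tbl, commit_tbl

def client_bill(open_tbl, policy):
    """Step 2: two sums over Open |><| Policy (join on time)."""
    joined = [(r, o, policy[t]) for t, (r, o) in open_tbl.items() if t in policy]
    payment = sum(r * rate for r, _, rate in joined)
    proof = sum(o * rate for _, o, rate in joined) % Q
    return payment, proof

def utility_check(commit_tbl, policy, payment, proof):
    """Step 3: g^payment * h^proof =?= PROD commit^rate."""
    lhs = pow(G, payment, P) * pow(H, proof, P) % P
    rhs = 1
    for t, c in commit_tbl.items():
        if t in policy:
            rhs = rhs * pow(c, policy[t], P) % P
    return lhs == rhs

# Constructed sample data: the readings never leave the client.
READINGS = {1: 3, 2: 5, 3: 2}
POLICY = {1: 10, 2: 20, 3: 15}

def demo():
    open_tbl, commit_tbl = meter(READINGS)
    payment, proof = client_bill(open_tbl, POLICY)
    honest = utility_check(commit_tbl, POLICY, payment, proof)
    cheat = utility_check(commit_tbl, POLICY, payment - 1, proof)
    return payment, honest, cheat

if __name__ == "__main__":
    print(demo())
```

The utility sees only the commitments, the payment and the proof; an under-reported payment fails the check because it no longer matches the product of the committed rows.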


Inside ZQL: Compiling pay-how-you-drive (outline)

This query joins tables on secret columns: we must prove that the join includes rows from the policy tables without revealing which rows we actually use

For each row in a join, the prover generates a zero-knowledge proof of knowledge of a matching signed row in the policy table

    let Over = SELECT over = speed - max FROM GPS |><| SpeedLimit

    let total = SUM points FROM Over |><| Penalty

    let payment = SUM mileage * rate FROM GPS |><| Policy WHERE points = total


Expressiveness & Performance

  • Linear overhead in the number of secrets

    Linear: 128 bytes/row; prove 300,000 row/S; check 90,000 row/S

    Non-Linear: 6586 bytes/row; prove 87 row/S; check 41 row/S

  • Performance dominated by bignum multiplications:

    • We rely on recent extensions of core crypto algorithms (thanks to XCG)

  • When operating on secrets, we support a fragment of SQL

    • Linear expressions

    • Polynomial expressions

    • Table lookups

    • Inequalities

  • Current limitation: The shape of intermediate tables must be public

  • Fresh cryptography: vector commitments for implementing private intermediate tables


Security?

  • T1: …

  • Q(T1…Tn)

ZQL compiler

F# generator

  • Qv.fs

  • T1.fs

  • Qp.fs

  • Our compiler automatically generates complex protocol implementations

    • Hard to test or review

    • How can the user tell whetherher privacy is preserved?

  • Our compiler then calls independent, automated tools to verify that these implementations are secure

    • Privacy: the service learns nothing more than the query result

    • Integrity: the user can build evidence only for the correct result


Security Verification (2003—)

  • We develop a cryptographic verification kit for new protocol implementations [with A.D. Gordon, K. Bhargavan]

    • Tools: ProVerif, FS2PV, FS2CV, F7, F*…

    • Mostly for F#, with experiments for C and C#

  • We automatically verify large implementations against precise cryptographic assumptions

    • Probabilistic security: “no secret information flows to the adversary”

    • Computational security: “except with a negligible probability, no adversary can…”

  • Verification case studies:

    • TLS 1.2 Internet Standard [with MSR-INRIA]; web services security

    • DKM for cloud data [with T. Acar, D. Shumow] deployed on MS datacenters

    • TPM2 [with P. England, D. Wooten, F. Dupressoir, and RISE] shipping with Win8


Towards a certifying ZQL Compiler

query expressed in SQL

  • T1: …

  • Q(T1…Tn)

We generate proof goals and type annotations to keep track of query evaluations

ZQL compiler

F7 generator

F# generator

  • ZQL.fs7

  • Qv.fs

  • T1.fs

  • Qv.fs7

  • T1.fs7

  • Crypto.fs7

  • Qp.fs

  • Qp.fs7

typed specification in F7

reference implementation in F#

We use F7 to automatically prove that implementations conform with their specifications

F7 typing

We get either a compile-time error (bug) or strong integrity & privacy theorems


ZQL: Privacy-Friendly Data Processing

  • With ZQL, clients process their own private data & services still get correct results

  • Programmers specify their SQL queries & privacy goals; we compile them into zero-knowledge protocols

  • The security of fresh crypto implementations can be automatically verified (at compile-time) under standard security assumptions

