
ZQL a cryptographic compiler for processing private data

George Danezis, Cédric Fournet, Markulf Kohlweiss, Zhengqin Luo & Alfredo Rial. CraigMu’s review, Feb’12.


Presentation Transcript


  1. ZQL: a cryptographic compiler for processing private data • George Danezis, Cédric Fournet, Markulf Kohlweiss, Zhengqin Luo & Alfredo Rial • CraigMu’s review, Feb’12

  2. Data Privacy • Privacy at odds with big data produced, processed, and stored • Private data? • Personal, medical, financial, legal… • A controversial trust issue • Show-stopper when deploying new technology • High potential for negative press • Strong EU regulations • Wanted: generic tools for privacy-friendly data processing (as in dolphin-friendly tuna)

  3. Example 1: Smart Metering

  4. Privacy-Preserving Smart Metering • Diagram: Utility Provider; Smart Meter; User, paying her monthly bill; flows: variable policy & rates, certified readings (private data), price to pay + crypto evidence • Only the monthly fee needs to be sent back to the utility (not the detailed meter readings)

  5. Example 2: Pay-how-you-drive insurance

  6. Example 2: Pay-how-you-drive insurance

  7. Example 2: Pay-how-you-drive insurance (…)

  8. Pay-how-you-drive insurance • Only the premium needs to be communicated to the insurance company • Diagram: Insurance company; User, paying her insurance fee; flows: certified pricing policy, certified location, speed and distance (private data), fee to pay + crypto evidence

  9. Many similar problems • (Partly) private user data • Public pricing policy • Conflicting goals: • Integrity for the verifier • Only the correct price can be proved • Privacy for the user • Concealing meter readings • Concealing locations, speed and distance

  10. So far, ad hoc cryptographic solutions • Bespoke privacy-preserving protocols using a mix of cryptographic mechanisms • Linear policies using homomorphic commitments • Cumulative policies using zero-knowledge proofs on CL-signatures • Penalty-based policies (Pay-how-you-drive)? • Also many protocols for anonymous credentials, e-cash, e-voting • These protocols are available today, but they are hard to design, implement, and deploy • We cannot involve cryptographers and security experts each time we change the query or revise the service policy!

  11. Goal: private data processing • Agreement on a data query: SELECT * FROM … WHERE … • Diagram: Reliable Data Providers; Service, or Verifier, in need of valid results; Client, or Prover, in control of her data; flows: certified public data, certified private data, query results + crypto evidence • a high-level language for querying data • an optimizing, verifying query compiler • selects cryptographic constructions • generates code for different platforms • verifies its security before deployment

  12. Integrity and Privacy (Ideal) • Trusted Third Party • SELECT * FROM … WHERE … • “Ok.” • Diagram: Reliable Data Providers; Service, or Verifier, in need of valid results; Client, or Prover, in control of her data

  13. ZQL: a language for querying private data • SQL [Structured Query Language, 1970—]: a fine declarative domain-specific language for querying relational DBs • ZQL [Zero-Knowledge Query Language]: a subset of SQL extended for cryptographic processing • privacy annotations • random sampling • hash, sign, … • big numbers for keys, group elements, exponents, … • The SQL theory carries over to ZQL, despite unusual data: • Useful algebraic properties • Efficient evaluation plans and representations (e.g. indexing)

  14. Compiler Architecture • Source: data privacy specification (T1: …) and query expressed in SQL (Q(T1…Tn)) • ZQL compiler: we generate a query for each participant, with matching I/Os • Queries expressed in SQL+crypto: Qverify, Tsign1, Qprove • F# generator and C generator: we emit code for each participant • Emitted files: Qv.c, Qv.fs, T1.c, T1.fs, ZQL.fs, Qp.c, Qp.fs, crypto.fs (reference high-level code in F#; fast, portable low-level code in C; runtime libraries)

  15. Sample SQL query for Smart Metering • Consider billing with a variable-rate linear policy • The source query is: • Bill := SELECT time, cost = reading * rate FROM Meter |><| Policy WHERE time in 1/1..31/1/2011 • fee := SUM cost FROM Bill

  16. Inside ZQL: Compiling the metering query • Legend: public rates; public signed data; secret data • (1) the meter generates and signs commitments: • Open := SELECT time, reading, opening = RNG() FROM Meter • Commit := SELECT time, commit = g^reading * h^opening FROM Open • (2) the client now computes two sums instead of one: • payment := SUM reading * rate FROM Open |><| Policy • proof := SUM opening * rate FROM Open |><| Policy • (3) the utility checks them against the signed commitments: • g^payment * h^proof =?= PROD commit ^ rate FROM Commit |><| Policy • Why the check holds: g^payment * h^proof = g^(SUM (reading * rate)) * h^(SUM (opening * rate)) = PROD (g^reading * h^opening)^rate = PROD commit^rate

  17. Inside ZQL: Compiling pay-how-you-drive (outline) • This query joins tables on secret columns: we must prove that the join includes rows from the policy tables without revealing which rows we actually use • let Over = SELECT over = speed - max FROM GPS |><| SpeedLimit • let total = SUM points FROM Over |><| Penalty • let payment = SUM mileage * rate FROM GPS |><| Policy WHERE points = total

  18. Inside ZQL: Compiling pay-how-you-drive (outline) • This query joins tables on secret columns: we must prove that the join includes rows from the policy tables without revealing which rows we actually use • For each row in a join, the prover generates a zero-knowledge proof of knowledge of a matching signed row in the policy table • let Over = SELECT over = speed - max FROM GPS |><| SpeedLimit • let total = SUM points FROM Over |><| Penalty • let payment = SUM mileage * rate FROM GPS |><| Policy WHERE points = total

  19. Expressiveness & Performance • Linear overhead in the number of secrets • Linear: 128 bytes/row; prove 300,000 row/S; check 90,000 row/S • Non-Linear: 6586 bytes/row; prove 87 row/S; check 41 row/S • Performance dominated by bignum multiplications: • We rely on recent extensions of core crypto algorithms (thanks to XCG) • When operating on secrets, we support a fragment of SQL • Linear expressions • Polynomial expressions • Table lookups • Inequalities • Current limitation: the shape of intermediate tables must be public • Fresh cryptography: vector commitments for implementing private intermediate tables

  20. Security? • Diagram: T1: …; Q(T1…Tn); ZQL compiler; F# generator; Qv.fs, T1.fs, Qp.fs • Our compiler automatically generates complex protocol implementations • Hard to test or review • How can the user tell whether her privacy is preserved? • Our compiler then calls independent, automated tools to verify that these implementations are secure • Privacy: the service learns nothing more than the query result • Integrity: the user can build evidence only for the correct result

  21. Security Verification (2003—) • We develop a cryptographic verification kit for new protocol implementations [with A.D. Gordon, K. Bhargavan] • Tools: ProVerif, FS2PV, FS2CV, F7, F*… • Mostly for F#, with experiments for C and C# • We automatically verify large implementations against precise cryptographic assumptions • Probabilistic security: “no secret information flows to the adversary” • Computational security: “except with a negligible probability, no adversary can…” • Verification case studies: • TLS 1.2 Internet Standard [with MSR-INRIA]; web services security • DKM for cloud data [with T. Acar, D. Shumow] deployed on MS datacenters • TPM2 [with P. England, D. Wooten, F. Dupressoir, and RISE] shipping with Win8

  22. Towards a certifying ZQL Compiler • Source: T1: … and Q(T1…Tn), query expressed in SQL • ZQL compiler: we generate proof goals and type annotations to keep track of query evaluations • F7 generator and F# generator • Emitted files: ZQL.fs7, Qv.fs, T1.fs, Qv.fs7, T1.fs7, Crypto.fs7, Qp.fs, Qp.fs7 (typed specification in F7; reference implementation in F#) • F7 typing: we use F7 to automatically prove that implementations conform with their specifications • We get either a compile-time error (bug) or strong integrity & privacy theorems

  23. ZQL: Privacy-Friendly Data Processing • With ZQL, clients process their own private data & services still get correct results • Programmers specify their SQL queries & privacy goals; we compile them into zero-knowledge protocols • The security of fresh crypto implementations can be automatically verified (at compile-time) under standard security assumptions
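
The three-step commitment check from slide 16 (compiling the metering query), worked through in Python as an added example; it is not code from the slides or output of the ZQL compiler. The toy group parameters, the sample readings and rates, and the function names are constructed for illustration, and the meter's signature over the commitments is left out.

```python
import secrets

# Constructed toy parameters: P = 2*Q + 1, both prime. Far too small for real use.
P, Q = 2039, 1019
# 4 and 9 are squares mod P, so each generates the order-Q subgroup.
# In a real setup nobody may know log_G(H), or commitments stop being binding.
G, H = 4, 9

def meter_commit(readings):
    """Step (1): Open and Commit. One random opening and one commitment per row."""
    opened = {t: (r, secrets.randbelow(Q)) for t, r in readings.items()}
    commits = {t: pow(G, r, P) * pow(H, o, P) % P for t, (r, o) in opened.items()}
    return opened, commits  # opened stays with the user; commits would be signed

def client_bill(opened, policy):
    """Step (2): the two sums over Open |><| Policy."""
    payment = sum(r * policy[t] for t, (r, _) in opened.items())
    proof = sum(o * policy[t] for t, (_, o) in opened.items()) % Q
    return payment, proof

def utility_check(payment, proof, commits, policy):
    """Step (3): g^payment * h^proof =?= PROD commit^rate over Commit |><| Policy.
    The equality holds modulo Q, so Q must exceed any plausible fee."""
    lhs = pow(G, payment, P) * pow(H, proof, P) % P
    rhs = 1
    for t, c in commits.items():
        rhs = rhs * pow(c, policy[t], P) % P
    return lhs == rhs

def demo():
    readings = {1: 3, 2: 5, 3: 2, 4: 7}    # constructed: time -> reading (secret)
    policy = {1: 10, 2: 10, 3: 25, 4: 25}  # constructed: time -> rate (public)
    opened, commits = meter_commit(readings)
    payment, proof = client_bill(opened, policy)
    honest = utility_check(payment, proof, commits, policy)
    # An under-reported fee fails: the left side is off by a factor g^50 != 1.
    cheat = utility_check(payment - 50, proof, commits, policy)
    return payment, honest, cheat

if __name__ == "__main__":
    print(demo())
```

The utility sees only the commitments, the payment and the proof value; the individual readings and openings never leave the client.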
