Privacy-preserving blueprints

Privacy-preserving blueprints

发表信息

• 原文链接

作者

• Markulf Kohlweiss
• Anna Lysyanskaya
• An Nguyen

笔记

If everyone were to use anonymous credentials for all access control needs, it would be impossible to trace wrongdoers, by design. This would make legitimate controls, such as tracing illicit trade and terror suspects, impossible to carry out. Here, we propose a privacy-preserving blueprint capability that allows an auditor to publish an encoding $p{k}_A$ of the function $f(x,\cdot )$ for a publicly known function $f$ and a secret input $x$. For example, $x$ may be a secret watchlist, and $f(x,y)$ may return $y$ if $y\in x$. On input her data $y$ and the auditor’s $p{k}_A$, a user can compute an escrow $Z$ such that anyone can verify that $Z$ was computed correctly from the user’s credential attributes, and moreover, the auditor can recover $f(x,y)$ from $Z$. Our contributions are:

• We define secure f-blueprint systems; our definition is designed to provide a modular extension to anonymous credential systems.
• We show that secure f-blueprint systems can be contructed for all functions f from fully homomorphic encryption and NIZK proof systems. This result is of theoretical interest but is not efficient enough for practical use.
• We realize an optimal blueprint system under the DDH assumption in the random-oracle model for the watchlist function.

如果每个人都使用匿名凭证来满足所有访问控制需求，那么根据设计，将无法追踪不法分子。这将使得合法的控制措施，例如追踪非法交易和恐怖嫌疑人，变得无法实施。在这里，我们提出了一种隐私保护的蓝图能力，允许审计员发布一个已编码的 $p{k}_A$，用于一个公开已知的函数 $f$ 和一个秘密输入 $x$。例如，$x$ 可能是一个秘密观察名单，而 $f(x,y)$ 可能在 $y\in x$ 时返回 $y$。用户在输入其数据 $y$ 和审计员的 $p{k}_A$ 后，可以计算出一个托管 $Z$，使得任何人都可以验证 $Z$ 是根据用户的凭证属性正确计算得出的。此外，审计员可以从 $Z$ 中恢复出 $f(x,y)$。我们的贡献包括：

• 我们定义了安全的 f-蓝图系统；我们的定义旨在为匿名凭证系统提供模块化扩展。
• 我们展示了可以为所有函数 f 构建安全的 f-蓝图系统，基于完全同态加密和 NIZK 证明系统。这个结果具有理论意义，但在实际应用中效率不足。
• 我们在随机预言模型下，在 DDH 假设下实现了观察名单函数的最优蓝图系统。