Publication


Featured research published by Alfredo Rial.


Public Key Cryptography | 2009

Blind and Anonymous Identity-Based Encryption and Authorised Private Searches on Public Key Encrypted Data

Jan Camenisch; Markulf Kohlweiss; Alfredo Rial; Caroline Sheedy

Searchable encryption schemes provide an important mechanism to cryptographically protect data while keeping it available to be searched and accessed. In a common approach for their construction, the encrypting entity chooses one or several keywords that describe the content of each encrypted record of data. To perform a search, a user obtains a trapdoor for a keyword of her interest and uses this trapdoor to find all the data described by this keyword. We present a searchable encryption scheme that allows users to privately search by keywords on encrypted data in a public key setting and decrypt the search results. To this end, we define and implement two primitives: public key encryption with oblivious keyword search (PEOKS) and committed blind anonymous identity-based encryption (IBE). PEOKS is an extension of public key encryption with keyword search (PEKS) in which users can obtain trapdoors from the secret key holder without revealing the keywords. Furthermore, we define committed blind trapdoor extraction, which facilitates the definition of authorisation policies to describe which trapdoor a particular user can request. We construct a PEOKS scheme by using our other primitive, which we believe to be the first blind and anonymous IBE scheme. We apply our PEOKS scheme to build a public key encrypted database that permits authorised private searches, i.e., neither the keywords nor the search results are revealed.


International Conference on Pairing-Based Cryptography | 2009

Universally Composable Adaptive Priced Oblivious Transfer

Alfredo Rial; Markulf Kohlweiss; Bart Preneel

An adaptive $k$-out-of-$N$ Priced Oblivious Transfer (POT) scheme is a two-party protocol between a vendor and a buyer. The vendor sells a set of messages $m_1, \dots, m_N$ with prices $p_1, \dots, p_N$. In each transfer phase $i = 1, \dots, k$, the buyer chooses a selection value $\sigma_i \in \{1, \dots, N\}$ and interacts with the vendor to buy message $m_{\sigma_i}$ in such a way that the vendor does not learn $\sigma_i$ and the buyer does not get any information about the other messages. We present a POT scheme secure under pairing-related assumptions in the standard model. Our scheme is universally composable and thus, unlike previous results, preserves security when it is executed with multiple protocol instances that run concurrently in an adversarially controlled way. Furthermore, after an initialization phase of complexity $O(N)$, each transfer phase is optimal in terms of rounds of communication and has constant computational and communication cost. To achieve these properties, we design what is, to our knowledge, the first efficient non-interactive proof of knowledge that a value lies in a given interval.


IEEE Transactions on Information Forensics and Security | 2010

A Provably Secure Anonymous Buyer–Seller Watermarking Protocol

Alfredo Rial; Mina Deng; Tiziano Bianchi; Alessandro Piva; Bart Preneel

Buyer-seller watermarking (BSW) protocols allow copyright protection of digital content. The protocol is anonymous when the identity of buyers is not revealed if they do not release pirated copies. Existing BSW protocols are not provided with a formal analysis of their security properties. We employ the ideal-world/real-world paradigm to propose a formal security definition for copyright protection protocols, and we analyze an anonymous BSW protocol and prove that it fulfills our definition. Additionally, we implement the protocol and measure its efficiency.


IEEE Transactions on Information Forensics and Security | 2011

A Privacy-Preserving Buyer–Seller Watermarking Protocol Based on Priced Oblivious Transfer

Alfredo Rial; Josep Balasch; Bart Preneel

Buyer-seller watermarking protocols allow copyright protection of digital goods. To protect privacy, some of those protocols provide buyers with anonymity. However, anonymous e-commerce protocols pose several disadvantages, like hindering customer management or requiring anonymous payment mechanisms. Additionally, no existing buyer-seller watermarking protocol provides fair exchange. We propose a novel approach for the design of privacy-preserving buyer-seller watermarking protocols. In our approach, the seller authenticates buyers but does not learn which items are purchased. Since buyers are not anonymous, customer management is eased and currently deployed methods of payment can be utilized. We define an ideal functionality for privacy-preserving copyright protection protocols. To realize our functionality, a protocol must ensure that buyers pay the right price without disclosing the purchased item, and that sellers are able to identify buyers that released pirated copies. We construct a protocol based on priced oblivious transfer and on existing techniques for asymmetric watermark embedding. Furthermore, we implement and evaluate the efficiency of our protocol, and we explain how to extend it in order to achieve optimistic fair exchange.


Information Hiding | 2011

Differentially private billing with rebates

George Danezis; Markulf Kohlweiss; Alfredo Rial

A number of established and novel business models are based on fine-grained billing, including pay-per-view, mobile messaging, voice calls, pay-as-you-drive insurance, smart metering for utility provision, private computing clouds and hosted services. These models apply fine-grained tariffs dependent on time-of-use or place-of-use to readings to compute a bill. We extend previously proposed billing protocols to strengthen their privacy in two key ways. First, we study the monetary amount a customer should add to their bill in order to provably hide their activities, within the differential privacy framework. Second, we propose a cryptographic protocol for oblivious billing that ensures any additional expenditure, aimed at protecting privacy, can be tracked and reclaimed in the future, thus minimising its cost. Our proposals can be used together or separately and are backed by provable guarantees of security.


International Conference on Cryptology in Africa | 2010

Optimistic fair priced oblivious transfer

Alfredo Rial; Bart Preneel

Priced oblivious transfer (POT) is a two-party protocol between a vendor and a buyer in which the buyer purchases digital goods without the vendor learning what is bought. Although privacy properties are guaranteed, current schemes do not offer fair exchange. A malicious vendor can, e.g., prevent the buyer from retrieving the goods after receiving the payment, and a malicious buyer can also accuse an honest vendor of misbehavior without the vendor being able to prove this untrue. In order to address these problems, we define the concept of optimistic fair priced oblivious transfer and propose a generic construction that extends secure POT schemes to realize this functionality. Our construction, based on verifiably encrypted signatures, employs a neutral adjudicator that is only involved in case of dispute, and shows that disputes can be resolved without the buyer losing her privacy, i.e., the buyer does not need to disclose which digital goods she is interested in. We show that our construction can be instantiated with an existing universally composable POT scheme, and furthermore we propose a novel full-simulation secure POT scheme that is much more efficient.


Privacy Enhancing Technologies | 2012

Private client-side profiling with random forests and hidden Markov models

George Danezis; Markulf Kohlweiss; Benjamin Livshits; Alfredo Rial

Nowadays, service providers gather fine-grained data about users to deliver personalized services, for example, through the use of third-party cookies or social network profiles. This poses a threat both to privacy, since the amount of information obtained is excessive for the purpose of customization, and authenticity, because those methods employed to gather data can be blocked and fooled. In this paper we propose privacy-preserving profiling techniques, in which users perform the profiling task locally, reveal to service providers the result and prove its correctness. We address how our approach applies to tasks of both classification and pattern recognition. For the former, we describe client-side profiling based on random forests, where users, based on certified input data representing their activity, resolve a random forest and reveal the classification result to service providers. For the latter, we show how to match a stream of user activity to a regular expression, or how to assign it a probability using a hidden Markov model. Our techniques, based on the use of zero-knowledge proofs, can be composed with other protocols as part of the certification of a larger computation.


IEEE Transactions on Information Forensics and Security | 2018

Private Mobile Pay-TV From Priced Oblivious Transfer

Wouter Biesmans; Josep Balasch; Alfredo Rial; Bart Preneel; Ingrid Verbauwhede

In pay-TV, a service provider offers TV programs and channels to users. To ensure that only authorized users gain access, conditional access systems (CAS) have been proposed. In existing CAS, users disclose to the service provider the TV programs and channels they purchase. We propose a pay-per-view and a pay-per-channel CAS that protect users’ privacy. Our pay-per-view CAS employs priced oblivious transfer (POT) to allow a user to purchase TV programs without disclosing which programs were bought to the service provider. In our pay-per-channel CAS, POT is employed together with broadcast attribute-based encryption to achieve low storage overhead, collusion resistance, efficient revocation, and broadcast efficiency. We propose a new POT scheme and show its feasibility by implementing and testing our CAS on a representative mobile platform.


International Cryptology Conference | 2016

UC Commitments for Modular Protocol Design and Applications to Revocation and Attribute Tokens

Jan Camenisch; Maria Dubovitskaya; Alfredo Rial

Complex cryptographic protocols are often designed from simple cryptographic primitives, such as signature schemes, encryption schemes, verifiable random functions, and zero-knowledge proofs, by bridging between them with commitments to some of their inputs and outputs. Unfortunately, the known universally composable (UC) functionalities for commitments and for the cryptographic primitives mentioned above do not allow such constructions of higher-level protocols as hybrid protocols. Therefore, protocol designers typically resort to primitives with property-based definitions, often resulting in complex monolithic security proofs that are prone to mistakes and hard to verify. We address this gap by presenting a UC functionality for non-interactive commitments that enables modular constructions of complex protocols within the UC framework. We also show how the new functionality can be used to construct hybrid protocols that combine different UC functionalities and use commitments to ensure that the same inputs are provided to different functionalities. We further provide UC functionalities for attribute tokens and revocation that can be used as building blocks together with our UC commitments. As an example of building a complex system from these new UC building blocks, we provide a construction of a hybrid protocol of anonymous attribute tokens with revocation. Unlike existing accumulator-based schemes, our scheme allows one to accumulate several revocation lists into a single commitment value and to hide the revocation status of a user from other users and verifiers.


International Journal of Information Security | 2018

Privacy-preserving smart metering revisited

Alfredo Rial; George Danezis; Markulf Kohlweiss

Privacy-preserving billing protocols are useful in settings where a meter measures user consumption of some service, such as smart metering of utility consumption, pay-as-you-drive insurance and electronic toll collection. In such settings, service providers apply fine-grained tariff policies that require meters to provide a detailed account of user consumption. The protocols allow the user to pay to the service provider without revealing the user’s consumption measurements. Our contribution is twofold. First, we propose a general model where a meter can output meter readings to multiple users, and where a user receives meter readings from multiple meters. Unlike previous schemes, our model accommodates a wider variety of smart metering applications. Second, we describe a protocol based on polynomial commitments that improves the efficiency of previous protocols for tariff policies that employ splines to compute the price due.

Collaboration

Top co-authors of Alfredo Rial:

- Bart Preneel (Katholieke Universiteit Leuven)
- George Danezis (University College London)
- Josep Balasch (Katholieke Universiteit Leuven)
- Carmela Troncoso (Katholieke Universiteit Leuven)
- Ingrid Verbauwhede (Katholieke Universiteit Leuven)
- Mina Deng (Katholieke Universiteit Leuven)