- The document discusses privacy-preserving digital infrastructures and presents several approaches to enabling anonymous key agreement between users and networks/service providers to preserve privacy in mobile communication and payments. - It outlines protocols using public key encryption, Diffie-Hellman key exchange, and signatures to anonymously establish encryption keys while preventing malicious parties from tracing users. - The research aims to make these systems seamless for users while achieving a balance between strong privacy and practical efficiency and usability.

1. Privacy-preserving seamless digital
infrastructures
– why, what, how and when
Kristian Gjøsteen
Department of Mathematical Sciences
VERDIKT conference, April 26, 2012
www.ntnu.no Kristian Gjøsteen, Privacy-preserving seamless digital infrastructures

2. 2
Contents
Why?
What?
How?
When?
www.ntnu.no Kristian Gjøsteen, Privacy-preserving seamless digital infrastructures

3. 3
Privacy-Preserving Seamless Digital
Infrastructures
Funded by VERDIKT from 2008 to 2011.
One PhD student and one post.doc.
Department of Mathematical Sciences and Department of
Telematics at NTNU.
The cryptography group at Aarhus University, Denmark.
www.ntnu.no Kristian Gjøsteen, Privacy-preserving seamless digital infrastructures

4. 4
Recent Privacy Compromises
— One specific person’s tax return was shown to many.
www.ntnu.no Kristian Gjøsteen, Privacy-preserving seamless digital infrastructures

5. 4
Recent Privacy Compromises
— One specific person’s tax return was shown to many.
— Tracking users of a GSM network.
www.ntnu.no Kristian Gjøsteen, Privacy-preserving seamless digital infrastructures

6. 4
Recent Privacy Compromises
— One specific person’s tax return was shown to many.
— Tracking users of a GSM network.
— Eavesdropping on a GSM network.
www.ntnu.no Kristian Gjøsteen, Privacy-preserving seamless digital infrastructures

7. 4
Recent Privacy Compromises
— One specific person’s tax return was shown to many.
— Tracking users of a GSM network.
— Eavesdropping on a GSM network.
— HP stole the phone records of HP board members and
journalists.
www.ntnu.no Kristian Gjøsteen, Privacy-preserving seamless digital infrastructures

8. 4
Recent Privacy Compromises
— One specific person’s tax return was shown to many.
— Tracking users of a GSM network.
— Eavesdropping on a GSM network.
— HP stole the phone records of HP board members and
journalists.
— Bank employees used celebrity bank account transcripts as
entertainment.
www.ntnu.no Kristian Gjøsteen, Privacy-preserving seamless digital infrastructures

9. 4
Recent Privacy Compromises
— One specific person’s tax return was shown to many.
— Tracking users of a GSM network.
— Eavesdropping on a GSM network.
— HP stole the phone records of HP board members and
journalists.
— Bank employees used celebrity bank account transcripts as
entertainment.
— For years, bank employees sold celebrity account transcripts
to the Norwegian gossip magazine Se og Hør.
www.ntnu.no Kristian Gjøsteen, Privacy-preserving seamless digital infrastructures

10. 4
Recent Privacy Compromises
— One specific person’s tax return was shown to many.
— Tracking users of a GSM network.
— Eavesdropping on a GSM network.
— HP stole the phone records of HP board members and
journalists.
— Bank employees used celebrity bank account transcripts as
entertainment.
— For years, bank employees sold celebrity account transcripts
to the Norwegian gossip magazine Se og Hør.
— Deutsche Telecom used their mobile phone network to track
journalists’ movements.
www.ntnu.no Kristian Gjøsteen, Privacy-preserving seamless digital infrastructures

11. 5
A Solution?
Often, the problem is insecurely stored data. The obvious solution
is to stop storing the data.
Unfortunately, the EU data retention directive says that if the data is
generated, it must be stored. Storing data securely is expensive.
It would anyway not prevent Deutsche Telecom from attacking their
users.
www.ntnu.no Kristian Gjøsteen, Privacy-preserving seamless digital infrastructures

12. 6
Seamless
People want privacy.
People are not prepared to pay for privacy.
— How much privacy is achievable without increasing user-visible
complexity?
www.ntnu.no Kristian Gjøsteen, Privacy-preserving seamless digital infrastructures

13. 7
Preserving Privacy
Privacy for mobile communication is:
— Nobody knows what I am saying.
— Nobody knows who I am talking to.
— Nobody knows where I am.
Today’s systems efficiently provide little or no privacy.
There are cryptographic schemes that provide almost perfect
privacy, but they are expensive and complicated.
— We need a trade-off.
www.ntnu.no Kristian Gjøsteen, Privacy-preserving seamless digital infrastructures

14. 8
Fundamental Idea
A fundamental idea in cryptographic research is to distribute
computation and knowledge among several parties.
Done correctly we can tolerate if some – but not all – parties are
malicious.
www.ntnu.no Kristian Gjøsteen, Privacy-preserving seamless digital infrastructures

15. 9
Anonymous Key Agreement
Anonymous key agreement may be a solution.
We have: One or more networks of radio towers, willing to talk to
phones near them.
Idea: Every time a user moves, he anonymously agrees on a key
with a new radio tower. Once the key is established, it can be used
for secure communication.
Note: If the user is communicating while moving, traffic analysis
alone will usually allow an attacker to trace the user.
www.ntnu.no Kristian Gjøsteen, Privacy-preserving seamless digital infrastructures

16. 10
Anonymous Key Agreement I
Signatures, group signatures and Diffie-Hellman.
User Network
gx
g y , sign(. . . )
groupsign(. . . )
But: § Group signatures are expensive. § Anyone with a radio can
force the network to do a lot of work. § Where do we send the bill
for data usage?
www.ntnu.no Kristian Gjøsteen, Privacy-preserving seamless digital infrastructures

17. 11
Today’s Mobile Communications
We have three separate mobile networks in Norway.
We have ∞ virtual operators and resellers.
We can reuse the business model! The GSM networks no longer
sell network access directly. Instead, they sell capacity to virtual
operators (service providers in our terminology).
— The network provides connectivity.
— The service provider sends the bill.
www.ntnu.no Kristian Gjøsteen, Privacy-preserving seamless digital infrastructures

18. 12
Anonymous Key Agreement II
Public key encryption.
User Network S. Prov.
S, c = {U, n1 }ekS c
c k , c = {N, n1 , n2 , k }kUS
{k , n2 , . . . }k n2
ok
But: § A malicious service provider can do anything at the time of
key agreement. § Anyone with a radio can force a service provider
to do a lot of work.
www.ntnu.no Kristian Gjøsteen, Privacy-preserving seamless digital infrastructures

19. 13
Anonymous Key Agreement III
Public key encryption and Diffie-Hellman.
User Network S. Prov.
S, g x , c = {U, n1 }ekS c
c , gy k , c = {N, n1 , n2 , k }kUS
{n2 , . . . }k n2
ok
But: § A malicious service provider can do anything at the time of
key agreement. § Anyone with a radio can force a service provider
to do a lot of work.
www.ntnu.no Kristian Gjøsteen, Privacy-preserving seamless digital infrastructures

20. 14
Anonymous Key Agreement IV
Public key encryption, Diffie-Hellman and a signature.
User Network S. Prov.
S, g x , c = {U, n1 }ekS c
c , gy k , c = {N, n1 , n2 , k }kUS
{n2 , . . . }k n2
{. . . }skN ok
But: § Anyone with a radio can force a service provider to do a lot
of work.
www.ntnu.no Kristian Gjøsteen, Privacy-preserving seamless digital infrastructures

21. 15
Anonymous Key Agreement V
Identity tokens, Diffie-Hellman and a signature.
User Network S. Prov.
S, T = {U}kS , g x T , n1
c c = {T , N, n1 , n2 }kUS
n1
g y , {. . . }skN
{n2 , . . . }g xy n2
ok
But: § Identity tokens allow a tracing DoS-attack.
www.ntnu.no Kristian Gjøsteen, Privacy-preserving seamless digital infrastructures

22. 16
Anonymous Key Agreement VI
Identity tokens.
User Network S. Prov.
S, T = {U}kS T , n1
c k, c = {T , N, n1 , n2 , k}kUS
{k , n1 , n2 }k n2
ok
But: § A malicious service provider can do anything at the time of
key agreement. § Identity tokens allow a tracing DoS-attack.
www.ntnu.no Kristian Gjøsteen, Privacy-preserving seamless digital infrastructures

23. 17
Anonymous So What?
Different key agreement protocols have different security
properties. What happens when you build upon this base?
www.ntnu.no Kristian Gjøsteen, Privacy-preserving seamless digital infrastructures

24. 18
Tomorrow’s NFC Payment Systems
Privacy for electronic payment is:
— Nobody knows where I am spending my money.
Today, electronic payment methods let the bank know where I
spend my money. Merchants can often tell when I make repeat
purchases.
New mobile phones can use near field communication to talk to a
merchants’ point-of-sale systems.
— NFC payment systems could be made privacy-preserving,
especially if we have a privacy-preserving mobile network.
www.ntnu.no Kristian Gjøsteen, Privacy-preserving seamless digital infrastructures

25. 19
Anonymous Payment
Blind signatures, privacy-preserving communication and NFC.
Bank User Merchant
pay
request(ch, . . . ) ch
issue signature
ch, signature
The merchant doesn’t know who you are, the bank doesn’t know
where you shop.
www.ntnu.no Kristian Gjøsteen, Privacy-preserving seamless digital infrastructures

26. 20
Cryptographic Security Proofs
Theoretical work:
— We needed an improved model for cryptographic security
proofs.
— We have studied one approach to machine-verifiable proofs.
www.ntnu.no Kristian Gjøsteen, Privacy-preserving seamless digital infrastructures

27. 21
E-valg 2011
We have contributed to the design and analysis of the
cryptosystem underlying the 2011 trial of internet voting in Norway.
— This is a seamless digital infrastructure just like the previous
examples. It was deployed and worked very well.
www.ntnu.no Kristian Gjøsteen, Privacy-preserving seamless digital infrastructures

28. 22
When?
— Not gonna happen.
Our work will not change mobile phone networks or payment
infrastructures. But thanks to our work and E-valg 2011, we know
that it is possible to do better.
There’s no excuse not to do better for new infrastructures.
www.ntnu.no Kristian Gjøsteen, Privacy-preserving seamless digital infrastructures