Privacy-Enhanced Event Scheduling - ...dud.inf.tu-dresden.de/~ben/kellermann09_privacy-enhanced_event... · acultyF of Computer Science Institute of Systems Architecture, Chair of

Faculty of Computer Science Institute of Systems Architecture, Chair of Privacy and Data Security

Privacy-Enhanced Event Scheduling

http://dudle.inf.tu-dresden.de

[email protected]

D19E 04A8 8895 020A 8DF60092 3501 1A32 491A 3D9C

Berlin, December 29, 2009

PrimeLife is a research projectfunded by the European Commis-

sion's 7th Framework Programme

Event Scheduling

Benjamin Kellermann Privacy-Enhanced Event Scheduling slide 2 of 31

Privacy ProblemsDirect Inference

Will my husband vote for

the date of our

wedding anniversary?


Privacy ProblemsDirect Inference

Will my husband vote for

the date of our

wedding anniversary?


Privacy ProblemsIndirect Inference

The availability pattern of user bunny23 looks

suspiciously like the one of my employee John Doe!


Privacy ProblemsIndirect Inference

The availability pattern of user bunny23 looks

suspiciously like the one of my employee John Doe!


Table of Contents

Problem Statement

Scheme

Extensions

Evaluation

Demo

Conclusion and Outlook

GFDL Hajotthu


Requirements

• Untrusted Server

• Privacy

• Veri�ability

• Low Communication

Complexity

• Low Computational

Complexity


Requirements


• Privacy

• Veri�ability


Complexity


Complexity


Requirements


• Privacy

• Veri�ability


Complexity


Complexity


E-Voting vs. Event Scheduling

Vote

Candidate #1

Candidate #2 8

.

.

.

Candidate #10

Vote

Candidate #1

Candidate #2 8

.

.

.

Candidate #10

Vote

Candidate #1

Candidate #2 8

.

.

.

Candidate #10

Vote

Candidate #1

Candidate #2 8

.

.

.

Candidate #10

Vote

Candidate #1

Candidate #2 8

.

.

.

Candidate #10

Vote

Candidate #1

Candidate #2 8

.

.

.

Candidate #10

Vote

Candidate #1

Candidate #2 8

.

.

.

Candidate #10

scales

scales

Date

#1

Date

#2

. . . Date

#320

Yes 8 8

No 8

Date

#1

Date

#2

. . . Date

#320

Yes 8 8

No 8

Date

#1

Date

#2

. . . Date

#320

Yes 8 8

No 8

Date

#1

Date

#2

. . . Date

#320

Yes 8 8

No 8

Date

#1

Date

#2

. . . Date

#320

Yes 8 8

No 8

Date

#1

Date

#2

. . . Date

#320

Yes 8 8

No 8

Date

#1

Date

#2

. . . Date

#320

Yes 8 8

No 8

scales

one vote per column



Vote

Candidate #1

Candidate #2 8

.

.

.

Candidate #10

Vote

Candidate #1

Candidate #2 8

.

.

.

Candidate #10

Vote

Candidate #1

Candidate #2 8

.

.

.

Candidate #10

Vote

Candidate #1

Candidate #2 8

.

.

.

Candidate #10

Vote

Candidate #1

Candidate #2 8

.

.

.

Candidate #10

Vote

Candidate #1

Candidate #2 8

.

.

.

Candidate #10

Vote

Candidate #1

Candidate #2 8

.

.

.

Candidate #10

scales

scales

Date

#1

Date

#2

. . . Date

#320

Yes 8 8

No 8

Date

#1

Date

#2

. . . Date

#320

Yes 8 8

No 8

Date

#1

Date

#2

. . . Date

#320

Yes 8 8

No 8

Date

#1

Date

#2

. . . Date

#320

Yes 8 8

No 8

Date

#1

Date

#2

. . . Date

#320

Yes 8 8

No 8

Date

#1

Date

#2

. . . Date

#320

Yes 8 8

No 8

Date

#1

Date

#2

. . . Date

#320

Yes 8 8

No 8

scales

one vote per column



Vote

Candidate #1

Candidate #2 8

.

.

.

Candidate #10

Vote

Candidate #1

Candidate #2 8

.

.

.

Candidate #10

Vote

Candidate #1

Candidate #2 8

.

.

.

Candidate #10

Vote

Candidate #1

Candidate #2 8

.

.

.

Candidate #10

Vote

Candidate #1

Candidate #2 8

.

.

.

Candidate #10

Vote

Candidate #1

Candidate #2 8

.

.

.

Candidate #10

Vote

Candidate #1

Candidate #2 8

.

.

.

Candidate #10

scales

scales

Date

#1

Date

#2

. . . Date

#320

Yes 8 8

No 8

Date

#1

Date

#2

. . . Date

#320

Yes 8 8

No 8

Date

#1

Date

#2

. . . Date

#320

Yes 8 8

No 8

Date

#1

Date

#2

. . . Date

#320

Yes 8 8

No 8

Date

#1

Date

#2

. . . Date

#320

Yes 8 8

No 8

Date

#1

Date

#2

. . . Date

#320

Yes 8 8

No 8

Date

#1

Date

#2

. . . Date

#320

Yes 8 8

No 8

scales

one vote per column



Vote

Candidate #1

Candidate #2 8

.

.

.

Candidate #10

Vote

Candidate #1

Candidate #2 8

.

.

.

Candidate #10

Vote

Candidate #1

Candidate #2 8

.

.

.

Candidate #10

Vote

Candidate #1

Candidate #2 8

.

.

.

Candidate #10

Vote

Candidate #1

Candidate #2 8

.

.

.

Candidate #10

Vote

Candidate #1

Candidate #2 8

.

.

.

Candidate #10

Vote

Candidate #1

Candidate #2 8

.

.

.

Candidate #10

scales

scales

Date

#1

Date

#2

. . . Date

#320

Yes 8 8

No 8

Date

#1

Date

#2

. . . Date

#320

Yes 8 8

No 8

Date

#1

Date

#2

. . . Date

#320

Yes 8 8

No 8

Date

#1

Date

#2

. . . Date

#320

Yes 8 8

No 8

Date

#1

Date

#2

. . . Date

#320

Yes 8 8

No 8

Date

#1

Date

#2

. . . Date

#320

Yes 8 8

No 8

Date

#1

Date

#2

. . . Date

#320

Yes 8 8

No 8

scales

one vote per column


Scheme

Problem Statement

Scheme

Extensions

Evaluation

Demo



Superposed Sending

Alice Bob

Carol

ka,b

ka,c k b,

c

ma

+ ka,b

+ ka,c mb

− ka,b

+ kb,c

mc − ka,c − kb,c

ma

+ ka,b + ka,c

+mb

− ka,b + kb,c

+mc

− ka,c − kb,c

D. Chaum, �The dining cryptographers problem: Unconditional sender and recipient untraceability,� Journal ofCryptology, vol. 1, no. 1, pp. 65�75, Jan. 1988


Superposed Sending

Alice Bob

Carol

ka,b

ka,c k b,

c

ma

+ ka,b

+ ka,c mb

− ka,b

+ kb,c


ma

+ ka,b + ka,c

+mb

− ka,b + kb,c

+mc

− ka,c − kb,c



Superposed Sending

Alice Bob

Carol

ka,b

ka,c k b,

c

ma

+ ka,b

+ ka,c mb

− ka,b

+ kb,c


ma

+ ka,b + ka,c

+mb

− ka,b + kb,c

+mc

− ka,c − kb,c



Superposed Sending

Alice Bob

Carol

ka,b

ka,c k b,

c

ma

+ ka,b + ka,c

mb

− ka,b + kb,c

mc

− ka,c − kb,c

ma

+ ka,b + ka,c

+mb

− ka,b + kb,c

+mc

− ka,c − kb,c



Superposed Sending

Alice Bob

Carol

ka,b

ka,c k b,

c

ma + ka,b + ka,c mb − ka,b + kb,c


ma

+ ka,b + ka,c

+mb

− ka,b + kb,c

+mc

− ka,c − kb,c



Superposed Sending

Alice Bob

Carol

ka,b

ka,c k b,

c

ma + ka,b + ka,c mb − ka,b + kb,c


ma + ka,b + ka,c+mb − ka,b + kb,c+mc − ka,c − kb,c



Superposed Sending

Alice Bob

Carol

ka,b

ka,c k b,

c

ma

+ ka,b + ka,c

mb

− ka,b + kb,c

mc

− ka,c − kb,c

ma + ka,b + ka,c+mb − ka,b + kb,c+mc − ka,c − kb,c



Superposed Sending

Alice Bob

Carol

ka,b

ka,c k b,

c

ma

+ ka,b + ka,c

mb

− ka,b + kb,c

mc

− ka,c − kb,c

ma

+ ka,b

+ ka,c+mb

− ka,b

+ kb,c+mc − ka,c − kb,c



Superposed Sending

Alice Bob

Carol

ka,b

ka,c k b,

c

ma

+ ka,b + ka,c

mb

− ka,b + kb,c

mc

− ka,c − kb,c

ma

+ ka,b

+ ka,c+mb

− ka,b + kb,c

+mc − ka,c

− kb,c



Superposed Sending

Alice Bob

Carol

ka,b

ka,c k b,

c

ma

+ ka,b + ka,c

mb

− ka,b + kb,c

mc

− ka,c − kb,c

ma

+ ka,b + ka,c

+mb

− ka,b + kb,c

+mc

− ka,c − kb,c



Poll Initialization

Alice Bob Carol Server

T, PT, PT, P E-mail

noti�cation

T . . . time slots

P . . . voters

~ka,c ~kc,a

~ka,b ~kb,a

~kb,c ~kc,b

key

exchange~ki,j . . . key vector

~ka,b ~kb,a Alice Bob

~ka,b~ka,b

ka,b,t1

ka,b,t|T |

.

.

.

−~ka,b

−ka,b,t1

−ka,b,t|T |

.

.

.


Poll Initialization


T, PT, PT, P E-mail

noti�cation

T . . . time slots

P . . . voters

~ka,c ~kc,a

~ka,b ~kb,a

~kb,c ~kc,b

key



~ka,b~ka,b

ka,b,t1

ka,b,t|T |

.

.

.

−~ka,b

−ka,b,t1

−ka,b,t|T |

.

.

.


Poll Initialization


T, PT, PT, P E-mail

noti�cation

T . . . time slots

P . . . voters

~ka,c ~kc,a

~ka,b ~kb,a

~kb,c ~kc,b

key



~ka,b~ka,b

ka,b,t1

ka,b,t|T |

.

.

.

−~ka,b

−ka,b,t1

−ka,b,t|T |

.

.

.


Poll Initialization


T, PT, PT, P E-mail

noti�cation

T . . . time slots

P . . . voters

~ka,c ~kc,a

~ka,b ~kb,a

~kb,c ~kc,b

key



~ka,b~ka,b

ka,b,t1

ka,b,t|T |

.

.

.

−~ka,b

−ka,b,t1

−ka,b,t|T |

.

.

.


Poll Initialization


T, PT, PT, P E-mail

noti�cation

T . . . time slots

P . . . voters

~ka,c ~kc,a

~ka,b ~kb,a

~kb,c ~kc,b

key



~ka,b~ka,b

ka,b,t1

ka,b,t|T |

.

.

.

−~ka,b

−ka,b,t1

−ka,b,t|T |

.

.

.


Casting of Votes


T, PT, PT, P E-mail

noti�cation

T . . . time slots

P . . . voters

~ka,c ~kc,a

~ka,b ~kb,a

~kb,c ~kc,b

key


~da~db

~dc~d . . . encrypted votes

~da

~da = (da,t1 , da,t2 , . . . , da,t|T | )

da,t = va,t + ka,b,t + ka,c,t

va,t ∈ {0, 1}


Casting of Votes


T, PT, PT, P E-mail

noti�cation

T . . . time slots

P . . . voters

~ka,c ~kc,a

~ka,b ~kb,a

~kb,c ~kc,b

key


~da~db


~da

~da = (da,t1 , da,t2 , . . . , da,t|T | )


va,t ∈ {0, 1}


Casting of Votes


T, PT, PT, P E-mail

noti�cation

T . . . time slots

P . . . voters

~ka,c ~kc,a

~ka,b ~kb,a

~kb,c ~kc,b

key


~da~db


~da

~da = (da,t1 , da,t2 , . . . , da,t|T | )


va,t ∈ {0, 1}


Casting of Votes


T, PT, PT, P E-mail

noti�cation

T . . . time slots

P . . . voters

~ka,c ~kc,a

~ka,b ~kb,a

~kb,c ~kc,b

key


~da~db


~da

~da = (da,t1 , da,t2 , . . . , da,t|T | )


va,t ∈ {0, 1}


Result Publication


T, PT, PT, P E-mail

noti�cation

T . . . time slots

P . . . voters

~ka,c ~kc,a

~ka,b ~kb,a

~kb,c ~kc,b

key


~da~db


~da,~db~da,~dc~db,~dc E-mail

noti�cation

~da

~db,~dc

da,t1 , . . . , da,t|T |db,t1 , . . . , db,t|T |dc,t1 , . . . , dc,t|T |

Choose timeslot with highest sum!


Result Publication


T, PT, PT, P E-mail

noti�cation

T . . . time slots

P . . . voters

~ka,c ~kc,a

~ka,b ~kb,a

~kb,c ~kc,b

key


~da~db



noti�cation

~da

~db,~dc




Result Publication


T, PT, PT, P E-mail

noti�cation

T . . . time slots

P . . . voters

~ka,c ~kc,a

~ka,b ~kb,a

~kb,c ~kc,b

key


~da~db



noti�cation

~da

~db,~dc


va,t1 + ka,b,t1 + ka,c,t1

+

vb,t1 − ka,b,t1 + kb,c,t1

+

vc,t1 − ka,c,t1 − kb,c,t1



Result Publication


T, PT, PT, P E-mail

noti�cation

T . . . time slots

P . . . voters

~ka,c ~kc,a

~ka,b ~kb,a

~kb,c ~kc,b

key


~da~db



noti�cation

~da

~db,~dc


va,t1 + ka,b,t1 + ka,c,t1

+ vb,t1 − ka,b,t1 + kb,c,t1+ vc,t1 − ka,c,t1 − kb,c,t1



Result Publication


T, PT, PT, P E-mail

noti�cation

T . . . time slots

P . . . voters

~ka,c ~kc,a

~ka,b ~kb,a

~kb,c ~kc,b

key


~da~db



noti�cation

~da

~db,~dc


va,t1

+ ka,b,t1 + ka,c,t1

+ vb,t1

− ka,b,t1 + kb,c,t1

+ vc,t1

− ka,c,t1 − kb,c,t1



Result Publication


T, PT, PT, P E-mail

noti�cation

T . . . time slots

P . . . voters

~ka,c ~kc,a

~ka,b ~kb,a

~kb,c ~kc,b

key


~da~db



noti�cation

~da

~db,~dc


∑vi,t1

. . .∑

vi,t|T |



Result Publication


T, PT, PT, P E-mail

noti�cation

T . . . time slots

P . . . voters

~ka,c ~kc,a

~ka,b ~kb,a

~kb,c ~kc,b

key


~da~db



noti�cation

~da

~db,~dc


∑vi,t1 . . .

∑vi,t|T |



Trying to Cheat


T, PT, PT, P E-mail

noti�cation

T . . . time slots

P . . . voters

~ka,c ~kc,a

~ka,b ~kb,a

~kb,c ~kc,b

key


~da~db



noti�cation

~da

~da = (da,t1 , da,t2 , . . . , da,t|T | )


va,t ∈ {0, 1}

va,t = −1? va,t = 2?


Trying to Cheat


T, PT, PT, P E-mail

noti�cation

T . . . time slots

P . . . voters

~ka,c ~kc,a

~ka,b ~kb,a

~kb,c ~kc,b

key


~da~db



noti�cation

~da

~da = (da,t1 , da,t2 , . . . , da,t|T | )


va,t ∈ {0, 1}

va,t = −1? va,t = 2?


Trying to Cheat


T, PT, PT, P E-mail

noti�cation

T . . . time slots

P . . . voters

~ka,c ~kc,a

~ka,b ~kb,a

~kb,c ~kc,b

key


~da~db



noti�cation

~da

~da = (da,t1 , da,t2 , . . . , da,t|T | )


va,t ∈ {0, 1}

va,t = −1? va,t = 2?


Trying to Cheat


T, PT, PT, P E-mail

noti�cation

T . . . time slots

P . . . voters

~ka,c ~kc,a

~ka,b ~kb,a

~kb,c ~kc,b

key


~da~db



noti�cation

~da

~da = (da,t1 , da,t2 , . . . , da,t|T | )


va,t ∈ {0, 1}

va,t = −1? va,t = 2?


Avoid −1 Cheaters

T1 T2 T3 T4

Alice 1 1 0 0

Bob 0 1 1 0

Mallory 0 0 1 0∑1 2 2 0

Alice 0 0 0 0

Bob 0 1 0 0

Mallory 0 ? 0 0∑≥ 0?

Alice 0 1 0 0

Bob 0 0 0 0

Mallory 0 ? 0 0∑≥ 0?

Alice 1 0 0 0

Bob 0 0 1 0

Mallory 0 ? 1 0∑≥ 0?

∑1 1 0 0


Avoid −1 Cheaters

T1 T2 T3 T4

Alice 1 1 0 0

Bob 0 1 1 0

Mallory 0 0 1 0∑1 2 2 0

Alice 0 0 0 0

Bob 0 1 0 0

Mallory 0 ? 0 0∑≥ 0?

Alice 0 1 0 0

Bob 0 0 0 0

Mallory 0 ? 0 0∑≥ 0?

Alice 1 0 0 0

Bob 0 0 1 0

Mallory 0 ? 1 0∑≥ 0?

∑1 1 0 0


Avoid −1 Cheaters

T1 T2 T3 T4

Alice 1 1 0 0

Bob 0 1 1 0

Mallory 0 0 1 0∑1 2 2 0

Alice 0 0 0 0

Bob 0 1 0 0

Mallory 0 ? 0 0∑≥ 0?

Alice 0 1 0 0

Bob 0 0 0 0

Mallory 0 ? 0 0∑≥ 0?

Alice 1 0 0 0

Bob 0 0 1 0

Mallory 0 ? 1 0∑≥ 0?

∑1 1 0 0


Avoid −1 Cheaters

T1 T2 T3 T4

Alice 1 1 0 0

Bob 0 1 1 0

Mallory −1−1 1 −1∑0 1 2 −1

Alice 0 0 0 0

Bob 0 1 0 0

Mallory 0 ? 0 0∑≥ 0?

Alice 0 1 0 0

Bob 0 0 0 0

Mallory 0 ? 0 0∑≥ 0?

Alice 1 0 0 0

Bob 0 0 1 0

Mallory 0 ? 1 0∑≥ 0?

∑1 1 0 0


Avoid −1 Cheaters

T1 T2 T3 T4

Alice 1 1 0 0

Bob 0 1 1 0

Mallory 0−1 1 0∑1 1 2 0

Alice 0 0 0 0

Bob 0 1 0 0

Mallory 0 ? 0 0∑≥ 0?

Alice 0 1 0 0

Bob 0 0 0 0

Mallory 0 ? 0 0∑≥ 0?

Alice 1 0 0 0

Bob 0 0 1 0

Mallory 0 ? 1 0∑≥ 0?

∑1 1 0 0


Avoid −1 Cheaters

T1 T2 T3 T4

Alice 1 1 0 0

Bob 0 1 1 0

Mallory 0−1 1 0∑1 1 2 0

Alice 0 0 0 0

Bob 0 1 0 0

Mallory 0 ? 0 0∑≥ 0?

Alice 0 1 0 0

Bob 0 0 0 0

Mallory 0 ? 0 0∑≥ 0?

Alice 1 0 0 0

Bob 0 0 1 0

Mallory 0 ? 1 0∑≥ 0?

∑1 1 0 0


Avoid −1 Cheaters

T1 T2 T3 T4

Alice 1 1 0 0

Bob 0 1 1 0

Mallory 0−1 1 0∑1 1 2 0

Alice 0 0 0 0

Bob 0 1 0 0

Mallory 0 ? 0 0∑≥ 0?

Alice 0 1 0 0

Bob 0 0 0 0

Mallory 0 ? 0 0∑≥ 0?

Alice 1 0 0 0

Bob 0 0 1 0

Mallory 0 ? 1 0∑≥ 0?

∑1 2 1 0


Avoid −1 Cheaters

T1 T2 T3 T4

Alice 1 1 0 0

Bob 0 1 1 0

Mallory 0−1 1 0∑1 1 2 0

Alice 0 0 0 0

Bob 0 1 0 0

Mallory 0 ? 0 0

∑≥ 0?

Alice 0 1 0 0

Bob 0 0 0 0

Mallory 0 ? 0 0

∑≥ 0?

Alice 1 0 0 0

Bob 0 0 1 0

Mallory 0 ? 1 0

∑≥ 0?∑

1 2 1 0


Avoid −1 Cheaters

T1 T2 T3 T4

Alice 1 1 0 0

Bob 0 1 1 0

Mallory 0−1 1 0∑1 1 2 0

Alice 0 0 0 0

Bob 0 1 0 0

Mallory 0 ? 0 0∑≥ 0?

Alice 0 1 0 0

Bob 0 0 0 0

Mallory 0 ? 0 0∑≥ 0?

Alice 1 0 0 0

Bob 0 0 1 0

Mallory 0 ? 1 0∑≥ 0?∑

1 2 2 0


Avoid +2 Cheaters

normal poll

T1 T2 T3 T4

Alice 1 1 0 0

Bob 0 1 1 0

Mallory 0 0 2 0∑1 2 3 0

inverted poll

T1 T2 T3 T4

Alice 0

0 1

Bob 1

0 0

Mallory 1

1 −1

∑2

1 0

∑3

3 3


Avoid +2 Cheaters

normal poll

T1 T2 T3 T4

Alice 1 1 0 0

Bob 0 1 1 0

Mallory 0 0 2 0∑1 2 3 0

inverted poll

T1 T2 T3 T4

Alice 0

0 1

Bob 1

0 0

Mallory 1

1 −1

∑2

1 0

∑3

3 3


Avoid +2 Cheaters

normal poll

T1 T2 T3 T4

Alice 1 1 0 0

Bob 0 1 1 0

Mallory 0 0 2 0∑1 2 3 0

inverted poll

T1 T2 T3 T4

Alice 0

0 1

Bob 1

0 0

Mallory 1

1 −1

∑2

1 0

∑3

3 3


Avoid +2 Cheaters

normal poll

T1 T2 T3 T4

Alice 1 1 0 0

Bob 0 1 1 0

Mallory 0 0 2 0∑1 2 3 0

inverted poll

T1 T2 T3 T4

Alice 0 0

1

Bob 1 0

0

Mallory 1 1

−1

∑2 1

0

∑3 3

3


Avoid +2 Cheaters

normal poll

T1 T2 T3 T4

Alice 1 1 0 0

Bob 0 1 1 0

Mallory 0 0 2 0∑1 2 3 0

inverted poll

T1 T2 T3 T4

Alice 0 0 1

Bob 1 0 0

Mallory 1 1 −1∑2 1 0

∑3 3 3


Extensions

Problem Statement

Scheme

Extensions

Evaluation

Demo


n-lange.de


Simplifying the Key Exchange


T, PT, PT, P E-mail

noti�cation

T . . . time slots

P . . . voters

~ka,c ~kc,a

~ka,b ~kb,a

~kb,c ~kc,b

key


~da~db



noti�cation




T, PT, PT, P E-mail

noti�cation

T . . . time slots

P . . . voters

~ka,c ~kc,a

~ka,b ~kb,a

~kb,c ~kc,b

key


~da~db



noti�cation




T, PT, PT, P E-mail

noti�cation

T . . . time slots

P . . . voters

~ka,c ~kc,a

~ka,b ~kb,a

~kb,c ~kc,b

key


~da~db



noti�cation


Intermezzo � Dif�e�Hellman Key Agreement

secret s

ecret

Alice Bob

public

g, qchooses ra

gra mod q

= xa

xrab

= gra·rb mod q

chooses rb

grb mod q

= xb

xrba

= gra·rb mod q

xa xb

Discrete

Logarithm

assumption

x = gr mod q

public

hard to �nd

r

W. Dif�e and M. E. Hellman, �New Directions in Cryptography,� IEEE Transactions on Information Theory, vol.IT-22, no. 6, pp. 644�654, 1976.



secret s

ecret

Alice Bob

public

g, qchooses ra

gra mod q

= xa

xrab

= gra·rb mod q

chooses rb

grb mod q

= xb

xrba

= gra·rb mod q

xa xb

Discrete

Logarithm

assumption

x = gr mod q

public

hard to �nd

r




secret s

ecret

Alice Bob

public

g, qchooses ra

gra mod q

= xa

xrab

= gra·rb mod q

chooses rb

grb mod q

= xb

xrba

= gra·rb mod q

xa xb

Discrete

Logarithm

assumption

x = gr mod q

public

hard to �nd

r



Intermezzo � Dif�e�Hellman Key Agreementsecret s

ecret

Alice Bob

public

g, qchooses ra

gra mod q

= xa

xrab

= gra·rb mod q

chooses rb

grb mod q

= xb

xrba

= gra·rb mod q

xa xb

Discrete

Logarithm

assumption

x = gr mod q

public

hard to �nd

r




ecret

Alice Bobpublic

g, q

chooses ra

gra mod q

= xa

xrab

= gra·rb mod q

chooses rb

grb mod q

= xb

xrba

= gra·rb mod q

xa xb

Discrete

Logarithm

assumption

x = gr mod q

public

hard to �nd

r




ecret

Alice Bobpublic

g, qchooses ra

gra mod q

= xa

xrab

= gra·rb mod q

chooses rb

grb mod q

= xb

xrba

= gra·rb mod q

xa xb

Discrete

Logarithm

assumption

x = gr mod q

public

hard to �nd

r




ecret

Alice Bobpublic

g, qchooses ra

gra mod q

= xa

xrab

= gra·rb mod q

chooses rb

grb mod q

= xb

xrba

= gra·rb mod q

xa xb

Discrete

Logarithm

assumption

x = gr mod q

public

hard to �nd

r




ecret

Alice Bobpublic

g, qchooses ra

gra mod q

= xa

xrab

= gra·rb mod q

chooses rb

grb mod q

= xb

xrba

= gra·rb mod q

xa xb

Discrete

Logarithm

assumption

x = gr mod q

public

hard to �nd

r




Dif�e�Hellman

Alice Bob

Carol

key exchange

~ka,b

~ka,c ~k b,

c

Server

gra grb

grc

grb , grc gra , grc

gra , grb

gra·rb , gra·rc grb·ra , grb·rc

grc ·ra , grc ·rb

gra·rb grb·ra~ka,b


Simplifying the Key ExchangeDif�e�Hellman

Alice Bob

Carol

registration

~ka,b

~ka,c ~k b,

c

Server

gra grb

grc

grb , grc gra , grc

gra , grb


grc ·ra , grc ·rb




Alice Bob

Carol

poll initialization

~ka,b

~ka,c ~k b,

c

Server

gra grb

grc

grb , grc gra , grc

gra , grb


grc ·ra , grc ·rb




Alice Bob

Carol

poll initialization

~ka,b

~ka,c ~k b,

cServer

gra grb

grc

grb , grc gra , grc

gra , grb


grc ·ra , grc ·rb




gra·rbpseudorandom

number generator

ka,b,t

,tbl

~ka,b

ka,b,t1

.

.

.

ka,b,t|T |

tuuid tbl



gra·rbpseudorandom

number generator

ka,b,t

,tbl

~ka,b

ka,b,t1

.

.

.

ka,b,t|T |

tuuid tbl



gra·rbpseudorandom

number generator

ka,b,t

,tbl~ka,b

ka,b,t1

.

.

.

ka,b,t|T |

tuuid tbl



gra·rbpseudorandom

number generator

ka,b,t

,tbl~ka,b

ka,b,t1

.

.

.

ka,b,t|T |

t

uuid tbl



gra·rbpseudorandom

number generator

ka,b,t

,tbl~ka,b

ka,b,t1

.

.

.

ka,b,t|T |

tuuid

tbl



gra·rbpseudorandom

number generator

ka,b,t,tbl

~ka,b

ka,b,t1

.

.

.

ka,b,t|T |

tuuid tbl


Dynamic Joining


Dynamic Joining


Dynamic Joining


Dynamic Joining


Dynamic Leaving


Dynamic Leaving


Dynamic Leaving


Evaluation

Problem Statement

Scheme

Extensions

Evaluation

Demo


Simon Day


Evaluation

1 10 00 00 00 10 01 00 0

split

0 0 1 1

invert

← initialization

→ vote casting

← result publication

Date

#1

. . . Date

#240

Yes 8

No 8

scales(|P| − 1 asym. op-erations per voter)


Evaluation

1 10 00 00 00 10 01 00 0

split

0 0 1 1

invert

← initialization

→ vote casting


Date

#1

. . . Date

#240

Yes 8

No 8



Evaluation

1 10 00 00 00 10 01 00 0

split

0 0 1 1

invert

← initialization

→ vote casting


Date

#1

. . . Date

#240

Yes 8

No 8



Evaluation

1 10 00 00 00 10 01 00 0

split

0 0 1 1

invert

← initialization

→ vote casting


Date

#1

. . . Date

#240

Yes 8

No 8



Evaluation

1 10 00 00 00 10 01 00 0

split

0 0 1 1

invert

← initialization

→ vote casting


Date

#1

. . . Date

#240

Yes 8

No 8



Evaluation

1 10 00 00 00 10 01 00 0

split

0 0 1 1

invert

← initialization

→ vote casting


Date

#1

. . . Date

#240

Yes 8

No 8



Demo

Problem Statement

Scheme

Extensions

Evaluation

Demo



Registration/Login


Poll Initialization


Vote Casting


Vote Casting


Dynamic Leaving


Result Publication



• novel scheme for privacy-enhanced

event scheduling

à scales in number of time slots

à no central trust entity

• partially implemented as Web2.0

application

• implement missing features

• validate performance

• more features desirable


Faculty of Computer Science Institute of Systems Architecture, Chair of Privacy and Data Security

Thank you for your attention!

http://dudle.inf.tu-dresden.de

[email protected]

D19E 04A8 8895 020A 8DF60092 3501 1A32 491A 3D9C

Berlin, December 29, 2009

PrimeLife is a research projectfunded by the European Commis-

sion's 7th Framework Programme

Related

• one speci�c publication

• mixes

• blind signatures

• homomorphic encryption

• distributed constraint satisfaction/optimization problem

T. Herlea et al., �On Securely Scheduling a Meeting,� in Trusted Information � The New Decade Challenge(Proc. of IFIP SEC), M. Dupuy and P. Paradinas, Eds., 2001, pp. 183�198.


Computational Complexity

server

no expensive computation needed

client

1 discrete exponentiation (DH)

|P| − 1 discrete exponentiations

1 digital signature

|T | · (|P| − 1) hashes

|T | · (|P| − 1) symmetric decryptions


More Features

• privacy-invasive and

privacy-enhanced together

• prede�ned decision rules

• threshold scheme

• dynamic insertion/deletion of

time slots

• updating/revoking votes

• let voters prove that they signaled

availability for more than a certain

minimum number of time slots


Privacy-Invasive and Privacy-Enhanced


Complex Decision Rules


Documents

Privacy-Enhanced Event Scheduling - ...dud.inf.tu-dresden.de/~ben/kellermann09_privacy-enhanced_event... · acultyF of Computer Science Institute of Systems Architecture, Chair of