U.S. patent application number 13/775941 was filed with the patent office on 2013-08-29 for privacy-preserving publish-subscribe protocol in a distributed model.
This patent application is currently assigned to APPLIED COMMUNICATIONS SCIENCES. The applicant listed for this patent is Applied Communications Sciences. Invention is credited to Giovanni Di Crescenzo.
Application Number: 20130227273 (13/775941)
Family ID: 49004597
Filed Date: 2013-08-29
United States Patent Application 20130227273, Kind Code A1
Di Crescenzo; Giovanni
August 29, 2013
PRIVACY-PRESERVING PUBLISH-SUBSCRIBE PROTOCOL IN A DISTRIBUTED MODEL
Abstract
A method and system for providing privacy in a publish-subscribe
protocol is provided. A server transmits to a client a public key.
The server receives from the client a pseudonym of an interest
based on a division malleable commitment method applied to the
public key, wherein the pseudonym of the interest functions as a
commitment of the client. The server encrypts an item with a padded
key and encrypts the padded key. The server transmits to the
client the encrypted item and a pseudonym of a topic associated
with the item based on a modification of the commitment by the
server using a hybrid conditional-oblivious transfer protocol. When
the interest of the client equals the topic associated with the
item, the client retrieves a correct padded key to decrypt the
encrypted data item; otherwise the client retrieves a random key
that is unable to decrypt the encrypted data item.
Inventors: Di Crescenzo; Giovanni (Madison, NJ)
Applicant: Applied Communications Sciences (Country: US)
Assignee: APPLIED COMMUNICATIONS SCIENCES, Basking Ridge, NJ
Family ID: 49004597
Appl. No.: 13/775941
Filed: February 25, 2013
Related U.S. Patent Documents: Application Number 61602260, Filing
Date Feb 23, 2012
Current U.S. Class: 713/151
Current CPC Class: G06F 21/602 20130101; H04L 63/045 20130101;
H04L 2209/42 20130101; H04L 2209/50 20130101; H04L 63/062 20130101;
H04L 9/3013 20130101
Class at Publication: 713/151
International Class: H04L 29/06 20060101 H04L029/06
Claims
1. A computer-implemented method for providing privacy in a
publish-subscribe protocol, comprising the steps of: transmitting,
from a server to a client, a public key; receiving, by the server
from the client, a pseudonym of an interest based on a division
malleable commitment method applied to the public key, wherein the
pseudonym of the interest functions as a commitment of the client;
encrypting, by the server, an item with a padded key and encrypting
the padded key; and transmitting, by the server to the client, the
encrypted item and a pseudonym of a topic associated with the item
based on a modification of the commitment by the server using a
hybrid conditional-oblivious transfer protocol.
2. The method of claim 1, wherein when the interest of the client
equals the topic associated with the item, then the client is
configured to retrieve a correct padded key to decrypt the
encrypted data item.
3. The method of claim 1, wherein when the interest of the client
does not equal the topic associated with the item, the client is
configured to retrieve a random key that is unable to decrypt the
encrypted data item.
4. The method of claim 1, further comprising encrypting, by the
server to the client, the encrypted padded key based on a hybrid
conditional oblivious transfer sub-protocol.
5. The method of claim 4, wherein a predicate of the sub-protocol
is further based on an equality predicate.
6. The method of claim 4, wherein the sub-protocol is varied such
that the client publishes the interest pseudonym as a public key
that is accessible by the server.
7. The method of claim 6, wherein the sub-protocol is a distributed
protocol with n participants, where n is at least two, and wherein
the server and the client are two of the at least two
participants.
8. The method of claim 7, wherein, after the n participants publish
respective interest pseudonyms, a participant that is currently a
client becomes a publisher.
9. The method of claim 1, wherein the modification of the
commitment by the server is a commitment of the server to the
interest divided by the topic.
10. The method of claim 1, wherein the public key is the same for
all clients.
11. The method of claim 1, wherein transmitting the pseudonym of
the topic associated with the item based on a modification of the
commitment comprises transmitting a value based on a modification
of the public key and a modification of the commitment of the
server to the interest divided by the topic.
12. The method of claim 1, wherein receiving a pseudonym of an
interest based on the division malleable commitment method
comprises receiving an El-Gamal encryption of the interest.
13. The method of claim 1, further comprising, after transmitting
the public key, receiving the pseudonym, encrypting the item, and
transmitting the encrypted item: obtaining, by the server, a stored
symmetric key; encrypting the item with the padded key and
encrypting the padded key with the stored symmetric key; and
transmitting, by the server to the client, the item encrypted with
the padded key and the padded key encrypted with the stored
symmetric key.
14. The method of claim 1, further comprising, transmitting, by the
client to the server, an add interest or delete interest label.
15. The method of claim 1, wherein the transmitting a public key,
receiving a pseudonym of an interest, encrypting an item, and
transmitting the encrypted item is performed for each of a
plurality of clients when the server is in a push mode and for a
requesting client when the client is in a pull mode.
16. The method of claim 1, further comprising receiving, by the
server, the item with associated topics.
17. A non-transitory computer readable storage medium including
instructions that, when executed by a client, cause the client to:
receive, by a client from a server, a public key; transmit, by the
client to the server, a pseudonym of an interest based on the
division malleable commitment method applied to the public key; and
receive, by the client from the server, an encrypted item and a
pseudonym of a topic associated with the item based on a hybrid
conditional-oblivious transfer protocol, wherein when the interest
of the client equals the topic associated with the item, the client
retrieves a correct padded key to decrypt the encrypted data item
and wherein when the interest of the client does not equal the
topic associated with the item, the client retrieves a random key
that is unable to decrypt the encrypted data item.
18. The non-transitory computer readable storage medium of claim
17, wherein transmitting a pseudonym of an interest based on the
division malleable commitment method comprises transmitting to the
server an El-Gamal encryption of the interest.
19. A computer system, comprising: a memory; a processing device,
coupled to the memory, the processing device to: transmit, from a
server to a client, a public key; receive, by the server from the
client, a pseudonym of an interest based on the division malleable
commitment method applied to the public key, wherein the pseudonym
of the interest functions as a commitment of the client; encrypt,
by the server, an item with a padded key and encrypt the padded
key; and transmit, by the server to the client, the encrypted item
and a pseudonym of a topic associated with the item based on a
modification of the commitment by the server using a hybrid
conditional-oblivious transfer protocol.
20. The system of claim 19, wherein when the interest of the client
equals the topic associated with the item, then the client is
configured to retrieve a correct padded key to decrypt the
encrypted data item.
21. The system of claim 19, wherein when the interest of the client
does not equal the topic associated with the item, the client is
configured to retrieve a random key that is unable to decrypt the
encrypted data item.
22. The system of claim 19, further comprising encrypting, by the
server to the client, the encrypted padded key based on a hybrid
conditional oblivious transfer sub-protocol.
23. The system of claim 19, wherein a predicate of the sub-protocol
is further based on an equality predicate.
24. The system of claim 19, wherein the modification of the
commitment by the server is a commitment of the server to the
interest divided by the topic.
25. The system of claim 19, wherein transmitting the pseudonym of
the topic associated with the item based on a modification of the
commitment comprises transmitting a value based on a modification
of the public key and a modification of the commitment of the
server to the interest divided by the topic.
Description
CROSS-REFERENCE TO RELATED APPLICATIONS
[0001] This application claims the benefit of U.S. provisional
patent application No. 61/602,260 filed Feb. 23, 2012, the
disclosure of which is incorporated herein by reference in its
entirety.
FIELD OF THE INVENTION
[0002] The present invention relates to publish-subscribe
protocols. More particularly, the present invention relates to a
method and system for providing privacy in a publish-subscribe
protocol.
BACKGROUND OF THE INVENTION
[0003] Publish-subscribe protocols have been employed for the
distribution of streaming data. A common publish-subscribe protocol
is an RSS (Rich Site Summary) feed. An RSS feed is a family of web
feed formats used to publish frequently updated works in a
standardized format. The data transmitted in an RSS feed may
include blog entries, news headlines, audio, and video. RSS feeds
or documents include full or summarized text, plus metadata such as
publishing dates and authorship. RSS feeds can be read using
software called an "RSS reader", "feed reader", or "aggregator",
which can be web-based, desktop-based, or mobile-device-based. The
user subscribes to a feed by entering into the reader a URI of the
feed or by clicking a feed icon in a web browser that initiates the
subscription process. The RSS reader checks the user's subscribed
feeds regularly for new work, downloads any updates that it finds,
and provides a user interface to monitor and read the feeds.
[0004] A user can subscribe to a topic, such as finance, and
receive in an email daily, weekly, or monthly messages only in
finance. The user receives RSS feeds only in areas (associated with
the topic) to which they subscribe. The user does not receive all
documents that are published by one particular publisher.
[0005] An RSS feed is a specific instance of the more general class
of publish-subscribe protocols which employ a publish-subscribe
architectural pattern. Publish-subscribe is a messaging pattern
where senders of messages, called publishers, do not program the
messages to be sent directly to specific receivers, called
subscribers. Instead, published messages are characterized into
classes, without knowledge of what, if any, subscribers there may
be. Similarly, subscribers express interest in one or more classes,
and only receive messages that are of interest, without knowledge
of what, if any, publishers there are.
[0006] More particularly, in a publish-subscribe architecture, a
subscriber can specify interests (cats, dogs, the stock market,
finance, education, etc.). A publisher may periodically publish items
(e.g. documents) that may include attached tags, known as topics.
These topics are included in a dictionary of topics. The dictionary
is shared with subscribers. The subscribers may find their
interests in the dictionary. A dictionary is a collection of all
topics that each item may or may not relate to, and is known to all
participants (e.g., subscribers and publishers). Interests are
elements from the dictionary associated with a subscriber. Topics
are elements from the dictionary associated with an item. Items may
be digital documents in any format. If one of the interests of the
subscriber is determined by the publisher to be equal to one of the
topics of the next item to be published by the server, then the
subscriber receives the item once it is published by the publisher.
If no interests match any topics in the dictionary of the
publisher, then the subscriber does not receive the item to be
published.
[0007] A problem often encountered in circumstances where
publish-subscribe protocols are employed is privacy
violations--e.g., privacy with respect to transmitted data and/or
the interests and/or identity of the subscribers. In the examples
below, the clients are not malicious and colluding but are
considered honest but curious.
[0008] For example, in a typical RSS feed, a subscriber reveals
their interests, e.g., finance, and the publisher may view the
interests; thus, the publisher may obtain some information about
the personal choices of the subscriber. As a result, the privacy of
the subscriber may be violated. Other instances of violations of
privacy are more sensitive. For example, from the government's
perspective, there may be sensitive databases that reveal sensitive
material and topics, e.g., an agency may publish documents. One
agency is interested in a certain document; another agency may be
interested in another document. In certain circumstances, without
privacy protections in place, an intruder in one agency may
determine the interests of another agency. In another example, one
or more subscribers are interested in the Facebook stock. As a
result, a publisher or an external intruder may learn that a number
of subscribers are suddenly interested in Facebook stock. Thus,
privacy is an important issue with respect to transmission of
documents employing publish-subscribe protocols.
[0009] While the types of clients described above may be honest but
curious, there are circumstances in which clients may be malicious
and colluding. For example, a malicious client may receive a
document and perform traffic analysis on another client's
communication with, for example, a third party to derive
information on whether the two share an interest. The malicious
client can build statistics on topics that other clients are
interested in and how many topics are being sent to a particular
client.
[0010] Currently deployed publish-subscribe methods and systems
target a very limited set of security or privacy requirements (if
any at all). For example, centralized architectures generally
employ a server that is trusted and that further protects against
outsiders and client misbehavior through authentication and
transport layer security (e.g., SSL/TLS; see Tim Dierks, Eric
Rescorla, "The Transport Layer Security (TLS) Protocol Version
1.2," Internet Engineering Task Force, Request for Comments 5246,
August 2008). Similarly, distributed implementations commonly
operate in the "fortress model" in which participants are trusted
and outsiders are not trusted (see Yair Amir, Cristina Nita-Rotaru,
Jonathan Stanton, Gene Tsudik, "Secure Spread: An Integrated
Architecture for Secure Group Communication," IEEE Transactions on
Dependable and Secure Computing (TDSC), 2(3): 248-261, (2005)).
[0011] The work of Castro and Liskov (see Miguel Castro and Barbara
Liskov, "Practical Byzantine Fault Tolerance and Proactive
Recovery," ACM Trans. Comput. Syst., 20(4): 398-461 (2002)), even
as extended to perform well under attack as described in Yair Amir,
Brian Coan, Jonathan Kirsch, John Lane, "Byzantine Replication
Under Attack," In Proc. of the 38th IEEE International Conference
on Dependable Systems and Networks (DSN08), 2008: 197-206 and in
Allen Clement, Edmund Wong, Lorenzo Alvisi, Mike Dahlin, Mirco
Marchetti, "Making Byzantine Fault Tolerant Systems Tolerate
Byzantine Faults," In Proc. of the 6th USENIX Symposium on
Networked Systems Design and Implementation, 2009: 153-168,
provides functionality in the presence of compromised components,
but does not attempt to provide client privacy. A well-studied area
in cryptography research, known as Secure Multi-Party Computation
or Secure Function Evaluation (see Andrew Chi-Chih Yao, "Theory and
Applications of Trapdoor Functions (Extended Abstract)," In Proc.
of IEEE FOCS 1982: 80-91 and Oded Goldreich, Silvio Micali, Avi
Wigderson, "How to Play any Mental Game or A Completeness Theorem
for Protocols with Honest Majority," In Proc. of ACM STOC 1987:
218-229), addresses the general problem of two or more parties,
each with its own input, jointly and privately computing a function
over the inputs. This general approach provides more capability
than is needed to implement private publish-subscribe, and is thus
too expensive. Basic and well-studied problems in cryptography
research, addressing secure computation of specific functions,
include Private Information Retrieval (where a client is interested
in obtaining one out of a server's many strings without revealing
which one; see Benny Chor, Eyal Kushilevitz, Oded Goldreich, Madhu
Sudan, "Private Information Retrieval," In J. ACM 45(6): 965-981
(1998) and Eyal Kushilevitz, Rafail Ostrovsky, "Replication is NOT
Needed: SINGLE Database, Computationally-Private Information
Retrieval," In Proc. of IEEE FOCS 1997: 364-373), Oblivious
Transfer (where the server transfers the client's desired string
without learning which one and without revealing the other ones;
see Michael O. Rabin, "How to Exchange Secrets with Oblivious
Transfer," Technical Report TR-81, Aiken Computation Lab, Harvard
University, 1981), Private Set Intersection (where two parties each
hold a set of values and at the end of the protocol one of them can
compute the intersection of the two sets; see, e.g., Michael J.
Freedman, Kobbi Nissim, Benny Pinkas, "Efficient Private Matching
and Set Intersection," In Proc. of EUROCRYPT 2004: 1-19), and
Conditional Oblivious Transfer (hereinafter "COT"; a variant of
oblivious transfer in which a message is sent from a sender to a
receiver if and only if a predicate over the two parties' inputs is
true, and the sender does not learn the predicate value; see
Giovanni Di Crescenzo, Rafail Ostrovsky, Sivaramakrishnan
Rajagopalan, "Conditional Oblivious Transfer and Timed-Release
Encryption," In Proc. of EUROCRYPT 1999: 74-89).
[0012] Other security and cryptography research has directly
considered the problem of designing secure and/or private
publish-subscribe protocols. This research has fallen short by
having either a different participant model (i.e., one which
typically considers publishers as active participants, or entirely
distributed models with no servers or third parties), a different
set of capabilities and functionalities (i.e., one which typically
ignores protocol dynamics such as subscription updates, or only
targets sophisticated filtering rules for content publication), or
a different set of security and/or privacy requirements (i.e., one
which often requires privacy against intermediate routing nodes or
privacy only against the server, or which targets more demanding
requirements that ultimately result in inefficient
protocols).
[0013] The work described in Costin Raiciu, David S. Rosenblum,
"Enabling Confidentiality in Content-Based Publish/Subscribe
Infrastructures," In Proc. of SecureComm 2006: 1-11 (based on ideas
on searchable encryption from Dawn Song, David Wagner, and Adrian
Perrig, "Practical Techniques for Searches on Encrypted Data," In
Proc. of the IEEE Symposium on Security and Privacy, 2000),
provides a very efficient publish-subscribe protocol in a
restricted participant model (a 1-server, 1-client model), but
which only supports privacy against a server and not against
clients and does not support subscription updates by clients and
related privacy requirements.
[0014] Further, there are circumstances in which both the clients
and the server may be malicious (e.g., they may arbitrarily deviate
from their protocol) and colluding (i.e., some clients can collude
among themselves, or with the server) in their attempt to violate
privacy requirements.
[0015] Accordingly, what would be desirable, but has not yet been
provided, is a method and system for providing security and privacy
guarantees in a publish-subscribe protocol in the presence of
malicious and colluding servers and clients.
SUMMARY OF THE INVENTION
[0016] The above-described problems are addressed and a technical
solution is achieved in the art by providing a method for providing
security and privacy guarantees in a publish-subscribe protocol in
the presence of malicious and colluding participants. In an
embodiment, a server transmits to a client a public key. The server
receives from the client a pseudonym of an interest based on a
division malleable commitment method applied to the public key,
wherein the pseudonym of the interest functions as a commitment of
the client. The server encrypts an item with a padded key and
encrypts the padded key. The server transmits to the client the
encrypted item and a pseudonym of a topic associated with the item
based on a modification of the commitment by the server using a
hybrid conditional-oblivious transfer protocol. When the interest
of the client equals the topic associated with the item, the client
retrieves a correct padded key to decrypt the encrypted data item;
otherwise the client retrieves a random key that is unable to
decrypt the encrypted data item.
[0017] In an embodiment, the received pseudonym of an interest
based on the division malleable commitment method may be an
El-Gamal encryption of the interest. The interest pseudonym may be
employed by the server to encrypt, during the publish phase, a
padded key based on a hybrid conditional oblivious transfer
sub-protocol. A predicate of the sub-protocol may be further based
on an equality predicate. In an embodiment, the sub-protocol may be
varied such that the client publishes the interest pseudonym as a
public key that is accessible by the server. This implies that the
sub-protocol may be a distributed protocol with n participants,
where n is at least two, and wherein the server and the client are
two of the at least two participants. In an embodiment, after the n
participants publish respective interest pseudonyms, a participant
that is currently a client may become a publisher.
[0018] In an embodiment, the server may receive from the client an
add interest or delete interest label. In an embodiment, the server
may receive an item with associated topics.
[0019] In an embodiment, the server may encrypt an item with a
padded key and encrypt the padded key. In an embodiment, the
server may encrypt the item with the padded key and encrypt the
padded key with a stored symmetric key. The server may transmit
to the client the item encrypted with the padded key and the padded
key encrypted with the stored symmetric key.
[0020] In an embodiment, the server may obtain a stored symmetric
key. The server transmitting a public key, receiving a pseudonym of
an interest, encrypting an item, and transmitting the encrypted
item may be performed for each of a plurality of clients when the
server is in a push mode and for a requesting client when the
client is in a pull mode.
[0021] In an embodiment, the modification of the commitment by the
server may be considered a commitment of the server to the interest
divided by the topic. The server transmitting the pseudonym of the
topic associated with the item based on a modification of the
commitment may comprise transmitting a value based on a
modification of the public key and a modification of the commitment
of the server to the interest divided by the topic.
BRIEF DESCRIPTION OF THE DRAWINGS
[0022] The present invention may be more readily understood from
the detailed description of an exemplary embodiment presented below
considered in conjunction with the attached drawings and in which
like reference numerals refer to similar elements and in which:
[0023] FIG. 1 is a block diagram of a system in which embodiments
of the present disclosure may operate;
[0024] FIG. 2 is a block diagram of a software architecture in
which embodiments of the present disclosure may operate;
[0025] FIG. 3 is a message sequence diagram illustrating messages
exchanged between a client and a server for implementing one
embodiment of a publish-subscribe protocol with privacy;
[0026] FIG. 4 is a process flow diagram illustrating one
embodiment of a method for providing privacy in a publish-subscribe
protocol from the point of view of the server;
[0027] FIG. 5 is a process flow diagram illustrating one
embodiment of a method for providing privacy in a publish-subscribe
protocol from the point of view of a client; and
[0028] FIG. 6 illustrates a diagrammatic representation of a
machine in the example form of a computer system within which a set
of instructions, for causing the machine to perform any one or more
of the methodologies discussed herein, may be executed.
[0029] It is to be understood that the attached drawings are for
purposes of illustrating the concepts of the invention and may not
be to scale.
DETAILED DESCRIPTION OF THE INVENTION
[0030] The present invention relates to a method and system for
providing security and privacy guarantees in a publish-subscribe
protocol in the presence of malicious and colluding servers and
clients.
[0031] In the following description, numerous details are set
forth. It will be apparent, however, to one skilled in the art,
that the present invention may be practiced without these specific
details. In some instances, well-known structures and devices are
shown in block diagram form, rather than in detail, in order to
avoid obscuring the present invention.
[0032] FIG. 1 is a block diagram of a system 100 in which
embodiments of the present disclosure may operate. The system 100
realizes a publish-subscribe protocol with privacy based on the
following basic definitions about data, participants, and
communication capabilities between the participants. As used
herein, items are digital documents in any format to be published.
A dictionary is a collection of all topics that each item may or
may not relate to, and is known to all participants (e.g., all
128-character strings). Interests are elements from the dictionary
associated with a client. Topics are elements from the dictionary
associated with an item to be published.
[0033] Returning to FIG. 1, the system 100 includes a server 102
configured to process submitted items (and associated topics) and
interests of one or more clients 104a-104n to realize the
publish-subscribe functionality. In an embodiment, the server 102
functions as a publisher. The one or more clients 104a-104n are
configured to submit and update subscriptions based on their
interests and configured to receive items that match their current
interests. In an embodiment, the clients 104a-104n function as
subscribers. The server 102 and the clients 104a-104n may be
interconnected by a network 106 (e.g., the Internet). In one
example, the network 106 may be assumed to encounter no packet loss
or temporarily disconnected participants 102, 104a-104n.
[0034] In one embodiment, the system 100 is configured to implement
a publish-subscribe protocol by employing phases of operation
comprising setup, subscription, publication, and optionally, item
deletion. During the setup phase, the server 102 and the clients
104a-104n may exchange messages to initialize their data structures
and/or cryptographic keys. During the subscription phase, the
clients 104a-104n may update (add/delete) their interests with the
server 102. During the publication phase, after receiving a new
item (e.g., a data item) and associated topics, the server 102 may
distribute the item to the clients 104a-104n based on the topics of
the item and the interests of the clients 104a-104n. Publication
protocols may follow at least one of two modes: push mode and/or
pull mode. In push mode, after an item is submitted, the item is
processed by the server 102 and transmitted to one or more of the
clients 104a-104n. In pull mode, at any given time, a client (e.g.,
104a) may query the server 102 for any (not previously retrieved)
item whose topics match the interests of the client (e.g., 104a).
In the item delete phase, the server 102 may delete items (e.g.,
for storage efficiency purposes).
[0035] A person skilled in the art would appreciate that the (data)
item input to the server 102 may originate from any number and
types of sources. For example, the (data) item may originate from
the publisher/server 102. In another example, the publisher may
receive the next data item from any other party that asks the
publisher to publish a data item. In another example, the publisher
may receive the next (data) item from an independent information
source.
[0036] FIG. 2 is a block diagram of a software architecture 200 in
which embodiments of the present disclosure may operate. Referring
now to FIGS. 1 and 2, each of the server 102 and the clients
104a-104n is configured to implement corresponding processing logic
202, 204, each of which implements corresponding encryption logic
206, 208 for implementing a "hybrid encryption" method described
hereinbelow.
[0037] To avoid malicious and colluding behavior on the part of the
server 102 and the clients 104a-104n, no secret key is shared among
the clients 104a-104n; otherwise, collusion between clients
104a-104n and the server 102 may reveal the secret key to the
server 102, thus rendering the key no longer secret. In an
embodiment, asymmetric cryptographic primitives may be employed. To
minimize potential degradation in efficiency relative to employing
symmetric keys, in an embodiment, the asymmetric cryptographic
primitives may be employed using a "hybrid encryption" method (see
e.g., Yvo Desmedt, Rosario Gennaro, Kaoru Kurosawa, Victor Shoup,
"A New and Improved Paradigm for Hybrid Encryption Secure Against
Chosen-Ciphertext Attack," J. Cryptology 23(2): 91-120 (2010)),
where an asymmetric encryption method may be employed only once per
communication session to establish a key for a symmetric encryption
scheme used thereafter.
[0038] Specifically, a "hybrid conditional oblivious transfer"
protocol may be employed where the predicate condition of COT is
equality between a pseudonym of a topic of an item and a pseudonym
of an interest of a client, and where the first of such
transfers for a pair (i.e., item topic, client interest) is
performed using asymmetric primitives and all subsequent transfers
for the same pair re-use the symmetric key established during the
first transfer, using memoization. In one embodiment, a hybrid COT
may be employed for the matching predicate by running in parallel a
hybrid COT for the equality predicate for each pair (item topic,
client interest). In one embodiment, the hybrid COT for the
equality predicate may employ (1) for a symmetric encryption
protocol portion, the COT employed in co-pending, commonly-owned,
U.S. patent application Ser. No. ______, entitled,
"PRIVACY-PRESERVING PUBLISH-SUBSCRIBE PROTOCOL IN A CLOUD-ASSISTED
BROADCAST MODEL", Attorney Docket No. 26534.11, and (2) for an
asymmetric encryption protocol portion, a division-malleable
commitment scheme employing, for example, El-Gamal encryption as
described in Taher ElGamal, "A Public-Key Cryptosystem and a
Signature Scheme Based on Discrete Logarithms," IEEE Transactions
on Information Theory 31(4): 469-472, 1985 (hereinafter "El-Gamal")
and an optimized variant of an oblivious transfer protocol as
described in Moni Naor, Benny Pinkas, "Efficient Oblivious Transfer
Protocols," In SODA 2001: 448-457 (hereinafter "Naor").
[0039] FIG. 3 is a message sequence diagram 300 illustrating
messages exchanged between a client (e.g., 104a) and the server 102
for implementing one embodiment of a publish-subscribe protocol
with privacy. For simplicity, one interest and one topic are
assumed. Since privacy against malicious clients is desired,
communication between all participants is secured using methods for
encryption, authentication and time-stamping that achieve the
needed security properties without incurring the full cost of
SSL/TLS (Secure Sockets Layer/Transport Layer Security).
[0040] During a setup phase 302, in one embodiment, the client
(e.g., 104a) may obtain from the server 102 a public key needed for
a computation of a division-malleable commitment method (e.g.,
El-Gamal). This key is the same for all clients 104a-104n and is
computed as a triple (p, q, g), where p, q are primes such that
p=2q+1 and g is a generator of the subgroup of Z_p of order q. The
client (e.g., 104a) only accepts this key if it verifies that p, q
are primes such that p=2q+1 and g is a generator of the subgroup of
Z_p of order q. The
[0041] During a subscription phase 304, for a client (e.g., 104a)
to add an interest to a current subscription, the client 104a
obtains a pseudonym, ip, for an interest x to be added by computing
an integer h=g^w mod p and an El-Gamal encryption (u, v)=(g^r mod p,
h^r x mod p), for random r, w in Z_q. The client (e.g., 104a)
transmits the interest pseudonym triple ip=(h, u, v) to the server
102. This can be viewed as a division-malleable commitment, in that
by dividing the third value, h^r x mod p, by some integer y in Z_p,
one obtains a commitment to x/y mod p. This triple may be
transmitted by the client (e.g., 104a) to the server 102 with an
"add" label. When this protocol is employed to delete an interest
from the current subscription, the client (e.g., 104a) retrieves
from its storage the previously used triple and transmits the triple
to the server 102 with a "delete" label. The server 102 adds/deletes
the interest to/from the current subscription of the client (e.g.,
104a).
[0042] During a publish phase 306, in an embodiment, the server 102
may run an equality-based-COT protocol with a client (e.g., 104a)
requesting a pull or for each of the clients 104a-104n in push
mode. For each topic pseudonym tp and each interest pseudonym ip,
the server 102 and the client (e.g., 104a) may run a hybrid COT
sub-protocol to transmit an encrypted item's decryption key based
on the equality predicate "tp=ip".
[0043] In an embodiment, the sub-protocol may be implemented as
follows:
[0044] (a) If the sub-protocol was previously executed, then the
server 102 obtains an associated stored symmetric key skey and
transmits to the client c and z such that c=E_skey(k|pad) and
z=E_k(item).
[0045] (b) Otherwise, the server 102 transmits a single message to
the client (e.g., 104a), computed as follows: for each item's topic
y, the server 102 modifies a commitment (h, u, v) of the client
(e.g., 104a) to interest x so that it becomes a commitment (h, u,
v/y) to x/y; then, the server 102 computes two values (d,
e)=(g^a u^b mod p, h^a (v/y)^b k mod p) where k is
the (padded) key used to encrypt the item and a, b are randomly
chosen from Z_q, and transmits the two values (d, e) to the
client (e.g., 104a).
[0046] (c) The client checks if e/d^w mod p is a padded key k;
if so, it uses k to decrypt the encrypted item z. Padding may be
added to messages from the server 102 to all of the clients
104a-104n to avoid traffic analysis that may reveal the number of a
client's interests to other malicious clients.
[0047] More particularly, when (1) a client's interest x equals the
data item's topic y, the client (e.g., 104a) retrieves the correct
key k to decrypt the encrypted data item. When (2) the client's
interest x is different from the data item's topic y, the client
(e.g., 104b)
retrieves some key k', but this key is random and thus very
different from the key k that may be employed to decrypt the
encrypted data item.
[0048] To see that both properties hold, observe that the client's
computation e/d^w mod p in Publish, step (c), may be written as
(ignoring mod p for simplicity):

e / d^w = e * d^{-w}
        = (h^a * (v/y)^b * k) * (g^a * u^b)^{-w}
        = (h^a * (h^r * (x/y))^b * k) * (g^a * g^{rb})^{-w}
        = g^{aw} * (g^{rw} * (x/y))^b * k * g^{-aw} * g^{-wrb}
        = (x/y)^b * k
where the first and last equality follow from algebraic
simplifications, the second equality follows from the expression of
e and d (as in step (b)), the third equality follows from the
expression of u and v (as in Subscribe), and the fourth equality
follows from the expression of h (as in Subscribe).
[0049] Now, to see that property (1) is true, when x=y, e/d^w =
1^b * k = k (i.e., the key k that encrypts the data item). Finally,
to see that property (2) is true, when x is different from y, then
e/d^w = k', for some random k' (since b is random).
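The setup check, the subscribe-phase commitment and the publish-phase COT steps (b) and (c) of FIG. 3, worked through as an added example; this is not the applicant's code nor that of the El-Gamal or Naor papers. The group size, the hash-and-square mapping of interest and topic strings into the order-q subgroup, the 16-bit pad pattern used to recognize a padded key, and the SHA-256 keystream standing in for E_k are all assumptions made here, and the memoized symmetric path of step (a) is omitted.

```python
import hashlib
import secrets

PAD, PAD_BITS, KEY_BITS = 0xA5A5, 16, 16   # constructed pad pattern and toy key width


def is_prime(n):
    """Miller-Rabin with fixed bases; deterministic for n < 3.3e24."""
    if n < 2:
        return False
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    for b in bases:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def setup(bits=40):
    """Server: first safe prime p = 2q+1 above 2^(bits-1); g = 4 (a square) has order q."""
    q = (1 << (bits - 1)) | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q, 4


def client_accepts_key(p, q, g):
    """Setup-phase check by the client: p, q prime, p = 2q+1, and g of order exactly q."""
    return is_prime(p) and is_prime(q) and p == 2 * q + 1 and 1 < g < p and pow(g, q, p) == 1


def to_group(label, p):
    """Assumed mapping of an interest/topic string into the order-q subgroup (hash, then square)."""
    h = int.from_bytes(hashlib.sha256(label.encode()).digest(), "big") % (p - 3) + 2
    return pow(h, 2, p)


def subscribe(p, q, g, interest):
    """Client: ip = (h, u, v) with h = g^w, (u, v) = (g^r, h^r * x); w stays secret."""
    x = to_group(interest, p)
    w, r = secrets.randbelow(q - 1) + 1, secrets.randbelow(q - 1) + 1
    h = pow(g, w, p)
    return w, (h, pow(g, r, p), pow(h, r, p) * x % p)


def keystream(key, n):
    """Stand-in for E_k: SHA-256 counter-mode keystream (not the page's cipher)."""
    blocks = (hashlib.sha256(key.to_bytes(4, "big") + i.to_bytes(4, "big")).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]


def sym_xor(key, data):
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def publish(p, q, g, ip, topic, item):
    """Server, step (b): turn (h, u, v) into a commitment to x/y, then send (d, e) carrying k."""
    h, u, v = ip
    y = to_group(topic, p)
    v_over_y = v * pow(y, -1, p) % p             # commitment (h, u, v/y) to x/y
    key = secrets.randbits(KEY_BITS)
    k = (key << PAD_BITS) | PAD                  # padded key; fits below p for bits >= 34
    a, b = secrets.randbelow(q - 1) + 1, secrets.randbelow(q - 1) + 1
    d = pow(g, a, p) * pow(u, b, p) % p
    e = pow(h, a, p) * pow(v_over_y, b, p) * k % p
    return (d, e), sym_xor(key, item)


def receive(p, w, d, e, z):
    """Client, step (c): k' = e / d^w = (x/y)^b * k; decrypt only if k' carries the pad."""
    k_prime = e * pow(pow(d, w, p), -1, p) % p
    if k_prime & ((1 << PAD_BITS) - 1) != PAD or (k_prime >> PAD_BITS) >= (1 << KEY_BITS):
        return None                              # x != y: k' is random, item stays sealed
    return sym_xor(k_prime >> PAD_BITS, z)


def run(interest, topic, item=b"constructed item payload"):
    """One interest, one topic, one item (as in FIG. 3); returns the plaintext or None."""
    p, q, g = setup()
    if not client_accepts_key(p, q, g):
        raise ValueError("client rejects public key")
    w, ip = subscribe(p, q, g, interest)
    (d, e), z = publish(p, q, g, ip, topic, item)
    return receive(p, w, d, e, z)
```

The server never learns from (d, e) whether the client could open them, and a client whose interest differs from the topic gets only a random k' that fails the pad check.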
[0050] In an embodiment, the subscribe sub-protocol may be varied
such that a client (e.g., 104a) may publish an interest pseudonym
as a public key that is accessible by the server 102. This implies
that in a distributed protocol with n participants, after the n
participants publish their interest pseudonyms, any party can later
act as a publisher.
[0051] FIG. 4 is a process flow diagram illustrating one
embodiment of a method 400 for providing privacy in a
publish-subscribe protocol from the point of view of the server
102. Method 400 may be performed by the processing logic 202 of the
server 102 (e.g., in computer system 600 of FIG. 6) that may
comprise hardware (e.g., circuitry, dedicated logic, programmable
logic, microcode, etc.), software (such as instructions run on a
processing device), firmware, or a combination thereof. In one
embodiment, method 400 is performed by the encryption logic 206 of
the processing logic 202 of the server 102 of FIG. 2.
[0052] In one embodiment, method 400 begins when, during a setup
phase 302, at block 405, the server 102 transmits to a client (e.g.
104a) a public key. The public key may be the same key for all
clients 104a-104n.
[0053] During the subscribe phase 304, at block 410, the server 102
receives from the client (e.g., 104a) a pseudonym of an interest
based on a division malleable commitment method applied to the
public key, wherein the interest pseudonym functions as a
commitment of the client. The received pseudonym of an interest
based on the division malleable commitment method may be an
El-Gamal encryption of the interest. The public key may be computed
by the server 102 as a triple (p, q, g), where p, q are primes such
that p=2q+1 and g is a generator of the subgroup of Z_p of order q.
The client (e.g., 104a) may be configured to accept the public key
when the client verifies that p, q are primes such that p=2q+1 and
g is a generator of the subgroup of Z_p of order q. The
pseudonym of the interest may be an interest pseudonym triple
ip=(h, u, v) created by the client by computing an integer
h=g^w mod p and the El-Gamal encryption (u, v)=(g^r mod p,
h^r x mod p), for random r, w in Z_q. The
interest pseudonym may be employed by the server 102 to encrypt,
during the publish phase a padded key based on a hybrid conditional
oblivious transfer sub-protocol. A predicate of the sub-protocol
may be further based on an equality predicate. In an embodiment,
the sub-protocol may be varied such that the client (e.g., 104a)
publishes the interest pseudonym as a public key that is accessible
by the server 102. This implies that the sub-protocol may be a
distributed protocol with n participants, where n is at least two,
and wherein the server 102 and the client (e.g., 104a) are two of
the at least two participants. In an embodiment, after the n
participants publish respective interest pseudonyms, a participant
that is currently a client may become a publisher.
[0054] In an embodiment, the server 102 may receive from the client
(e.g., 104a) an add interest or delete interest label.
[0055] During the publish phase 306, the server 102 receives an
item with associated topics. At block 415, the server 102 encrypts
an item with a padded key and encrypts the padded key. More
particularly, the server 102 encrypts the item with the padded key
and encrypts the padded key with the stored symmetric key. The
server 102 transmits to the client (e.g., 104a) the item encrypted
with the padded key and the padded key encrypted with the stored
symmetric key.
[0056] At block 420, the server 102 transmits to the client (e.g.,
104a) the encrypted item and a pseudonym of a topic associated with
the item based on a modification of the commitment by the server
102 using a hybrid conditional-oblivious transfer protocol. In an
embodiment, the server 102 obtains a stored symmetric key. The
steps of the server 102 transmitting a public key, receiving a
pseudonym of an interest, encrypting an item, and transmitting the
encrypted item are performed for each of a plurality of clients
104a-104n when the server 102 is in a push mode and for a
requesting client (e.g., 104a) when the client (e.g., 104a) is in a
pull mode.
[0057] In an embodiment, the modification of the commitment by the
server 102 may be considered a commitment of the server 102 to the
interest divided by the topic. The server 102 transmitting the
pseudonym of the topic associated with the item based on a
modification of the commitment may comprise transmitting a value
based on a modification of the public key and a modification of the
commitment of the server 102 to the interest divided by the topic.
More particularly, the value based on a modification of the public
key and the modification of the commitment of the server 102 to the
interest divided by the topic may be based on computing two values
(d, e)=(g^a u^b mod p, h^a (v/y)^b k mod p) where k
is the padded key used to encrypt the item and a, b are randomly
chosen from Z_q.
[0058] In an embodiment, when the interest of the client (e.g.,
104a) equals the topic associated with the item, then the client
(e.g., 104a) is configured to retrieve a correct padded key to
decrypt the encrypted item. When the interest of the client (e.g.,
104a) does not equal the topic associated with the item, the client
(e.g., 104a) is configured to retrieve a random key that is unable
to decrypt the encrypted item. More particularly, the client (e.g.,
104a) is configured to determine if e/d^w mod p is a padded key
k and, if so, employs k to decrypt the encrypted item z.
[0059] FIG. 5 is a process flow diagram illustrating one
embodiment of a method 500 for providing privacy in a
publish-subscribe protocol from the point of view of a client (e.g.
104a). Method 500 may be performed by the processing logic 204 of
the client 104a (e.g., in computer system 600 of FIG. 6) that may
comprise hardware (e.g., circuitry, dedicated logic, programmable
logic, microcode, etc.), software (such as instructions run on a
processing device), firmware, or a combination thereof. In one
embodiment, method 500 is performed by the encryption logic 208 of
the processing logic 204 of the client 104a of FIG. 2.
[0060] In one embodiment, method 500 begins when, during a setup
phase 302, at block 505, the client (e.g., 104a) receives from the
server 102 a public key. The client (e.g., 104a) may accept the
public key when the client (e.g., 104a) verifies that p, q are
primes such that p=2q+1 and g is a generator of the subgroup of
Z_p of order q.
[0061] At block 510, the client (e.g., 104a) transmits a pseudonym
of an interest based on the division malleable commitment method
applied to the public key. Computing the pseudonym of the interest
based on the division malleable commitment method may comprise
transmitting to the server 102 an El-Gamal encryption of the
interest. More particularly, the pseudonym of the interest may be
an interest pseudonym triple ip=(h, u, v) created by the client by
computing an integer h=g^w mod p and the El-Gamal encryption
(u, v)=(g^r mod p, h^r x mod p), for random r, w in Z_q. The
public key may be computed as a triple (p, q, g), where p, q are
primes such that p=2q+1 and g is a generator of the subgroup of
Z_p of order q.
[0062] At block 515, the client (e.g., 104a) receives from the
server 102 an encrypted item and a pseudonym of a topic associated
with the item based on a hybrid conditional-oblivious transfer
protocol. More particularly, the pseudonym of a topic may be based
on two values (d, e)=(g^a u^b mod p, h^a (v/y)^b k
mod p) where k is the padded key used to encrypt the item and a, b
are randomly chosen from Z_q. At block 520, the
client (e.g., 104a) determines whether the interest of the client
(e.g., 104a) equals the topic associated with the item. When the
interest of the client (e.g., 104a) equals the topic associated
with the item, at block 525, the client (e.g., 104a) retrieves a
correct padded key to decrypt the encrypted data item. When the
interest of the client (e.g., 104a) does not equal the topic
associated with the item, at block 530, the client (e.g., 104a)
retrieves a random key that is unable to decrypt the encrypted data
item. More particularly, the client (e.g., 104a) is configured to
determine if e/d^w mod p is a padded key k and, if so, employs
k to decrypt the encrypted item z.
[0063] Embodiments of the present disclosure have many advantages
over prior art publish-subscribe privacy protection methods. The
server 102 can store interests (subscriptions) of many clients
104a-104n, add and delete subscriptions dynamically with no need to
reprocess all items, and periodically delete items to reclaim space
without any participant learning the identity or content of deleted
items after they have been deleted. When the server 102 processes
an item with a topic that the subscriber had subscribed to, in each
COT for the equality predicate, it holds that x=y. Then, by the
properties of COT, the client (e.g., 104a) recovers a padded key k
to decrypt the encrypted item.
[0064] Even a malicious server colluding with some clients learns
no information about interests of any other client, since the
interests are transmitted in committed form by the client (e.g.,
104a), where the commitment is based on a public key (p, q, g)
transmitted by the server 102 and verified to be correct by the
client (e.g., 104a). Malicious and colluding clients, even if
colluding with a server, do not learn any information about other
clients' subscriptions, since the distribution of the communication
exchanged between the clients 104a-104n and the server 102 reveals
no information to the clients 104a-104n. This is the case even when
performing eavesdropping (since communication is secured using
SSL/TLS or similar methods), or traffic analysis (message length is
the same regardless of the client subscription, assuming padding
techniques are employed to mask the number of client
interests).
[0065] As a consequence of the properties of COT (specifically,
that when predicate is false, the message transferred through the
COT will not be successfully decrypted by a client (e.g., 104a)),
no information about the key k encrypting an unpublished item is
revealed to any participants having no interest in this item during
the publication protocol. This follows from the analogous oblivious
transfer property of the Naor scheme that is used. As a further
consequence of the properties of COT (specifically, the server 102
does not realize whether the message transferred through the COT is
successfully decrypted by a client (e.g., 104a)), the server 102
does not learn whether any individual item was published or not.
Again, this follows from the analogous oblivious transfer property
of the Naor scheme that is used.
[0066] Publishing each item in the pull mode requires, for the
asymmetric cryptography portion, 4 modular exponentiations per
(topic, interest) pair, of which 3 can be performed off-line and 1
has to be performed on-line; and for the symmetric cryptography
portion, 4 block cipher applications per pair (item topic, client
interest). In the push mode, these numbers are multiplied by the
number of clients 104a-104n. Publication also requires 1 item
encryption by the server 102, and 1 item decryption by each
interested client 104a-104n.
[0067] FIG. 6 illustrates a diagrammatic representation of a
machine in the exemplary form of a computer system 600 within which
a set of instructions, for causing the machine to perform any one
or more of the methodologies discussed herein, may be executed. In
alternative embodiments, the machine may be connected (e.g.,
networked) to other machines in a local area network (LAN), an
intranet, an extranet, or the Internet. The machine may operate in
the capacity of a server or a client machine in a client-server
network environment, or as a peer machine in a peer-to-peer (or
distributed) network environment. The machine may be a personal
computer (PC), a tablet PC, a set-top box (STB), a personal digital
assistant (PDA), a cellular telephone, a web appliance, a server, a
network router, switch or bridge, or any machine capable of
executing a set of instructions (sequential or otherwise) that
specify actions to be taken by that machine. Further, while only a
single machine is illustrated, the term "machine" shall also be
taken to include any collection of machines that individually or
jointly execute a set (or multiple sets) of instructions to perform
any one or more of the methodologies discussed herein.
[0068] The exemplary computer system 600 includes a processing
device 602, a main memory 604 (e.g., read-only memory (ROM), flash
memory, dynamic random access memory (DRAM) (such as synchronous
DRAM (SDRAM) or Rambus DRAM (RDRAM), etc.), a static memory 606
(e.g., flash memory, static random access memory (SRAM), etc.), and
a data storage device 618, which communicate with each other via a
bus 630.
[0069] Processing device 602 represents one or more general-purpose
processing devices such as a microprocessor, central processing
unit, or the like. More particularly, the processing device may be
complex instruction set computing (CISC) microprocessor, reduced
instruction set computer (RISC) microprocessor, very long
instruction word (VLIW) microprocessor, or processor implementing
other instruction sets, or processors implementing a combination of
instruction sets. Processing device 602 may also be one or more
special-purpose processing devices such as an application specific
integrated circuit (ASIC), a field programmable gate array (FPGA),
a digital signal processor (DSP), network processor, or the like.
Processing device 602 is configured to execute processing logic
202, 204 for performing the operations and steps discussed
herein.
[0070] Computer system 600 may further include a network interface
device 608. Computer system 600 also may include a video display
unit 610 (e.g., a liquid crystal display (LCD) or a cathode ray
tube (CRT)), an alphanumeric input device 612 (e.g., a keyboard), a
cursor control device 614 (e.g., a mouse), and a signal generation
device 616 (e.g., a speaker).
[0071] Data storage device 618 may include a machine-readable
storage medium (or more specifically a computer-readable storage
medium) 620 having one or more sets of instructions (i.e., the
processing logic 202, 204) embodying any one or more of the
methodologies of functions described herein. The processing logic
202, 204 may also reside, completely or at least partially, within
main memory 604 and/or within processing device 602 during
execution thereof by computer system 600; main memory 604 and
processing device 602 also constituting machine-readable storage
media. The processing logic 202, 204 may further be transmitted or
received over a network 626 via network interface device 608.
[0072] Machine-readable storage medium 620 may also be used to
store processing logic 202, 204 persistently. While
machine-readable storage medium 620 is shown in an exemplary
embodiment to be a single medium, the term "machine-readable
storage medium" should be taken to include a single medium or
multiple media (e.g., a centralized or distributed database, and/or
associated caches and servers) that store the one or more sets of
instructions. The term "machine-readable storage medium" shall also
be taken to include any medium that is capable of storing or
encoding a set of instructions for execution by the machine and that
causes the machine to perform any one or more of the methodologies
of the present invention. The term "machine-readable storage
medium" shall accordingly be taken to include, but not be limited
to, solid-state memories, and optical and magnetic media.
[0073] The components and other features described herein can be
implemented as discrete hardware components or integrated in the
functionality of hardware components such as ASICs, FPGAs, DSPs or
similar devices. In addition, these components can be implemented
as firmware or functional circuitry within hardware devices.
Further, these components can be implemented in any combination of
hardware devices and software components.
[0074] Some portions of the detailed descriptions are presented in
terms of algorithms and symbolic representations of operations on
data bits within a computer memory. These algorithmic descriptions
and representations are the means used by those skilled in the data
processing arts to most effectively convey the substance of their
work to others skilled in the art. An algorithm is here, and
generally, conceived to be a self-consistent sequence of steps
leading to a desired result. The steps are those requiring physical
manipulations of physical quantities. Usually, though not
necessarily, these quantities take the form of electrical or
magnetic signals capable of being stored, transferred, combined,
compared, and otherwise manipulated. It has proven convenient at
times, principally for reasons of common usage, to refer to these
signals as bits, values, elements, symbols, characters, terms,
numbers, or the like.
[0075] It should be borne in mind, however, that all of these and
similar terms are to be associated with the appropriate physical
quantities and are merely convenient labels applied to these
quantities. Unless specifically stated otherwise, as apparent from
the above discussion, it is appreciated that throughout the
description, discussions utilizing terms such as "enabling",
"transmitting", "requesting", "identifying", "querying",
"retrieving", "forwarding", "determining", "passing", "processing",
"disabling", or the like, refer to the action and processes of a
computer system, or similar electronic computing device, that
manipulates and transforms data represented as physical
(electronic) quantities within the computer system's registers and
memories into other data similarly represented as physical
quantities within the computer system memories or registers or
other such information storage, transmission or display
devices.
[0076] Embodiments of the present invention also relate to an
apparatus for performing the operations herein. This apparatus may
be specially constructed for the required purposes or it may
comprise a general purpose computer selectively activated or
reconfigured by a computer program stored in the computer. Such a
computer program may be stored in a computer readable storage
medium, such as, but not limited to, any type of disk including
floppy disks, optical disks, CD-ROMs and magnetic-optical disks,
read-only memories (ROMs), random access memories (RAMs), EPROMs,
EEPROMs, magnetic or optical cards, flash memory devices including
universal serial bus (USB) storage devices (e.g., USB key devices)
or any type of media suitable for storing electronic instructions,
each of which may be coupled to a computer system bus.
[0077] The algorithms and displays presented herein are not
inherently related to any particular computer or other apparatus.
Various general purpose systems may be used with programs in
accordance with the teachings herein or it may prove convenient to
construct more specialized apparatus to perform the required method
steps. The required structure for a variety of these systems will
be apparent from the description above. In addition, the present
invention is not described with reference to any particular
programming language. It will be appreciated that a variety of
programming languages may be used to implement the teachings of the
invention as described herein.
[0078] It is to be understood that the above description is
intended to be illustrative, and not restrictive. Many other
embodiments will be apparent to those of skill in the art upon
reading and understanding the above description. Although the
present invention has been described with reference to specific
exemplary embodiments, it will be recognized that the invention is
not limited to the embodiments described, but can be practiced with
modification and alteration within the spirit and scope of the
appended claims. Accordingly, the specification and drawings are to
be regarded in an illustrative sense rather than a restrictive
sense. The scope of the invention should, therefore, be determined
with reference to the appended claims, along with the full scope of
equivalents to which such claims are entitled.
* * * * *