procedure, in which customers fill out a form with their personal information and are granted a loyalty card, be it a physical card (magnetic stripe or smartcard) or a smartphone application. Although loyalty programs have become widespread, they are experiencing a loss of active participants and they have been criticized by business experts and consumer associations.
Criticism is mainly due to privacy issues, because it is not always clear whether the benefits offered by vendors in their loyalty programs are worth the loss of consumer privacy caused by profiling [78, 91, 1, 45].
Implicit authentication. Implicit authentication refers to a software system authenticating individuals based on the way they interact with their device, i.e. their behavior. In this context, the user’s behavior can be determined by collecting a variety of features, such as keystroke patterns, browser history and configuration, IP addresses, location, visible antennas, etc. Implicit authentication can be viewed as a complement of the usual explicit authentication based on identifiers and credentials.
Note that a common trait in these three application cases is that users need to prove something about themselves or their context without revealing more than what is strictly necessary. We believe these cases can be used as an example for other applications in which the goal is similar.
1.2 Contributions
Our contributions are protocols to solve the privacy, security and functionality conflict in the above three applications. Specifically:
1. In the group size accreditation case (motivated by applications involving group discounts), we contribute a mechanism, based on an identity-based dynamic-threshold (IBDT) signature scheme and a novel key management scheme, that allows participants to prove the number of members in a group without revealing the identities of group members. The IBDT signature scheme is a novel advanced signature scheme that combines the properties of identity-based signatures and threshold signatures. In identity-based signatures, the public keys are arbitrary strings; we leverage this property to introduce a novel parameterized key management scheme, in which the functionality of the scheme (the size of the groups that can be certified) and the level of anonymity are defined by two configurable parameters. In threshold signature schemes, a key dealer distributes key shares that, when combined in a specific way and in a specific quantity, produce signing keys that are valid for the system. The system is evaluated analytically and experimentally, namely in a high-occupancy vehicle application.
2. In the loyalty programs case, we contribute a mechanism, based on partially blind signatures and zero-knowledge proofs, that allows implementing loyalty programs, including loyalty points and customer profiling, and also allows customers to control the amount of sensitive information (from their purchase histories) they reveal. To that end, we entrust the management of loyalty points and purchase receipts to the customers themselves, who can generalize the purchase receipts before returning them to the vendor for more loyalty points (or not return them, at the cost of receiving fewer loyalty points). To ensure that loyalty points and purchase receipts are not altered by malicious participants, these are treated as electronic cash, but without a centralized authority. To prevent the vendors from linking loyalty points and purchase histories to specific customers, we introduce (untransferable) anonymous tokens with controlled linkability (by leveraging partially blind signatures and zero-knowledge proofs) and a generalization scheme for purchase receipts. The security of the scheme is formally evaluated and experimental results are provided. We finish this contribution by providing a feasibility study in physical stores.
3. In the implicit authentication case, we propose two schemes following the same principle of authenticating users based on their behavior without revealing the user profiles to the service provider. Both schemes are predicated on computing the distances between private feature sets. We show that these distances can be obtained from the size of the intersection of the feature sets, for sets of categorical independent values, categorical correlated values and numerical independent values. The computation of the size of the intersection of sets is carried out using secure multiparty computation (MPC) protocols. The first of our proposed implicit authentication schemes uses an MPC based on the homomorphic properties of the Paillier cryptosystem, and provides a robust solution for authentication. The second one is based on the intersection of Bloom filters. While the second proposal does not ensure as high a level of security as the first one (namely it does not provide semantic security), its lower computational complexity and the compact form of the protected user profiles make it suitable for everyday use (always as a second-factor authentication mechanism). We provide formal security analyses and experimental evaluation of the two proposed implicit authentication schemes.
The first and second contributions of this thesis (privacy-preserving group size accreditation and privacy-preserving loyalty programs) received partial support from a Google Faculty Award granted to Prof. Josep Domingo-Ferrer. The third contribution (privacy-preserving implicit authentication) is an offshoot of the research started in the EU FP7 project “InterTrust”.
Chapter 2
Background
In this Chapter we provide the background on cryptographic and non-cryptographic technologies that will be used as building blocks for our privacy-preserving constructions. The Chapter is organized as follows. Section 2.1 provides an overview of bilinear pairings and introduces some hardness assumptions that will be used in our group accreditation and loyalty programs constructions.
Sections 2.2 and 2.3 introduce, respectively, threshold and identity-based signatures. These kinds of signatures are the main building blocks of our novel IBDT signature scheme (described in Chapter 3) on which our group accreditation protocol is based. Section 2.4 introduces the concept of partially blind signatures, a generalization of blind signatures which eliminates the need for cut-and-choose protocols and that is the main building block of our loyalty programs construction (described in Chapter 4). Section 2.5 provides an overview of zero-knowledge proofs, which we explicitly use in an extension to the loyalty programs construction to provide untransferability of loyalty points and purchase receipts. Non-interactive zero-knowledge proofs are also part of the IBDT signature scheme. Section 2.6 recalls secure multiparty computation protocols to compute set intersections. The size of the intersection of sets is the basis of our two proposed implicit authentication schemes. Sections 2.7 and 2.8 describe the Paillier cryptosystem and Bloom filters, which we use in our implicit authentication schemes to instantiate two concrete multiparty computation protocols to compute the size of the intersection of sets. Finally, Sections 2.9 and 2.10 briefly describe anonymous payment mechanisms and short-range communication technologies. These two are used when implementing the group accreditation protocol and the loyalty programs scheme in specific use cases.
2.1 Bilinear pairings
Given cyclic multiplicative groups $G_1, G_2, G_T$ of prime order $p$, with generators $g_1 \in G_1$ and $g_2 \in G_2$, a bilinear map is a function $e : G_1 \times G_2 \to G_T$ with the following properties:
• Bilinearity: For all $x \in G_1$, $y \in G_2$, $a, b \in \mathbb{Z}_p$, $e(x^a, y^b) = e(x, y)^{ab}$.
• Non-degeneracy: The value $e(g_1, g_2)$ generates $G_T$, that is, $e(g_1, g_2) \neq 1_{G_T}$.
• Efficient computability: The function e is efficiently computable.
Bilinear pairings are classified in three general types according to [50]:
Type I: $G_1 = G_2$. These pairings are typically called symmetric pairings.
Type II: $G_1 \neq G_2$, and there exists an isomorphism $\psi : G_2 \to G_1$ that is efficiently computable, but $\psi^{-1}$ is not.
Type III: $G_1 \neq G_2$, and there is no efficiently computable $\psi$.
Types II and III are called asymmetric pairings. We will use Type III pairings throughout this work, as they have been found to be the most efficient pairings at equivalent security levels. We use multiplicative notation for all groups $\mathbb{Z}_p$, $G_1$, $G_2$, and $G_T$.
2.1.1 Hardness assumptions
Definition 1. Given a cyclic group $G$ of order $p$ and a generator $g$ of $G$, the Computational Diffie-Hellman (CDH) problem is defined as follows: given a tuple $(g, g^{\alpha}, g^{\gamma})$, compute $g^{\alpha\gamma}$.
Definition 2. Given a cyclic group $G$ of order $p$ and a generator $g$ of $G$, the Decisional Diffie-Hellman (DDH) problem is defined as follows: given a tuple $(g, g^{\alpha}, g^{\gamma}, g^{\delta})$, decide whether $\alpha\gamma = \delta$.
Definition 3. Given a cyclic group $G$ of order $p$ and a generator $g$ of $G$, the chosen-target Computational Diffie-Hellman (chosen-target CDH) problem [19] is defined as follows: given a set $Z = \{z_1, \ldots, z_n\} \in G^n$, a random public key $y = g^x$ and access to a helper oracle $(\cdot)^x$, output a set $V = \{v_1, \ldots, v_l\} \in G^l$ such that for all $i \in \{1, \ldots, l\}$ there exists a $z_j \in Z$ with $z_j^{x} = v_i$, with fewer than $l$ queries to the helper oracle. This problem is equivalent to the CDH problem if no access to the helper oracle is given.
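The following Python script is an added illustration of the pairing properties of Section 2.1 and of Definitions 1 to 3; it is not code from the thesis. It builds a toy symmetric (Type I) pairing over the order-509 subgroup of $\mathbb{Z}_{1019}^*$ (constructed parameters, chosen so small that discrete logarithms can be brute-forced in a few hundred steps, which is the only reason this "pairing" is computable at all), checks bilinearity and non-degeneracy, solves a CDH instance by brute force, uses the pairing to decide DDH, and models the chosen-target CDH game with a counted helper oracle. All constant, class and function names are the example's own.

```python
# Added toy model (not thesis code) of a symmetric (Type I) pairing and of the
# CDH, DDH and chosen-target CDH problems of Section 2.1, over a tiny group.
import random

# Constructed toy parameters (assumption): Q = 2*P + 1, both prime, so the
# quadratic residues of Z_Q^* form a cyclic group G of prime order P.
Q = 1019    # prime modulus
P = 509     # prime order of the subgroup G
GEN = 4     # generator g of G (a square, so it lies in the order-P subgroup)
GEN_T = 9   # generator h of the target group G_T (also a square)

def dlog(base, target):
    """Brute-force discrete log in the toy subgroup; the only reason the
    pairing below is computable.  Infeasible at cryptographic sizes."""
    acc = 1
    for k in range(P):
        if acc == target:
            return k
        acc = acc * base % Q
    raise ValueError("target not in subgroup")

def pairing(u, v):
    """Toy pairing e(g^a, g^b) = h^(ab): bilinear and non-degenerate by
    construction.  Real pairings (Weil, Tate) need no discrete logarithm."""
    return pow(GEN_T, dlog(GEN, u) * dlog(GEN, v) % P, Q)

def check_bilinearity(x, y, a, b):
    """e(x^a, y^b) == e(x, y)^(ab), the first property in Section 2.1."""
    return pairing(pow(x, a, Q), pow(y, b, Q)) == pow(pairing(x, y), a * b % P, Q)

def check_non_degeneracy():
    """e(g, g) must not be the identity of G_T."""
    return pairing(GEN, GEN) != 1

def cdh_solve(g, g_alpha, g_gamma):
    """CDH (Definition 1) by brute force: dlog gives alpha, then (g^gamma)^alpha."""
    return pow(g_gamma, dlog(g, g_alpha), Q)

def ddh_decide_with_pairing(g, g_alpha, g_gamma, g_delta):
    """DDH (Definition 2) is easy in a symmetric pairing group:
    alpha*gamma == delta  iff  e(g^alpha, g^gamma) == e(g, g^delta)."""
    return pairing(g_alpha, g_gamma) == pairing(g, g_delta)

class ChosenTargetCDHChallenger:
    """Chosen-target CDH game (Definition 3): the adversary gets the targets Z,
    the public key y = g^x and a counted helper oracle (.)^x; a set V of
    values z_j^x wins only if fewer than |V| oracle queries were made."""
    def __init__(self, n, rng):
        self.x = rng.randrange(1, P)
        self.y = pow(GEN, self.x, Q)
        self.Z = [pow(GEN, r, Q) for r in rng.sample(range(1, P), n)]
        self.queries = 0

    def helper(self, z):
        self.queries += 1
        return pow(z, self.x, Q)

    def verify(self, V):
        images = {pow(z, self.x, Q) for z in self.Z}
        return (len(set(V)) == len(V) and all(v in images for v in V)
                and self.queries < len(V))

def trivial_adversary(chal, l):
    """Asks the helper for l targets: right values, but l queries, so no win."""
    return [chal.helper(z) for z in chal.Z[:l]]

def brute_force_adversary(chal, l):
    """Recovers x from y by brute-force dlog (toy sizes only): zero queries."""
    x = dlog(GEN, chal.y)
    return [pow(z, x, Q) for z in chal.Z[:l]]

def run_demo(seed=1):
    """Exercise every piece on random toy instances; returns the outcomes."""
    rng = random.Random(seed)
    u, v = pow(GEN, rng.randrange(1, P), Q), pow(GEN, rng.randrange(1, P), Q)
    alpha, gamma = rng.randrange(1, P), rng.randrange(1, P)
    g_alpha, g_gamma = pow(GEN, alpha, Q), pow(GEN, gamma, Q)
    g_delta_ok = pow(GEN, alpha * gamma % P, Q)          # a true DDH tuple
    g_delta_bad = pow(GEN, (alpha * gamma + 1) % P, Q)   # a false DDH tuple
    ct_a, ct_b = ChosenTargetCDHChallenger(5, rng), ChosenTargetCDHChallenger(5, rng)
    return {
        "bilinear": check_bilinearity(u, v, rng.randrange(1, P), rng.randrange(1, P)),
        "non_degenerate": check_non_degeneracy(),
        "cdh_solved": cdh_solve(GEN, g_alpha, g_gamma) == g_delta_ok,
        "ddh_by_pairing": ddh_decide_with_pairing(GEN, g_alpha, g_gamma, g_delta_ok)
                          and not ddh_decide_with_pairing(GEN, g_alpha, g_gamma, g_delta_bad),
        "trivial_adversary_wins": ct_a.verify(trivial_adversary(ct_a, 3)),
        "brute_force_adversary_wins": ct_b.verify(brute_force_adversary(ct_b, 3)),
    }
```

Two points the definitions alone do not show. First, in a symmetric pairing group DDH in $G_1$ is easy (`ddh_decide_with_pairing`), because the pairing lets anyone compare $\alpha\gamma$ with $\delta$ in the exponent; with a Type III pairing the same test needs one element from $G_1$ and one from $G_2$, which is why DDH can still be assumed hard within $G_1$ and $G_2$ separately in that setting. Second, the "fewer than $l$ queries" bound in Definition 3 is exactly what rules out the trivial adversary that forwards $l$ targets to the helper oracle; the brute-force adversary wins only because the toy group is small enough for `dlog` to run, which is the regime the assumption excludes.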