
Pepal: Penalizing multimedia breaches and partial leakages

Regular contribution, International Journal of Information Security

Abstract

Storage of media files by users at a third party, such as cloud services or escrows, is increasing every day, along with the risk of stored files being leaked through breaches at those third parties. In this article, we study the problem of handling either intentional or unintentional multimedia storage breaches by the entity hosting the data. To address the problem, we design the Pepal protocol, in which the sender forwarding multimedia data to a receiver can penalize the receiver through loss of cryptocurrency even for partial data leakage. Pepal achieves this by augmenting a blockchain on-chain smart contract between the two parties with an off-chain cryptographic protocol. The protocol involves a new primitive, doubly oblivious transfer (DOT), which, when combined with robust watermarking and a claim-or-refund blockchain contract, provides the necessary framework for a provably secure protocol. Any public data leakage by the receiver leads to the sender learning the receiver’s cryptocurrency secret key, which allows him to transfer the claim-or-refund deposit of the receiver. The Pepal protocol also ensures that a malicious sender cannot steal the deposit, even by leaking the original multimedia document in any form. We analyze our DOT-based design against partial adversarial leakages and show it to be robust against even small leakages. The prototype implementation of our Pepal protocol shows our system to be efficient and easy to deploy in practice.

Availability of data and material

Any further data is available on request from the authors.

Code Availability

The code for the project can be found at https://github.com/easwarvivek/Pepal

Notes

  1. For \(s_0 = s_1 = b\), the receiver knows that she received \(m_b\); however, that does not constitute any privacy leakage in our application as c and \(m_{1-s_c}\) remain private.

References

  1. (2015) Data protection and breach. https://otalliance.org/system/files/files/resource/documents/dpd_2015_guide.pdf

  2. (2015) Man in the cloud (mitc) attacks. https://www.imperva.com/docs/HII_Man_In_The_Cloud_Attacks.pdf

  3. (n.d.) Data breaches. https://www.privacyrights.org/data-breaches?title= &breach_type%5B%5D=267

  4. (n.d.) Digital watermarking alliance. http://digitalwatermarkingalliance.org/

  5. (n.d.) Ethereum website. https://www.ethereum.org/

  6. (n.d.) Friendmts. https://www.friendmts.com/nab-2017-showcase/

  7. (n.d.) Nsw data and information custodianship policy. https://www.finance.nsw.gov.au/ict/sites/default/files/NSW%20Data%20and%20Information%20Custodianship%20Polic%20v1-0.pdf

  8. (n.d.) Relic: efficient library for cryptography. https://github.com/relic-toolkit

  9. Adelsbach, A., Sadeghi, A.R.: Zero-knowledge watermark detection and proof of ownership. In: Information Hiding (2001a)

  10. Adelsbach, A., Sadeghi, A.R.: Zero-knowledge watermark detection and proof of ownership. In: Moskowitz, I.S. (ed.) Information Hiding, pp. 273–288. Springer, Berlin Heidelberg, Berlin, Heidelberg (2001)

  11. Amer, I., Sheha, T., Badawy, W., Jullien, G.: A tool for robustness evaluation of image watermarking algorithms. In: Elleithy, K. (ed.) Advanced Techniques in Computing Sciences and Software Engineering, pp. 59–63. Springer, Netherlands, Dordrecht (2010)

  12. Andrychowicz, M., Dziembowski, S., Malinowski, D., Mazurek, L.: Secure multiparty computations on bitcoin. In: IEEE Symposium on Security and Privacy (2014)

  13. Arun, V., Kate, A., Garg, D., Druschel, P., Bhattacharjee, B.: Finding safety in numbers with secure allegation escrows. arXiv preprint arXiv:1810.10123 (2020)

  14. Bast, C.M.: At what price silence: are confidentiality agreements enforceable? William Mitchell Law Rev. 25(2), 627 (1999)

  15. Bentov, I., Kumaresan, R.: How to use bitcoin to design fair protocols. In: ICC (2014)

  16. Boneh, D., Franklin, M.: An efficient public key traitor tracing scheme. In: CRYPTO (1999)

  17. Camenisch, J., Stadler, M.: Proof Systems for General Statements About Discrete Logarithms, p. 260. Technical report/Dept of Computer Science, ETH Zürich (1997)

  18. Chor, B., Fiat, A., Naor, M.: Tracing traitors. In: CRYPTO (1994)

  19. Chou, T., Orlandi, C.: The simplest protocol for oblivious transfer. In: LATINCRYPT (2015)

  20. Cox, I.J., Kilian, J., Leighton, F.T., Shamoon, T.: Secure spread spectrum watermarking for multimedia. IEEE TIP 6(12), 1673–1687 (1997)

  21. Cunningham, T.J., Huffman, B., Salmon, C.M.: Settlement trends in data breach litigation (2014). https://www.financierworldwide.com/settlement-trends-in-data-breach-litigation

  22. Doerner, J., Kondi, Y., Lee, E., shelat, a.: Secure two-party threshold ECDSA from ECDSA assumptions. In: 2018 IEEE Symposium on Security and Privacy (SP), pp 595–612 (2018). https://doi.org/10.1109/SP.2018.00036

  23. Dwork, C., Lotspiech, J., Naor, M.: Digital signets: Self-enforcing protection of digital information (preliminary version). In: Proceedings of the twenty-eighth annual ACM symposium on Theory of computing, pp 489–498 (1996)

  24. Erfani, Y., Siahpoush, S.: Robust audio watermarking using improved TS echo hiding. Digital Signal Process. 19(5), 809–814 (2009). https://doi.org/10.1016/j.dsp.2009.04.003

  25. Fiat, A., Shamir, A.: How to prove yourself: Practical solutions to identification and signature problems. In: Proceedings on Advances in cryptology—CRYPTO ’86, pp 186–194 (1987)

  26. Floyd, T., Grieco, M., Reid, E.F.: Mining hospital data breach records: Cyber threats to u.s. hospitals. In: 2016 IEEE Conference on Intelligence and Security Informatics (ISI), pp 43–48 (2016)

  27. Genc, Z.A., Iovino, V., Rial, A.: The simplest protocol for oblivious transfer revisited (2017). https://eprint.iacr.org/2017/370.pdf

  28. Härder, T., Bühmann, A.: Database caching-towards a cost model for populating cache groups. In: Benczúr, A., Demetrovics, J., Gottlob, G. (eds.) Advances in Databases and Information Systems, pp. 215–229. Springer, Heidelberg (2004)

  29. Hourihan, C., Cline, B.: A look back: U.S. healthcare data breach trends (2008). https://hitrustalliance.net/content/uploads/2014/05/HITRUST-Report-U.S.-Healthcare-Data-Breach-Trends.pdf

  30. Kiayias, A., Tang, Q.: How to keep a secret: leakage deterring public-key cryptosystems. In: Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security, pp 943–954 (2013)

  31. Kiayias, A., Tang, Q.: Traitor deterring schemes: using bitcoin as collateral for digital content. In: ACM CCS (2015)

  32. Kiayias, A., Leonardos, N., Lipmaa, H., Pavlyk, K., Tang, Q.: Communication optimal tardos-based asymmetric fingerprinting. In: Nyberg, K. (ed.) Topics in Cryptology – CT-RSA 2015, pp. 469–486. Springer International Publishing, Cham (2015)

  33. Kim, S., Wu, D.J.: Watermarking cryptographic functionalities from standard lattice assumptions. In: Katz, J., Shacham, H. (eds.) Advances in Cryptology - CRYPTO 2017, pp. 503–536. Springer International Publishing, Cham (2017)

  34. Kosba, A., Miller, A., Shi, E., Wen, Z., Papamanthou, C.: Hawk: The blockchain model of cryptography and privacy-preserving smart contracts. In: IEEE Symposium on Security and Privacy (2016)

  35. Lancini, R., Mapelli, F., Tubaro, S.: A robust video watermarking technique in the spatial domain. In: International Symposium on VIPromCom Video/Image Processing and Multimedia Communications, pp 251–256, (2002) https://doi.org/10.1109/VIPROM.2002.1026664

  36. Lei, B.Y., Soon, I.Y., Li, Z.: Blind and robust audio watermarking scheme based on svd-dct. Signal Process. 91(8), 1973–1984 (2011). https://doi.org/10.1016/j.sigpro.2011.03.001

  37. Lie, W.N., Chang, L.C.: Robust and high-quality time-domain audio watermarking based on low-frequency amplitude modification. IEEE Trans. Multimed. 8(1), 46–59 (2006). https://doi.org/10.1109/TMM.2005.861292

  38. Meerwald, P.: Watermarking source code. Online, (2005) http://www.cosy.sbg.ac.at/~pmeerw/Watermarking

  39. Memon, N., Wong, P.W.: A buyer-seller watermarking protocol. IEEE Trans. Image Process. 10(4), 643–649 (2001). https://doi.org/10.1109/83.913598

  40. Nakamoto, S.: Bitcoin: A peer-to-peer electronic cash system (2008)

  41. Rahulamathavan, Y., Rajarajan, M., Rana, O.F., Awan, M.S., Burnap, P., Das, S.K.: Assessing data breach risk in cloud systems. In: 2015 IEEE 7th International Conference on Cloud Computing Technology and Science (CloudCom), pp 363–370 (2015)

  42. Rogaway, P.: Formalizing human ignorance. In: Nguyen, P.Q. (ed.) Progress in Cryptology - VIETCRYPT 2006, pp. 211–228. Springer, Heidelberg (2006)

  43. Ruffing, T., Kate, A., Schröder, D.: Liar, liar, coins on fire!: penalizing equivocation by loss of bitcoins. In: ACM CCS (2015)

  44. Venkatesan, R., Vazirani, V., Sinha, S.: A graph theoretic approach to software watermarking. In: Moskowitz, I.S. (ed.) Information Hiding, pp. 157–168. Springer, Berlin Heidelberg, Berlin, Heidelberg (2001)

  45. Yao, S.B.: An attribute based model for database access cost analysis. ACM Trans. Database Syst. 2(1), 45–67 (1977). https://doi.org/10.1145/320521.320535

  46. Zhang, J., Ho, A.T.S., Qiu, G., Marziliano, P.: Robust video watermarking of h.264/avc. In: IEEE Transactions on Circuits and Systems II: Express Briefs 54(2):205–209, (2007) https://doi.org/10.1109/TCSII.2006.886247

Funding

This work has been supported by National Science Foundation (NSF) under grant CNS-1846316.

Author information

Corresponding author

Correspondence to Easwar Vivek Mangipudi.

Ethics declarations

Conflicts of interest

The authors of this article declare that they have no conflict of interest.

Appendices

Appendix A: 1-out-of-2 Verified Simplest Oblivious Transfer

Fig. 11: 1-out-of-2 Oblivious Transfer [22]

In this protocol by Doerner et al. [22] (an augmented version of the oblivious transfer by Chou et al. [19]), given a multiplicative group \(\mathbb {G}\) of order q and its generator g, the sender initially chooses a random value \(a \leftarrow _R \mathbb {Z} _q\) and the receiver chooses a random value \(r \leftarrow _R \mathbb {Z} _q\). The sender transmits \(h=g^a\) to the receiver, who computes \(c=g^{ab+r}\) for her choice bit b and transmits it to the sender. The sender then computes two keys \(k_0\) and \(k_1\) as \(k_0=H(c^a)\) and \(k_1=H((ch^{-1})^a)\), computes the challenge \(p = H(H(k_0)) \oplus H(H(k_1))\) and forwards it to the receiver. The receiver computes the key \(k_b = H(h^r)\) and returns \(p' = H(H(k_b)) \oplus b \cdot p\). After verifying that \(p'= H(H(k_0))\), the sender encrypts \(M_0\) and \(M_1\) using these two keys, generating \(C_0\) and \(C_1\), which are then forwarded to the receiver. The receiver decrypts the message \(M_b\) using the key \(k_b\). Depending on b, only one of \(k_0\) and \(k_1\) equals the value \(g^{ar}\) computed by the receiver. The other key \(g^{ar-r^2}\) cannot be computed by the receiver, who hence learns no information about \(M_{1-b}\). As the sender just encrypts and forwards the two messages, the sender learns no information about the bit b. Figure 11 depicts the protocol. The advantage of adding the verification step is that it forces the receiver to compute the keys before receiving the encryptions, which makes the protocol UC-secure in the real world-ideal world paradigm.
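The exchange described above, as an added example that is not part of the paper or of the authors' code: both parties of the verified simplest OT run over a toy group constructed here (far too small to be secure), with the sender-side check \(p' = H(H(k_0))\) and an HMAC-protected one-time pad standing in for the robust, non-committing symmetric encryption. The group parameters, the hash-based key derivation and the omission of the zero-knowledge proof of a are assumptions of this example.

```python
import hashlib
import hmac
import secrets

# Toy group parameters, constructed for this example only (far too small to be
# secure): p = 2q + 1 is a safe prime and g = 4 generates the order-q subgroup.
P, Q, G = 2039, 1019, 4


def H(*parts: bytes) -> bytes:
    """Random-oracle stand-in: SHA-256 over length-prefixed inputs."""
    h = hashlib.sha256()
    for part in parts:
        h.update(len(part).to_bytes(4, "big") + part)
    return h.digest()


def key_from(x: int) -> bytes:
    """Hash a group element (fits in two bytes for p = 2039) into a key."""
    return H(b"key", x.to_bytes(2, "big"))


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def enc(key: bytes, msg: bytes) -> bytes:
    """Robust symmetric encryption: hash-derived pad plus an HMAC tag, so that
    decrypting under the wrong key fails instead of producing garbage."""
    assert len(msg) <= 32, "one pad block only in this example"
    ct = xor(msg, H(b"pad", key)[: len(msg)])
    return ct + hmac.new(key, ct, hashlib.sha256).digest()


def dec(key: bytes, ct: bytes):
    body, tag = ct[:-32], ct[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        return None  # robustness: a wrong key is detected
    return xor(body, H(b"pad", key)[: len(body)])


class Sender:
    def __init__(self, m0: bytes, m1: bytes):
        self.m0, self.m1 = m0, m1
        self.a = secrets.randbelow(Q - 1) + 1  # a <-R Z_q
        self.h = pow(G, self.a, P)             # h = g^a (ZK proof of a omitted here)

    def challenge(self, c: int) -> bytes:
        # k_0 = H(c^a), k_1 = H((c h^{-1})^a); the receiver can compute only k_b.
        self.k0 = key_from(pow(c, self.a, P))
        self.k1 = key_from(pow(c * pow(self.h, P - 2, P) % P, self.a, P))
        return xor(H(H(self.k0)), H(H(self.k1)))  # p = H(H(k_0)) xor H(H(k_1))

    def verify_and_encrypt(self, p_prime: bytes):
        # An honest receiver's reply unmasks to H(H(k_0)) whatever b is.
        if not hmac.compare_digest(p_prime, H(H(self.k0))):
            return None  # abort: receiver did not compute its key before this step
        return enc(self.k0, self.m0), enc(self.k1, self.m1)


class Receiver:
    def __init__(self, b: int):
        self.b = b
        self.r = secrets.randbelow(Q - 1) + 1  # r <-R Z_q

    def commit(self, h: int) -> int:
        self.kb = key_from(pow(h, self.r, P))             # k_b = H(h^r) = H(g^{ar})
        return pow(h, self.b, P) * pow(G, self.r, P) % P  # c = h^b g^r = g^{ab+r}

    def respond(self, p: bytes) -> bytes:
        # p' = H(H(k_b)) xor (b * p): for b = 1 the xor with p cancels H(H(k_1)).
        return xor(H(H(self.kb)), p) if self.b else H(H(self.kb))


def run_vsot(b: int, m0: bytes, m1: bytes, tampered_challenge: bool = False):
    """Runs the exchange. Returns (sender_accepted, M_b recovered, M_{1-b} attempt)."""
    snd, rcv = Sender(m0, m1), Receiver(b)
    c = rcv.commit(snd.h)
    p = snd.challenge(c)
    if tampered_challenge:
        # A sender betting on b = 0 sends a garbage challenge: the check still
        # passes when b = 0 but fails when b = 1, the one-bit selective failure
        # that the CROT construction in Appendix B batches across all kappa bits.
        p = secrets.token_bytes(32)
    cts = snd.verify_and_encrypt(rcv.respond(p))
    if cts is None:
        return False, None, None
    return True, dec(rcv.kb, cts[b]), dec(rcv.kb, cts[1 - b])
```

The third component of the result is always `None`: the receiver's single key opens \(C_b\) but is rejected by the tag check on \(C_{1-b}\).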

Functionality \(\mathcal {F}^{DL}_{ZK}\) [22]. The functionality is parameterized by a group \(\mathbb {G}\) and runs with two parties \(P_1\) and \(P_2\). The parties can be the sender \(\textsf{S}\) and the receiver \(\textsf{R}\).

Proof: On receiving \((\textsf {prove}, a, \textsf {g})\), where \(a \in \mathbb {Z}_q\) and \(\textsf {g} \in \mathbb {G}\), from party \(P_i\), store this message. On receiving \((\textsf {prove}, h, \textsf {g})\) from party \(P_j\), where \(h, \textsf {g} \in \mathbb {G}\), if \(h = \textsf {g}^a\), send \((\textsf {accept})\) to \(P_j\); otherwise send \((\textsf {fail})\) to \(P_j\).

The parties use the functionality \(\mathcal {F}^{DL}_{ZK}\) to prove in zero-knowledge that they own the secret keys corresponding to their public keys.

Appendix B: Forwarded Proofs for DOT, CROT and Pepal

Theorem 1

The DOT protocol UC-realizes the functionality \(\mathcal {F}_{\textsf {DOT}}\) in the \(\mathcal {F}_{OT}\)-hybrid model under the following conditions:

Corruption Model: Static corruption (the sender or receiver is corrupted at the beginning of the protocol).

Hybrid Functionalities: H is modelled as a random oracle and secure channels between the parties are assumed.

Computational Assumption: The encryption scheme used in the initial step is symmetric, non-committing and robust [19]. The group \(\textsf{G}\) used in the \({{\textsf {OT}}_1^2}\) module is a Gap-DH group.

Proof

We prove the security of DOT by constructing a simulator which generates an indistinguishable view for the adversary in the real world-ideal world paradigm. The parties use the functionality \(\mathcal {F}^{DL}_{ZK}\) to prove in zero-knowledge that they own the secret keys corresponding to their public keys.

Malicious Sender

  • Receive \((\textsf {prove},sk_{\textsf{S}}, pk_{\textsf{S}})\) on behalf of \(\mathcal {F}^{DL}_{ZK}\). On accepting, forward \(\textsf {accept}\) to the sender, else abort.

  • Answer all oracle queries of the sender randomly and store the query and reply pairs in the form of \((q_k, r_k)\).

  • Receive the encrypted messages \(\widehat{Enc}_i\), \(i \in \{0,1\}\) from the sender and participate in oblivious transfer for the next step.

  • Set the bits \(s_i\), \(i \in \{0,1\}\) randomly with values from \(\{0,1\}\) as choice bits before participating in the \({{\textsf {OT}}_1^2}\) protocol.

  • For the \({{\textsf {OT}}_1^2}\) part of the protocol, invoke multiple instances of the corrupted-sender phase of the simulator of the UC-secure OT [22] built on Chou et al. [19, 27] (call it \(\mathcal {S}_{OT}\)). The simulator \(\mathcal {S}_{OT}\) extracts the sender inputs for each of the instances; obtain these inputs.

  • Perform the operations like an honest receiver: receive the elements \(u_{i,s_i}\) and try to decrypt own layer of encryption (the sender is expected to encrypt the messages with \(\mathcal {E}_{pk}(.)\)).

  • If any of the received elements results in an error during decryption, abort. Else, re-randomize the encryption using \(\mathcal {R}_{pk}(.)\) to obtain \(v_{i, s_i}\) and forward them back to the sender. Receive an encrypted group element \(x_{c,s_c}\), decrypt it and hash it to obtain the decryption key. Decrypt one of the received messages with the obtained key; if this results in an error, abort.

  • Decrypt the initial \(\widehat{Enc}_i\) as follows: for each i and each initially stored pair \((q_k, r_k)\), compute \({Dec}_{r_k}(\widehat{Enc}_i)\). The first value that decrypts meaningfully is set as \(M_i\). If no key \(r_k\) decrypts meaningfully, set \(M_i = \perp \).

  • Obtain the choice bit c of the sender as follows: during the \({{\textsf {OT}}_1^2}\) protocol, the simulator \(\mathcal {S}_{OT}\) extracts the message inputs of the sender side [19] and forwards them to \(\mathcal {S}_{DOT}\). For each \({{\textsf {OT}}_1^2}\) instance i, \(\mathcal {S}_{\textsf {DOT}}\) receives two messages \(g_{i,0}, g_{i,1}\) from \(\mathcal {S}_{OT}\) and stores all the elements in the form \(g_{i,j}\). For each i, the simulator checks whether one of the elements \(g_{i,j}\), \(j \in \{0,1\}\), matches the decrypted element obtained from the sender in the last step of the protocol. Whenever a match is found, c is set to i.

  • Forward the messages \(M_i\), \(i \in \{0,1\}\) and choice bit c to the ideal functionality \(\mathcal {F}_{\textsf {DOT}}\).

The adversary cannot distinguish between a real-world view and the simulated view owing to the following facts: the simulator \(\mathcal {S}_{OT}\) is UC-secure [22]; ElGamal encryption offers semantic security when DDH is hard; the real-world honest receiver’s output will differ only if the simulator decrypts the received encryptions to a value other than the ones used by the sender, but this happens with negligible probability owing to the robustness of the encryption scheme.

Malicious Receiver

  • Receive \((\textsf {prove},sk_{\textsf{R}}, pk_{\textsf{R}})\) on behalf of \(\mathcal {F}^{DL}_{ZK}\). On accepting, forward \(\textsf {accept}\) to the receiver, else abort.

  • Generate two strings \(C_1 \leftarrow \mathcal {A}_1(1^\lambda ) \) and \(C_2 \leftarrow \mathcal {A}_1(1^\lambda )\) and forward to the receiver.

  • Sample four group elements \(g_{i,j}\) for \(i,j \in \{0,1\}\) and encrypt them using ElGamal encryption \(\mathcal {E}_{pk}(.)\) to obtain \(u_{i,j}\).

  • Perform two instances of \({{\textsf {OT}}_1^2}\) and use \(u_{i,j}\) as inputs for instance i of \({{\textsf {OT}}_1^2}\).

  • The receiver inputs \(s_i\) to the \({{\textsf {OT}}_1^2}\) instance i. For the \({{\textsf {OT}}_1^2}\) protocol, the simulator invokes the corrupted receiver phase of simulator of Verified Simplest Oblivious Transfer [22] (call it \(\mathcal {S}_{OT}\)).

  • Obtain re-randomized elements \(v_{i,s_i}\), decrypt own layer of encryption using \(\mathcal {D}_{sk_S}()\) to obtain \(x_{i,s_i}\) and forward \(x_{c, s_c}\) for a randomly chosen bit c.

  • Answer all oracle queries randomly except at the points \(g_{i,j}\). When queried on any of the points \(g_{i,j}\), send the corresponding bit j to the functionality and obtain the message \(m'\).

  • Reply to the query with a key \(k \leftarrow \mathcal {A}_2(C_p, m')\) where p is uniformly picked from \(\{1,2\}\) for every instance of the simulation.

The receiver cannot distinguish the real and simulated views. This is because ElGamal encryption offers semantic security when DDH is hard, the \({{\textsf {OT}}_1^2}\) used is UC-secure [22] and, when the simulator does not abort, indistinguishability holds by the non-committing property of the encryption scheme. The UC-security of the DOT follows from Definition 1. \(\square \)

Theorem 2

The CROT protocol UC-realizes the ideal functionality \(\mathcal {F}_{\textsf {CROT}}\) in the \(\mathcal {F}^{DL}_{ZK}\)-hybrid model under the following assumptions:

Corruption Model: static corruption

Hybrid Functionalities: H is modeled as a random oracle and authenticated channels between users are assumed.

Computational Assumptions: \(\textsf{G}\) is Gap-DH. The symmetric encryption used is non-committing and robust.

Proof

The simulator \(\mathcal {S}_{\textsf {CROT}}\) interposes between a corrupted party and the CROT functionality \(\mathcal {F}_{\textsf {CROT}}\). The verified OT is a “selective-failure” oblivious transfer, in which the sender can guess the choice bit of the receiver and, if the guess is correct, he is notified that it is correct while the receiver is not informed of the same. However, in our CROT protocol, all the messages are transferred simultaneously. For the sender to learn the receiver’s choice bits, he needs to guess all the bits simultaneously, and the probability of the sender guessing all the receiver bits correctly is negligible.

Malicious Sender

The simulator \(\mathcal {S}_{\textsf {CROT}}\) interposes between a malicious sender and the CROT functionality \(\mathcal {F}_{\textsf {CROT}}\), it outputs the sender’s messages \(M_{i,0}, M_{i,1}\).

  • Receive \((\texttt {prove}, a, A)\) from the sender on behalf of \(\mathcal {F}^{DL}_{ZK}\). On receiving \((\texttt {accept}, A)\), forward it to the sender, else abort.

  • Sample random values \(s_i, r_i, i \in [0, \kappa -2] \) and compute the corresponding \(c_i = \textsf {g}^{r_i}\textsf {h}^{s_i}\) and compute \(s_{\kappa -1}, r_{\kappa -1}\) such that \(\prod _{i=0}^{\kappa -1} = \textsf {g}^{r}\textsf {pk}^a\) where \(r = \sum _{i=0}^{\kappa -1}2^i r_i\). Compute ZK-PoKs \(\pi _i\) proving the knowledge of \(r_i, s_i\) for each \(\textsf {g}^{r_i}\textsf {h}^{s_i}\). Forward \(\textsf {g}^r, c_i, \pi _i\) to the sender.

  • Invoke \(\mathcal {F}^{DL}_{ZK}\) to prove that the sampled bits correspond to the public key pk

  • Compute the pads \(k_{i,j} = H((c_i \cdot h^{-j})^a)\). Compute the expected challenges as \(p^{\text {exp}}_i = H(H(k_{i,0})) \oplus H(H(k_{i,1}))\).

  • Upon receiving the sender’s challenges \(p_i\): if for any i, \(p_i = p_i^{\text {exp}}\), then set \(p'_i = H(H(k_{i,0}))\) and add \((\texttt {guess}, s_i')\) to the set \(\mathcal {G}\); otherwise, let \(\mathcal {Q}\) be the set of all queries made by the sender to the random oracle. If there exists a query \(Q_j\) such that \(H(Q_j) = p_i \oplus H(H(k_{i,1}))\), then set \(s'_i = 1\); otherwise set \(s'_i = 0\). Add \((\textsf {guess}, s_i')\) to the set \(\mathcal {G}\). Send the set \(\mathcal {G}\) to \(\mathcal {F}_{\textsf {CROT}}\). If cheat-undetected is received, send \(k'_i = H(H(k^{s'_i}))\) to the sender. Otherwise send \(k'_i = H(H(k^{s'_i}))\) and halt.

  • Upon receiving the cipher texts \(C_{i,j}\) decrypt them using \(k_{i,j}\) and send them to the functionality \(\mathcal {F}_{\textsf {CROT}}\).

Malicious Receiver

The simulator interposes between the ideal functionality \(\mathcal {F}_{\textsf {CROT}}\) and the malicious receiver. It outputs the choice bits \(s_i\) of the receiver and the corresponding chosen messages \(M_{i, s_i}\). It makes use of the random oracle H and the functionality \(\mathcal {F}^{DL}_{ZK}\).

  • Sample \(a \in \mathbb {Z}_p\), compute \(\textsf {g}^a\) and send it to the receiver on behalf of the functionality \(\mathcal {F}^{DL}_{ZK}\).

  • Receive \(g^r, c_i, \pi _i\) from the receiver just like an honest sender. Verify the proofs and abort if any of the forwarded proofs fail.

  • Compute the keys \(k_{i,j}\) like an honest sender.

  • Observe the random oracle queries of the receiver. If the receiver ever queries \(k_{i,0}\), set \(s_i=0\); if they ever query \(k_{i,1}\), set \(s_i = 1\). Once all \(s_i\) are set, send them to the functionality \(\mathcal {F}_{\textsf {CROT}}\) and receive no-cheat.

  • Run the verification as the honest sender would.

  • Upon receiving the messages \(M_{i, s_i}\) from the functionality, set the corresponding ciphertexts as \(C_{i,s_i} = E_{k_{i, s_i}}(M_{i, s_i})\) and set the other ciphertexts to random values.

In the malicious sender case, the first message received by the sender consists of \(\textsf {g}^r, c_i, \textsf {PoK}\). Since r is picked randomly, the view of the sender is identical in both worlds. The simulator \(\mathcal {S}_{\textsf {CROT}}\) receives the value a on behalf of the functionality \(\mathcal {F}^{DL}_{ZK}\) and so can compute the values \(r_i, c_i\) such that the zero-knowledge proof and the verification check hold. It can also compute the keys \(k_{i,j}\) and hence verify whether the received challenges \(p_i\) are correct.

During the verification phase of the transfer, the sender is required to compute the values \(H(H(k_{i,0})),H(H(k_{i,1}))\); only one set of these hashes, corresponding to \(H(H(k_{i, s_i}))\), is known to the receiver. To induce a selective failure, the sender can try to guess the receiver bits and set random values for the opposite ones while calculating the challenges \(p_i\). To guess all the bits correctly and simultaneously, the sender succeeds only with negligible probability \(\frac{1}{2^{\kappa }}\). All the oracle queries made by the sender can be used to compute the sender’s guesses in the protocol, which are forwarded to the functionality, which aborts if the guesses are incorrect. After this point, the simulator behaves like an honest real-world receiver, forwards all the messages accordingly and aborts under the same conditions. Therefore the view of the malicious sender under the real-world execution of the protocol is indistinguishable from its view while interacting with the simulator \(\mathcal {S}_{\textsf {CROT}}\); he can distinguish the views with no better probability than \(\frac{1}{2^{\kappa }}\).

In the malicious receiver case, h is chosen by the simulator and \(c_i\) is chosen by the receiver. These values fix the keys \(k_{i,j}\). The receiver cannot guess the \(k_{i,s_i}\) values except with probability \(\frac{1}{2^\kappa }\) for each. When the receiver queries the random oracle, the simulator records the queries and finds the corresponding choice bit \(s_i\). If the receiver could query the random oracle at both \(k_{i, s_i}\) and \(k_{i, 1-s_i}\), then the simulator could not compute the choice bit. However, the receiver cannot make both those queries, as any such receiver breaks the CDH assumption. The rest of the simulator steps follow an honest sender and the generated view is identically distributed to the real-world one. Thus the view of the malicious receiver is identical in the real world and the ideal world if the CDH problem is hard in the selected group. \(\square \)

Theorem 3

The Pepal protocol securely implements the ideal functionality \(\mathcal {F}_{\textsf {Pepal}}\) in the \(\mathcal {F}_{DOT}, \mathcal {F}^{DL}_{ZK}\)-hybrid model under the following assumptions:

Corruption Model: static corruption

Hybrid Functionalities: H is modeled as a random oracle and authenticated channels between users are assumed.

Computational Assumptions: CDH and DDH are assumed to be hard in \(\mathbb {G}\), \(\textsf{G}\) is Gap-DH. The symmetric encryption used is non-committing and robust.

Proof

The Pepal protocol uses DOT, which internally uses CROT instead of multiple instances of the standard \({{\textsf {OT}}_1^2}\) for the transfer of messages/document blocks from the sender to the receiver. The simulator for the Pepal protocol simply invokes the corresponding simulator \(\mathcal {S}_{\textsf {DOT}}\), which invokes the simulator \(\mathcal {S}_{\textsf {CROT}}\) instead of instances of \(\mathcal {S}_{OT}\). The UC-security of the CROT protocol is already established through Theorem 2.

Malicious sender

The simulator \(\mathcal {S}_{\textsf {CROT}}\) interposes between a malicious sender and the Pepal functionality \(\mathcal {F}_{\textsf {Pepal}}\).

  • Receive \((\textsf {prove},sk_{\textsf{S}}, pk_{\textsf{S}})\) on behalf of \(\mathcal {F}^{DL}_{ZK}\). On accepting, forward \(\textsf {accept}\) to the sender, else abort.

  • Sample a random secret key \(sk_{R'}\) and parse the bits of the secret key into \(s_i, i \in [0, \kappa -1]\) and participate in the DOT protocol.

  • Invoke the malicious sender phase of the simulator \(\mathcal {S}_{\textsf {DOT}}\) for the same.

  • The simulator \(\mathcal {S}_{\textsf {DOT}}\) receives the ElGamal encryptions from the sender just as a receiver would.

  • For the message transfer, \(\mathcal {S}_{\textsf {DOT}}\) in turn invokes a single instance of the malicious sender phase of the CROT simulator \(\mathcal {S}_{\textsf {CROT}}\) (instead of multiple instances of \(\mathcal {S}_{OT}\)) during the transfer phase.

  • The simulator \(\mathcal {S}_{\textsf {CROT}}\) after interacting with the malicious sender, outputs the sender messages \(u_{i,j}\). Since the simulator acts as the receiver it has access to \(sk_{\textsf{R}}\). It also has access to \(sk_{\textsf{S}}\) through the \(\mathcal {F}^{DL}_{ZK}\) functionality. Hence it can decrypt the messages \(u_{i,j}\).

  • After this, the simulator behaves like an honest receiver and participates in all the further protocol steps.

  • The keys \(u_{i,j}\) are used to decrypt the messages \(M_{i,j}\). Forward the messages \(M_{i,j}\) to the functionality \(\mathcal {F}_{\textsf {Pepal}}\) as \(\langle \textsf {inputS}, M_{i,j}, \pi , sid \rangle \) for the session id sid.

Malicious receiver

The simulator \(\mathcal {S}_{\textsf {CROT}}\) interposes between a malicious receiver and the Pepal functionality \(\mathcal {F}_{\textsf {Pepal}}\).

  • Receive \((\textsf {prove},sk_{\textsf{R}}, pk_{\textsf{R}})\) on behalf of \(\mathcal {F}^{DL}_{ZK}\). On accepting, forward \(\textsf {accept}\) to the receiver, else abort.

  • Invoke the malicious receiver phase of the simulator \(\mathcal {S}_{\textsf {DOT}}\) which forwards the encryptions of the keys.

  • As a part of steps of \(\mathcal {S}_{\textsf {DOT}}\), invoke the malicious receiver phase of \(\mathcal {S}_{\textsf {CROT}}\) instead of multiple instances of the simulator \(\mathcal {S}_{OT}\).

  • \(\mathcal {S}_{\textsf {CROT}}\) outputs the choice bits \(s_i\) of the receiver.

  • Forward the choice bits to the functionality \(\mathcal {F}_{\textsf {DOT}}\) to obtain the messages \(M_{i, s_i}\).

  • Use the receiver bits \(s_i\) through DOT simulator to set the encryptions which can be opened by the receiver to the values forwarded by the functionality \(\mathcal {F}_{\textsf {DOT}}\).

The simulator \(\mathcal {S}_{\textsf {Pepal}}\) is the simulator \(\mathcal {S}_{\textsf {DOT}}\) which invokes the simulator \(\mathcal {S}_{\textsf {CROT}}\) instead of multiple instances of \(\mathcal {S}_{OT}\) for the transfer protocol. The UC-security follows from the UC-security of the DOT and the CROT protocols. \(\mathcal {S}_{DOT}\), which internally invokes \(\mathcal {S}_{\textsf {CROT}}\) (instead of \(\mathcal {S}_{OT}\)), produces an indistinguishable view for the adversary in the real world-ideal world paradigm.

\(\square \)

Cite this article

Mangipudi, E.V., Rao, K., Clark, J. et al. Pepal: Penalizing multimedia breaches and partial leakages. Int. J. Inf. Secur. 23, 447–465 (2024). https://doi.org/10.1007/s10207-023-00744-5
