实用隐私保护身份验证：基于第三方云服务与全同态加密（数据编码在电路深度管理中的作用） (Practical Privacy-Preserving Identity Verification using Third-Party Cloud Services and FHE (Role of Data Encoding in Circuit Depth Management))

from arxiv, A preliminary version of this work was presented (without proceedings) at the Turing Trustworthy Digital Identity International Conference 2022 at The Alan Turing Institute, London, UK, on Sep. 16, 2022. The recently updated version now contains a detailed security analysis

National digital identity verification systems have played a critical role in the effective distribution of goods and services, particularly, in developing countries. Due to the cost involved in deploying and maintaining such systems, combined with a lack of in-house technical expertise, governments seek to outsource this service to third-party cloud service providers to the extent possible. This leads to increased concerns regarding the privacy of users' personal data. In this work, we propose a practical privacy-preserving digital identity (ID) verification protocol where the third-party cloud services process the identity data encrypted using a (single-key) Fully Homomorphic Encryption (FHE) scheme such as BFV. Though the role of a trusted entity such as government is not completely eliminated, our protocol does significantly reduces the computation load on such parties. A challenge in implementing a privacy-preserving ID verification protocol using FHE is to support various types of queries such as exact and/or fuzzy demographic and biometric matches including secure age comparisons. From a cryptographic engineering perspective, our main technical contribution is a user data encoding scheme that encodes demographic and biometric user data in only two BFV ciphertexts and yet facilitates us to outsource various types of ID verification queries to a third-party cloud. Our encoding scheme also ensures that the only computation done by the trusted entity is a query-agnostic "extended" decryption. This is in stark contrast with recent works that outsource all the non-arithmetic operations to a trusted server. We implement our protocol using the Microsoft SEAL FHE library and demonstrate its practicality.

翻译：国家数字身份验证系统在有效分配商品和服务方面发挥着关键作用，尤其在发展中国家。由于部署和维护此类系统涉及成本高昂，加之缺乏内部技术专长，政府倾向于尽可能将此项服务外包给第三方云服务提供商。这引发了用户个人数据隐私的日益关注。本文提出一种实用的隐私保护数字身份验证协议，其中第三方云服务处理使用（单密钥）全同态加密方案（如BFV）加密的身份数据。尽管政府等可信实体的角色未被完全消除，但本协议显著降低了此类实体的计算负担。利用全同态加密实现隐私保护身份验证协议的挑战在于支持多种查询类型，例如精确和/或模糊的人口统计与生物特征匹配，包括安全的年龄比较。从密码工程角度，我们的主要技术贡献在于提出一种用户数据编码方案，该方案仅用两个BFV密文对人口统计和生物特征数据进行编码，同时支持将各类身份验证查询外包至第三方云。该编码方案还确保可信实体仅需执行与查询无关的“扩展”解密操作，这与近期将全部非算术运算外包至可信服务器的研究形成鲜明对比。我们使用Microsoft SEAL全同态加密库实现了该协议，并验证了其实用性。