MyPrivacy is an Austrian cybersecurity start-up specialized in advanced cryptography. The company was founded in 2018 and received seed funding from the Federal Ministry and aws (Austria Wirtschaftsservice), as well as funding from FFG. We at MyPrivacy made it our vision to make the public cloud a safe space for sensitive data. With SafeSpace we set new standards for the protection of data and user privacy.
What is SafeSpace?
SafeSpace is our technology that can be used to protect any kind of data stored in untrusted environments like public clouds, providing the data owner full access control and complete anonymity.
Our Research & Development in a Nutshell
Scalable anonymous credentials for privacy-preserving encrypted file sharing
The use of online file sharing services enables the system operator to collect a variety of metadata about users. Among other things, this metadata reveals when users log in, when they access a file, and who else has accessed that file. This discloses a lot of contextual information, especially which users know and interact with each other. This problem remained unsolved despite the new generation of end-to-end encrypted file sharing services that emerged during the last decade. These services focused solely on protecting file content but allowed users to be monitored by the system operator or an attacker with elevated privileges.
Online file sharing services rely on traditional digital credentials. Users log in on a server, obtain a token and request access to encrypted files using that token. Credentials are stored and revoked on the server. Traditional credentials allow the server to identify users and observe their activities, permissions, connections, and interactions.
In order to resolve the privacy issues that come with traditional credentials, the cryptographic community put forth the notion of anonymous credentials. These credentials make use of digital signature schemes like CL, BBS+ and PS, in order to provide an efficient and anonymous way of issuing credentials in the form of short signatures with selective disclosure. However, they lack an efficient revocation mechanism.
This raises the following question: How can frequent revocations be managed? Dynamic accumulators allow for efficient addition, removal, and proof of membership and non-membership regardless of the number of elements. However, every addition and removal of an element has an impact on all other elements since their (non-)membership witness must also be updated.
So, how can anonymous credentials be verified? Non-interactive proofs of knowledge can be applied to pairing-based signature schemes (i.e., CL, BBS+ and PS) as well as to dynamic accumulators. Furthermore, it is possible to construct composite zero-knowledge proofs providing evidence of multiple connected statements. All these can be extended with commitments the user must include in every proof. These commitments record the creator of the proof in an encrypted yet unforgeable way.
We selected and combined these cryptographic primitives in a unique fashion to create a scalable and high-performance anonymous credential system for privacy-preserving file sharing with the following properties:
- efficient issuance and management of credentials, allowing the credentials to contain constraints, e.g., write-access without expiration but restricted to a particular file or read-access to any file but limited to a period of 5 days;
- efficient revocation of credentials, allowing for instant deactivation of user accounts or their access to shared files, applicable in large-scale installations with frequent deactivations, e.g., tens of thousands per day;
- fast proving and verification of anonymous credentials and additional properties of linkable requests, e.g., allowing the user and authorities to resolve disputes regarding the originator of the requests.
Our protocol utilizes redactable signatures for issuing credentials. Users obtain and store a single short signature on a set of constraints from which they can derive individual signatures with a single constraint on-demand, e.g., for requesting a specific file on a given date. We combine this with a dynamic accumulator representing the set of valid credentials. Users obtain the membership witness of their credentials from the issuer and update it based on the information the issuer publishes upon every revocation. In order to support frequent revocations and allow users to be offline most of the time, this information is provided in batches for past periods of time so that the users can update their witness efficiently when they go online.
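The batched witness update described above, as an added example that is not MyPrivacy's code: the page does not name its accumulator, so a toy RSA accumulator stands in for it, and the modulus, base, credential ids and function names are all constructed for illustration. It shows a user who was offline during two revocations refreshing a membership witness from only the revoked ids and the latest accumulator value, while a revoked user cannot.

```python
# Toy RSA accumulator (constructed parameters, far too small for real use).
from math import gcd, prod

P, Q = 2**31 - 1, 2**61 - 1   # two Mersenne primes; secret factors in a real setup
N = P * Q                     # public modulus
G = 3                         # public base, coprime to N

def accumulate(valid):
    """Accumulator value for a set of credential ids (distinct primes)."""
    return pow(G, prod(valid), N)

def issue_witness(valid, x):
    """Issuer side: witness for x is G^(product of all other valid ids)."""
    return pow(G, prod(v for v in valid if v != x), N)

def verify(acc, x, w):
    """Verifier side: x is accumulated iff w^x == acc (mod N)."""
    return pow(w, x, N) == acc

def batch_update(x, w, revoked, acc_new):
    """User side: refresh a witness after a whole batch of revocations.
    Returns None when x itself is in the batch (no valid witness exists)."""
    d = prod(revoked)
    if gcd(x, d) != 1:
        return None
    a = pow(x, -1, d)         # a*x = 1 (mod d)
    b = (1 - a * x) // d      # exact division, so a*x + b*d == 1
    # (w^b * acc_new^a)^x = acc_new^(b*d + a*x) = acc_new, since w^x = acc_new^d
    return pow(w, b, N) * pow(acc_new, a, N) % N

def demo():
    valid = {101, 103, 107, 109, 113}      # constructed credential ids
    w_alice = issue_witness(valid, 107)    # issued before going offline
    w_bob = issue_witness(valid, 103)
    revoked = [103, 109]                   # batch published by the issuer
    remaining = valid - set(revoked)
    acc_new = accumulate(remaining)
    w_new = batch_update(107, w_alice, revoked, acc_new)
    return {
        "stale_accepted": verify(acc_new, 107, w_alice),
        "updated_accepted": verify(acc_new, 107, w_new),
        "matches_fresh_issue": w_new == issue_witness(remaining, 107),
        "revoked_can_update": batch_update(103, w_bob, revoked, acc_new) is not None,
        "revoked_stale_accepted": verify(acc_new, 103, w_bob),
    }

if __name__ == "__main__":
    print(demo())
```

The update cost depends on the size of the batch, not on how many credentials remain valid, which is what lets users stay offline between batches.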
To ensure unlinkable authorization of user requests, every request carries a proof of the credential's signature and membership in the accumulator as well as commitments to values that were blindly signed by the issuer of the credentials. These values enable authorities to trace or audit the anonymous requests on demand and give users the ability to deny being the sender of a specific request.
Our protocol provides fast on-demand proof generation and verification upon requesting encrypted chunks of files from the server. The server ensures proper authorization of the requests without learning anything that would weaken the anonymity of requests. This way we prevent surveillance of users, which is a unique property of our system compared to other secure file sharing solutions on the market.